Jun 26 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes hackers would infiltrate Gareth Southgate's playbook and apply some much needed "patches" #England #EURO2024
Today's hottest cybersecurity news stories:
Microsoft Management Console is under attack
Boolka threat deploys BMANAGER trojan via SQL
Hackers create rogue admin accounts in WordPress
New Attack Technique Uncovered! Threat actors are exploiting a novel attack method called GrimResource, leveraging specially crafted Management Saved Console (MSC) files to gain full code execution via Microsoft Management Console (MMC). This technique, identified by Elastic Security Labs, evades security defences effectively.
Discovery and Impact
On June 6, 2024, an artefact named "sccm-updater.msc" was found on the VirusTotal malware scanning platform, marking the discovery of GrimResource. When imported, these malicious console files exploit a vulnerability in MMC libraries, enabling attackers to run arbitrary code, including malware.
How It Works
GrimResource uses a cross-site scripting (XSS) flaw in the apds.dll library, reported back in 2018 but still unpatched. By referencing the vulnerable APDS resource in the StringTable section of a malicious MSC file, attackers trigger JavaScript code execution within MMC. This method bypasses ActiveX warnings and can be combined with DotNetToJScript for arbitrary code execution.
Real-World Examples
In a similar vein, the Kimsuky hacking group recently used a malicious MSC file to deliver malware. However, GrimResource's technique is unique in its exploitation of the XSS flaw to launch a .NET loader, PASTALOADER, which facilitates the deployment of Cobalt Strike.
Evolving Threat Landscape
With Microsoft disabling Office macros by default for internet-sourced documents, attackers have shifted to alternative vectors like JavaScript, MSI files, and LNK objects. However, these methods are now heavily scrutinised by defenders. GrimResource offers a new way to execute arbitrary code in MMC, showing how threat actors continually adapt to circumvent security measures.
Stay Protected!
Be Vigilant: Monitor for unusual MSC files and scrutinise them before opening.
Update Regularly: Ensure your security systems are updated to detect and mitigate such novel threats.
Educate: Inform your team about the risks associated with MSC files and other unconventional malware vectors.
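The "scrutinise them before opening" step above can be automated for the one indicator the story names: an .msc file is XML, and the report describes the malicious reference living in its StringTable section. The script below is an added example (not the newsletter's code and not Elastic's detection logic) that extracts every StringTable string from a console file and flags entries referencing apds.dll or carrying script-like content. The element names (MMC_ConsoleFile, StringTable, Strings, String) follow the MMC console file layout but the exact nesting is an assumption; the two sample files are constructed, and the suspicious one carries only the library reference, not a payload.

```python
"""Triage Management Saved Console (.msc) files before anyone opens them.

Added example, not code from the newsletter or from Elastic Security Labs.
An .msc file is XML; this script pulls every string out of its StringTable
sections and flags entries that reference apds.dll (the indicator named in
the GrimResource report) or that look like script or resource references.
Element names (MMC_ConsoleFile, StringTable, Strings, String) follow the
MMC console file layout; treat the exact nesting as an assumption.
"""
import re
import sys
import xml.etree.ElementTree as ET

# The apds.dll reference is the indicator from the report; the remaining
# patterns are a broader heuristic added here for triage, not a signature.
APDS_PATTERN = re.compile(r"apds\.dll", re.IGNORECASE)
SCRIPT_PATTERNS = {
    "javascript: URI": re.compile(r"javascript:", re.IGNORECASE),
    "script tag": re.compile(r"<script", re.IGNORECASE),
    "res:// resource URI": re.compile(r"res://", re.IGNORECASE),
}

# Constructed samples: a benign console and one carrying only the
# apds.dll reference (no payload), enough to exercise the checks.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Services</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = BENIGN_MSC.replace(
    '<String ID="2" Refs="1">Services</String>',
    '<String ID="2" Refs="1">res://apds.dll/redirect.html</String>',
)


def extract_stringtable_strings(xml_text: str) -> list[str]:
    """Return the text of every <String> inside a <StringTable>."""
    root = ET.fromstring(xml_text)
    values = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            if entry.text:
                values.append(entry.text.strip())
    return values


def triage_msc(xml_text: str) -> dict:
    """Return findings rather than a verdict, so the caller decides whether
    to quarantine, alert or allow. A file that is not well-formed XML is
    reported as an error (older console files are not XML at all)."""
    try:
        strings = extract_stringtable_strings(xml_text)
    except ET.ParseError as exc:
        return {"suspicious": False, "error": f"not well-formed XML: {exc}", "findings": []}
    findings = []
    for value in strings:
        reasons = []
        if APDS_PATTERN.search(value):
            reasons.append("references apds.dll")
        for label, pattern in SCRIPT_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"script-like content: {label}")
        if reasons:
            findings.append({"string": value, "reasons": reasons})
    return {"suspicious": bool(findings), "findings": findings}


def triage_file(path: str) -> dict:
    """Triage one .msc file from disk."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return triage_msc(handle.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, triage_file(path))
    else:
        print("benign sample:", triage_msc(BENIGN_MSC))
        print("suspicious sample:", triage_msc(SUSPICIOUS_MSC))
```

Run it with one or more .msc paths as arguments to triage real files; with no arguments it triages the two constructed samples. The output is a list of findings, not a verdict, because a legitimate console file can contain a res:// string, whereas the apds.dll reference is the one indicator worth an alert on its own.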
Stay safe and proactive against evolving cyber threats!
Emerging Cyber Threat! A newly discovered threat actor named Boolka has been compromising websites using malicious scripts to deliver a modular trojan called BMANAGER. Since 2022, Boolka has been executing opportunistic SQL injection attacks across various countries.
How Boolka Operates
Boolka injects malicious JavaScript into vulnerable websites. This script intercepts user data and communicates with a command-and-control server at "boolka[.]tk". It collects user inputs, encoding them in Base64, and redirects users to a fake loading page prompting them to download a browser extension. This extension is actually a downloader for the BMANAGER trojan.
BMANAGER's Capabilities
Once installed, BMANAGER deploys four additional modules:
BMBACKUP: Harvests files from specified paths.
BMHOOK: Tracks running applications and keyboard focus.
BMLOG: Logs keystrokes.
BMREADER: Exports stolen data.
It establishes persistence on the host system using scheduled tasks and stores data in a local SQL database located at C:\Users\{user}\AppData\Local\Temp\coollog.db.
SQL Injection Attacks in Action
Boolka's method of injecting malicious JavaScript snippets into websites for data exfiltration reflects a sophisticated approach to cyber attacks. This technique has also been used by other threat actors like GambleForce and ResumeLooters.
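The root cause behind this kind of campaign is a site query that splices user input into SQL text. The following is an added example, not Boolka's code and not from any victim site: a site search written the vulnerable way beside the parameterised version, with an in-memory SQLite database standing in for the site's real one. The table, its rows and the probe string are all constructed for the demonstration.

```python
"""Vulnerable and parameterised versions of one site search query.

Added example; it is not Boolka's code and not from any specific victim
site. SQLite in-memory stands in for the site database. The table, rows
and search endpoint are constructed for the demonstration.
"""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Build a tiny catalogue with one row that must never be exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("Widget", 1), ("Gadget", 1), ("Unreleased prototype", 0)],
    )
    return conn


def search_products_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Splices user input into SQL text: the classic injection defect."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_products_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Binds the term as a parameter, so it can only ever be a LIKE pattern."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed probe: the quote closes the literal, OR 1=1 defeats the
# public filter, and the trailing comment discards the rest of the statement.
INJECTION_TERM = "x%' OR 1=1 --"

if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe:", search_products_unsafe(db, INJECTION_TERM))
    print("safe:  ", search_products_safe(db, INJECTION_TERM))
```

The unsafe function returns the non-public row for the probe term because the filter has been rewritten by the input; the safe function returns nothing, since the same text is only ever matched as a pattern. Parameter binding is the fix to apply across every query the site runs, not only the search endpoint.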
Increasing Sophistication
Boolka's evolution from simple SQL injection attacks in 2022 to developing its own malware delivery platform and trojans like BMANAGER highlights the growing sophistication of their tactics. Utilizing the BeEF framework for malware delivery demonstrates their advancing capabilities.
Protect Your Websites!
Monitor for Malicious Scripts: Regularly check your websites for unauthorised JavaScript code.
Update Security Measures: Ensure all software and security protocols are up to date to defend against SQL injection attacks.
Educate Users: Inform users about the risks of downloading unknown browser extensions.
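"Regularly check your websites for unauthorised JavaScript code" is easiest when you have a known-good copy of each page to compare against. The script below is an added example, not code from the newsletter or from the researchers who reported Boolka. It parses the served HTML, compares external script hosts with an allowlist and inline scripts with baseline hashes, and separately flags the pattern the story describes: an inline script that reads form input and Base64-encodes it. The allowed host, the script path under boolka.tk, and both sample pages are constructed; only the boolka.tk host itself comes from the story.

```python
"""Audit a page's scripts against a known-good baseline.

Added example, not code from the newsletter or from the Boolka report's
authors. It parses served HTML, compares external script hosts with an
allowlist and inline scripts with baseline hashes, and flags the pattern
the report describes (form input read and Base64-encoded inline). The
allowed host, the script path under boolka.tk and the sample pages are
constructed; only the boolka.tk host comes from the report.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"boolka.tk"}                    # reported C2 host (boolka[.]tk)
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test"}   # assumption: your own allowlist


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def baseline_hashes(known_good_html: str) -> set[str]:
    """Hashes of inline scripts in a copy of the page you trust."""
    collector = ScriptCollector()
    collector.feed(known_good_html)
    return {inline_hash(body) for body in collector.inline}


def looks_like_input_harvesting(body: str) -> bool:
    """Heuristic from the report's description: reads inputs, encodes Base64."""
    return "btoa(" in body and ("input" in body or "form" in body)


def audit_page(html: str, baseline: set[str], allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing new."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known-bad-host", src))
        elif host and host not in allowed_hosts:   # relative src = same origin
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        digest = inline_hash(body)
        if digest in baseline:
            continue
        kind = "inline-input-harvesting" if looks_like_input_harvesting(body) else "unknown-inline-script"
        findings.append((kind, digest[:12]))
    return findings


# Constructed sample pages: a clean one and the same page with two injected scripts.
CLEAN_HTML = """<html><head>
<script src="https://cdn.example-site.test/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form><input name="q"></form></body></html>"""

INFECTED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<script src="https://boolka.tk/loader.js"></script>'   # path constructed
    "<script>document.addEventListener('input', function (e) {"
    " var d = btoa(e.target.value); });</script></body>",
)

if __name__ == "__main__":
    base = baseline_hashes(CLEAN_HTML)
    print("clean:", audit_page(CLEAN_HTML, base))
    print("infected:", audit_page(INFECTED_HTML, base))
```

Feed audit_page the HTML your server actually returns (fetched as a visitor would see it, since injected code often lives in the rendered page rather than the source repository) and a baseline built from a copy you trust. Any "unknown-inline-script" finding after a legitimate deploy is a cue to refresh the baseline; a "known-bad-host" or "inline-input-harvesting" finding is a cue to take the page down and look for the SQL injection point that let the script in.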
Stay vigilant and safeguard your digital presence against emerging threats like Boolka!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters
Alert: Malicious Code Injection! Multiple WordPress plugins have been compromised, allowing attackers to create rogue administrator accounts and execute arbitrary actions. Wordfence security researcher Chloe Chamberland raised the alarm on Monday, highlighting the severity of the threat.
How It Works
The injected malware creates new admin accounts with usernames "Options" and "PluginAuth." These accounts' details are sent back to an attacker-controlled server at IP address 94.156.79[.]8. Additionally, malicious JavaScript is inserted into the website footers, spreading SEO spam across affected sites. π
Timeline and Impact
The earliest signs of this software supply chain attack date back to June 21, 2024. The affected plugins, now removed from the WordPress plugin directory, include:
Social Warfare 4.4.6.4 – 4.4.7.1 (30,000+ installs)
Blaze Widget 2.2.5 – 2.5.2 (10+ installs)
Wrapper Link Element 1.0.2 – 1.0.3 (1,000+ installs)
Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (700+ installs)
Simply Show Hooks 1.2.1 (4,000+ installs)
What You Should Do
Users of these plugins are strongly advised to:
Inspect Your Site: Look for suspicious admin accounts ("Options" and "PluginAuth") and delete them.
Remove Malicious Code: Check for and eliminate any injected JavaScript in your website footers.
Update Plugins: Ensure all plugins are updated to their latest patched versions where available.
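The "Inspect Your Site" step can be run as a query rather than a scroll through the Users screen. The script below is an added example, not Wordfence's code: it lists administrator accounts that either match the rogue usernames named above or were registered on or after June 21, 2024, so you also catch a renamed account created during the same window. It issues one SQL query through any DB-API connection; here SQLite stands in for MySQL, the wp_users/wp_usermeta layout and the serialised wp_capabilities value are WordPress's own, and every sample account is invented.

```python
"""Audit WordPress users for rogue administrator accounts.

Added example, not Wordfence's code. It runs one query against any DB-API
connection; SQLite stands in here for MySQL, with constructed rows. The
usernames "Options" and "PluginAuth" and the 2024-06-21 date come from the
report; the tables (wp_users, wp_usermeta with a serialised wp_capabilities
value) follow WordPress's schema; the sample accounts are invented.
"""
import sqlite3

ROGUE_LOGINS = {"options", "pluginauth"}     # compared case-insensitively
COMPROMISE_DATE = "2024-06-21"               # earliest signs per the report


def find_suspicious_admins(conn, prefix: str = "wp_", since: str = COMPROMISE_DATE, placeholder: str = "?"):
    """Return administrators matching a known rogue login or registered on or
    after the compromise date. `prefix` is the configured table prefix from
    wp-config.php, never user input; `placeholder` is '?' for sqlite3 and
    '%s' for the common MySQL drivers."""
    sql = (
        f"SELECT u.ID, u.user_login, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = {placeholder} AND m.meta_value LIKE {placeholder}"
    )
    cur = conn.cursor()
    # Capabilities are a serialised PHP array; the quoted role name is a
    # reliable substring to match regardless of the array's other entries.
    cur.execute(sql, (f"{prefix}capabilities", '%"administrator"%'))
    flagged = []
    for user_id, login, registered in cur.fetchall():
        registered_day = str(registered)[:10]      # works for str or datetime
        reasons = []
        if login.lower() in ROGUE_LOGINS:
            reasons.append("known rogue username")
        if registered_day >= since:
            reasons.append(f"administrator registered on/after {since}")
        if reasons:
            flagged.append({"id": user_id, "login": login, "registered": str(registered), "reasons": reasons})
    return flagged


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database with five accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'
    editor = 'a:1:{s:6:"editor";b:1;}'
    users = [
        (1, "siteowner", "2023-01-10 09:00:00", admin),
        (2, "writer", "2023-05-02 12:30:00", editor),
        (3, "Options", "2024-06-22 03:15:00", admin),
        (4, "PluginAuth", "2024-06-23 04:40:00", admin),
        (5, "contractor", "2024-06-25 10:00:00", admin),   # legitimate, but new
    ]
    for uid, login, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        conn.execute(
            "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
            (uid, "wp_capabilities", caps),
        )
    return conn


if __name__ == "__main__":
    for entry in find_suspicious_admins(make_demo_db()):
        print(entry)
```

Against a real site, pass a connection from your MySQL driver with placeholder="%s" and the prefix from wp-config.php. The date check deliberately produces a review list rather than a verdict: "contractor" above is a legitimate account that happens to be new, which is exactly the kind of entry you want a human to confirm before deleting anything, while "Options" and "PluginAuth" match the reported names and should go.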
Stay Safe and Vigilant!
Monitor: Regularly monitor your site for unauthorised changes.
Backup: Keep regular backups of your site to quickly recover from attacks.
Educate: Stay informed about potential threats and security best practices.
By taking these steps, you can help protect your website from further attacks and maintain a secure online presence.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!