
Intel Wrap – July

August 11, 2024
Safe Online

This month focuses on the new Specula Tool exploiting Microsoft Outlook, the botched CrowdStrike Windows Systems Update, the InfoStealer Campaign exploiting a Microsoft SmartScreen Bug, and the ongoing Phobos Ransomware campaign. 

Specula Remote Code Execution Tool

A new red team post-exploitation framework named “Specula” was released by TrustedSec, allowing Microsoft Outlook to be turned into a command-and-control (C2) beacon to remotely execute code.

Summary

  • Specula exploits CVE-2017-11774, a vulnerability initially patched in October 2017, by creating a custom Outlook Home Page using WebView.
  • Despite the patch, attackers can still set malicious home pages using Windows Registry values, affecting even the latest Office 365 builds.
  • Specula operates in Outlook’s context, setting a custom home page via registry keys that call an interactive Python web server to serve VBScript files, allowing arbitrary command execution.
  • Attackers can leverage this technique for persistence and lateral movement, as outlook.exe is a trusted process, making it easier to evade detection.
  • Read more about Satanstealer here.
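Because the technique persists through Outlook's per-folder home-page registry values, a defender can hunt for it by auditing those values. The following is an added example, not code from TrustedSec or from this post: it parses the text of a `reg export` of a user's Office hive and reports every configured Outlook folder home page, flagging remote targets. The key path (`HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>`, value `URL`) is taken from public CVE-2017-11774 detection guidance, not from this page, and the sample export is constructed.

```python
import re

# Outlook per-folder home-page keys abused by Specula (CVE-2017-11774). The key
# path is from public detection guidance, not from this page (assumption); each
# Office version (15.0, 16.0, ...) keeps its own copy under the user's hive.
WEBVIEW_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d)"
    r"\\Outlook\\WebView\\(?P<folder>[^\]\\]+)\]$", re.IGNORECASE)
URL_VALUE = re.compile(r'^"URL"="(?P<url>.*)"$', re.IGNORECASE)

def find_outlook_homepages(reg_export: str):
    """Parse the text of a `reg export` (.reg) file and return every folder
    home page it configures as (office_version, folder, url) tuples."""
    findings, current = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = WEBVIEW_KEY.match(line)
        if key:
            current = (key.group("ver"), key.group("folder"))
            continue
        if line.startswith("["):        # any other key ends the WebView block
            current = None
            continue
        val = URL_VALUE.match(line)
        if current and val:
            url = val.group("url").replace("\\\\", "\\")  # .reg doubles backslashes
            findings.append((current[0], current[1], url))
    return findings

def is_suspicious(url: str) -> bool:
    """Any configured home page deserves review; a remote (http/https/UNC)
    target is the Specula pattern, since the payload is served from an
    attacker-controlled web server."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "\\\\"))

# Constructed sample export (not a real capture): one remote page of the kind
# Specula plants, one local page, and an unrelated key that must be ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="http://198.51.100.23/home.html"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"="C:\\Users\\alice\\intranet.html"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences]
"ShowReminders"=dword:00000001
"""
```

On a live host, feed it the contents of `reg export "HKCU\Software\Microsoft\Office" office.reg` and review every returned entry, since a home page is not set by default.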

The botched CrowdStrike Windows Systems Update

On July 19, CrowdStrike released an update to its Falcon anti-malware software that crashed Windows on an estimated 8.5 million PCs and servers worldwide.

Summary

  • The update led to blue screens of death (BSODs) on nearly all subscribers’ PCs, affecting industries such as airlines, logistics, financial institutions, hospitals, emergency services, broadcast studios, retailers, and Microsoft Cloud Services.
  • The crash required manual restarts of the affected Windows machines, creating significant challenges for inaccessible embedded controllers.
  • The incident is estimated to have caused several billion dollars in economic losses, with the airline industry alone potentially losing around $5 billion.
  • Bad actors exploited the situation by setting up scam sites offering fake fixes for the CrowdStrike issue.
  • CrowdStrike reportedly sent $10 Uber Eats gift cards to partners and teammates as compensation for the disruption.
  • The crash was traced to a faulty .sys configuration file containing zeroes; because the Falcon sensor runs as a kernel-level driver, the resulting page fault halted the whole machine.
  • Recovery involved booting into Safe Mode, deleting the faulty configuration file, and rebooting, but this process was complicated by the need for physical access to affected PCs, many of which were used as embedded systems.
  • Read more here.

InfoStealer Campaign exploiting a Microsoft SmartScreen Bug

A vulnerability in Microsoft Defender SmartScreen (CVE-2024-21412), patched in February, is still being exploited in global infostealing attacks.

Summary

  • The vulnerability, rated “high” severity with an 8.1 CVSS score, was disclosed and fixed on February 13 but continues to be used in campaigns involving stealers like Lumma Stealer, Water Hydra, and DarkGate.
  • Recently, Fortinet identified new attacks involving Meduza and ACR stealers, impacting organizations globally.
  • The exploit involves disabling SmartScreen’s protective notifications, allowing attackers to bypass security alerts.
  • Attackers use PowerShell tricks and hide the payload inside image files, abusing how those images are processed to inject malicious code.
  • The attack chain starts with a downloaded shortcut (LNK) file, which retrieves an executable containing PowerShell code that downloads decoy PDF files and malicious code injectors.
  • The malicious code is hidden in JPG image files, decoded using Windows APIs to bypass detection, and then planted inside legitimate Windows processes to steal data.
  • The targeted data includes information from browsers, crypto wallets, messenger apps, password managers, VPN apps, email clients, and FTP clients, affecting organizations lagging in applying Windows patches.
  • Read more here.

Ongoing Phobos Ransomware Campaign

ngCERT has observed an increase in ransomware attacks by the Phobos group, targeting critical cloud service providers in Nigeria, particularly those servicing government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs.

Summary

  • Phobos attackers typically infiltrate networks via phishing campaigns, IP scanning tools like Angry IP Scanner to find vulnerable RDP ports, and brute force attacks on exposed RDP services.
  • The attackers use spoofed email attachments with hidden payloads, such as SmokeLoader, to initiate infections and execute commands like 1saas.exe or cmd.exe to install Phobos payloads with elevated privileges.
  • Phobos ransomware employs evasion techniques like modifying firewall configurations, using Universal Virus Sniffer and Process Hacker, and leveraging token theft and privilege escalation through Windows API functions.
  • Tools like BloodHound and SharpHound are used for Active Directory enumeration, Mimikatz for credential extraction, and WinSCP/Mega.io for file exfiltration, targeting data types such as legal, financial, technical, and database files.
  • After exfiltrating data, Phobos ransomware deletes volume shadow copies, encrypts connected drives, and communicates ransom demands through unique notes, emails, voice calls, instant messaging platforms, and onion sites.
  • Indicators of compromise include the email finamtox@zohomail.eu, the file extension .xshell, and file format filename.id[xxxxxx-xxxx].email.xshell.
  • Organizations are advised to secure RDP ports, prioritize remediation of known vulnerabilities, implement EDR solutions, disable unnecessary command-line and scripting activities, segment networks, review and audit user accounts, implement time-based access for admin accounts, maintain encrypted and immutable backups, and ensure real-time antivirus detection.
  • Read more here.
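The file-naming indicator above (`filename.id[xxxxxx-xxxx].email.xshell`) is easy to turn into a triage check. The following is an added example, not code from ngCERT or from this post: it parses encrypted-file names from a directory listing, extracts the victim id and contact e-mail, and checks them against the listed address. Assumptions: the victim id is two hexadecimal groups, and the e-mail may also appear wrapped in square brackets (a form seen in other Phobos variants); the listing is constructed.

```python
import re
from collections import Counter

# Naming convention from the advisory: filename.id[xxxxxx-xxxx].email.xshell
# (assumptions: the victim id is two hex groups and the contact e-mail may also
# appear wrapped in square brackets, as other Phobos variants do).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]+-[0-9A-Fa-f]+)\]"
    r"\.\[?(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]?\.(?P<ext>xshell)$")
KNOWN_EMAILS = {"finamtox@zohomail.eu"}   # contact address listed as an IoC

def parse_phobos_name(name: str):
    """Return the components of a Phobos-renamed file, or None if it is not one."""
    m = PHOBOS_NAME.match(name)
    return {k: m.group(k) for k in ("original", "victim", "email", "ext")} if m else None

def triage(paths):
    """Scan a file listing and summarise the Phobos artefacts it contains."""
    hits = []
    for p in paths:
        parsed = parse_phobos_name(re.split(r"[\\/]", p)[-1])  # basename, any OS
        if parsed:
            hits.append(parsed)
    return {
        "encrypted_files": len(hits),
        "victim_ids": sorted({h["victim"] for h in hits}),
        "emails": Counter(h["email"].lower() for h in hits),
        "matches_known_actor": any(h["email"].lower() in KNOWN_EMAILS for h in hits),
        "originals": [h["original"] for h in hits],
    }

# Constructed listing, not a real capture: two encrypted files (one with the
# bracketed e-mail form), an untouched file, and a near-miss with a trailing .bak.
SAMPLE_LISTING = [
    "/srv/share/contracts/lease.docx.id[A1B2C3-4D5E].finamtox@zohomail.eu.xshell",
    r"D:\share\finance\q2.xlsx.id[A1B2C3-4D5E].[finamtox@zohomail.eu].xshell",
    "/srv/share/db/backup.sql",
    "/srv/share/notes/readme.txt.id[A1B2C3-4D5E].finamtox@zohomail.eu.xshell.bak",
]
```

The recovered `originals` list doubles as an inventory of what was encrypted, which is what the backup-restore step needs.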

If you suspect a breach or want to report any digital security concerns, kindly contact our helpdesk (help@cchub.africa).
