The nature of the flaw in Microsoft Teams allows an attack in which the recipient of a message does not need to take any action: exploitation occurs as soon as the message is rendered in the client. What comes as a real surprise is that this zero-click remote code execution vulnerability did not receive a CVE. Considering how many companies rely on MS Teams as collaboration software, it is extremely important that organizations prioritize patching this vulnerability, and not assigning it a CVE sends a bad message.
Watch out for zero-click, wormable flaw in Microsoft Teams
Security engineer Oskars Vegeris of Evolution Gaming disclosed technical details about a wormable, cross-platform bug in Microsoft Teams that could allow stealthy attacks.
The flaw is a cross-site scripting (XSS) issue that impacts the ‘teams.microsoft.com’ domain. It could be exploited by an attacker to achieve remote code execution in the MS Teams desktop app.
An attacker could exploit the flaw by sending a specially crafted message to any Microsoft Teams user or channel; the message executes arbitrary code on the victim's PC with NO USER INTERACTION.
Remote code execution was achieved in the desktop applications on all supported platforms (Windows, macOS, Linux). It gives attackers full access to victim devices and, via those devices, to company internal networks.
Even without gaining arbitrary code execution, the attacker could exploit the XSS flaw to obtain SSO authorization tokens for MS Teams or other Microsoft services (e.g. Skype, Outlook, Office365). The issue could also allow attackers to access confidential conversations and files from the communications service.
The researcher pointed out that the attack is stealthy: it requires no user interaction and leaves no indicators of compromise. The flaw is also 'wormable', meaning the exploit payload can automatically repost itself to other companies, channels and users without interaction.
Successful exploitation could cause complete loss of confidentiality and integrity for end users: attackers could access sensitive information in private chats and files, the internal network, and private keys and personal data outside MS Teams.
Unfortunately, Microsoft rated the issue "Important, Spoofing", one of the lowest in-scope ratings possible, and would not issue a CVE number for the vulnerability, because issues in Microsoft Teams are fixed via automatic updates.
Amnesia:33 vulnerabilities affect millions of IoT devices
A new set of serious vulnerabilities affecting TCP/IP stacks has been discovered impacting millions of routers and IoT and OT devices from more than 150 vendors.
Most of the flaws stem from memory corruption, hence the "Amnesia:33" name. The 33 vulnerabilities, four of which are critical, could enable a range of malicious attacks:
- Remote code execution (RCE) to take control of a target device.
- Denial of service (DoS) to impair functionality and impact business operations.
- Information leak (infoleak) to acquire potentially sensitive information.
- DNS cache poisoning attacks to point a device to a malicious website.
The flaws are found in four of the seven TCP/IP stacks analyzed (uIP, picoTCP, FNET and Nut/Net); a TCP/IP stack is the set of communication protocol implementations an internet-connected device uses. Because the affected stacks are open source and not owned by a single company, Amnesia:33 presents tough patch management challenges: each vendor that embedded a stack in its firmware has to ship its own fix.
TCP/IP stack issues of this kind have previously been found in the related vulnerability sets Ripple20 and Urgent/11.
Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of an attack.
However, whether a given device can be attacked through one of the Amnesia:33 bugs depends on which devices a company uses and where they are deployed in its network. For example, routers can be exploited remotely, as they are usually connected to a company's external interface. Other devices, like sensors and industrial equipment, might require that attackers gain access to the company's internal network first.
In terms of mitigation, the researchers recommend various courses of action to protect networks from the Amnesia:33 flaws, including disabling or blocking IPv6 traffic when it is not necessary; configuring devices to rely on internal DNS servers as much as possible; and monitoring all network traffic for malformed packets that try to exploit known flaws.
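As an added worked example (not code from the original article or from any of the affected stacks), the C routine below shows the bounds checking an embedded TCP/IP stack needs when it decompresses a DNS name, one of the parsers where an unchecked length byte or compression pointer becomes exactly the kind of out-of-bounds read or write the advisory groups under memory corruption. It rejects four malformed shapes that a malformed-packet monitor would also look for: a label that runs past the packet, a reserved label type, a name longer than 255 wire bytes, and a compression pointer that does not go strictly backwards (a pointer loop). The sample packets are constructed for this example, and the checks illustrate the bug class, not any specific Amnesia:33 CVE.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened DNS name decoding (RFC 1035 s.4.1.4 compression).
 * Illustrative example only; not code from any Amnesia:33 stack. */

#define DNS_MAX_NAME 255  /* wire-length limit, RFC 1035 s.2.3.4 */
#define DNS_MAX_HOPS 16   /* backstop against long pointer chains */

enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,     /* a label or pointer runs past the packet */
    DNS_NAME_BAD_LABEL,     /* reserved label type 0x40 or 0x80 */
    DNS_NAME_TOO_LONG,      /* decoded name exceeds 255 wire bytes */
    DNS_NAME_POINTER_LOOP,  /* pointer does not go strictly backwards */
    DNS_NAME_OUTPUT_FULL    /* caller's buffer too small */
};

/* Decode the name at pkt[off] into out (dotted, with trailing '.').
 * *next receives the offset just after the name in its original position. */
enum dns_name_status dns_read_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                                   char *out, size_t out_len, size_t *next)
{
    size_t out_pos = 0, wire_len = 0, end = 0;
    size_t lowest = off;   /* every pointer target must be below this */
    unsigned hops = 0;
    int jumped = 0;

    if (out_len < 2) return DNS_NAME_OUTPUT_FULL;
    for (;;) {
        if (off >= pkt_len) return DNS_NAME_TRUNCATED;
        uint8_t len = pkt[off];
        if ((len & 0xC0) == 0xC0) {                    /* compression pointer */
            if (off + 1 >= pkt_len) return DNS_NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            if (!jumped) { end = off + 2; jumped = 1; }
            /* Targets must strictly decrease: a prior occurrence lies before
               this one, and strictly decreasing targets can never cycle. */
            if (target >= lowest || ++hops > DNS_MAX_HOPS) return DNS_NAME_POINTER_LOOP;
            lowest = off = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL;     /* 0x40 / 0x80 reserved */
        if (len == 0) {                                /* root label ends the name */
            if (!jumped) end = off + 1;
            break;
        }
        /* len is 1..63 here; the label body must lie inside the packet
           (written this way so the arithmetic cannot wrap) */
        if (len > pkt_len - off - 1) return DNS_NAME_TRUNCATED;
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;   /* +1 for root */
        if (out_pos + len + 2 > out_len) return DNS_NAME_OUTPUT_FULL; /* label, '.', NUL */
        memcpy(out + out_pos, pkt + off + 1, len);
        out_pos += len;
        out[out_pos++] = '.';
        off += 1 + len;
    }
    if (out_pos == 0) out[out_pos++] = '.';            /* the root name itself */
    out[out_pos] = '\0';
    if (next) *next = end;
    return DNS_NAME_OK;
}

/* Constructed sample packets (not captured traffic); use sizeof(x) - 1 to
 * drop the string literal's trailing NUL. */
static const uint8_t sample_good[] =
    "\x03" "www" "\x07" "example" "\x03" "com" "\x00"  /* offsets 0..16 */
    "\x03" "ftp" "\xc0\x04";                           /* offset 17: ftp + pointer to 4 */
static const uint8_t sample_loop[]      = "\x01" "a" "\xc0\x00"; /* points back at itself */
static const uint8_t sample_truncated[] = "\x05" "abc";          /* claims 5 bytes, has 3 */
static const uint8_t sample_reserved[]  = "\x40";                /* reserved label type */

static char   g_name[DNS_MAX_NAME + 1];
static size_t g_next;

/* Decode from pkt[off] into g_name/g_next; returns the status as an int. */
int decode_sample(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    g_name[0] = '\0'; g_next = 0;
    return (int)dns_read_name(pkt, pkt_len, off, g_name, sizeof g_name, &g_next);
}

/* Four 63-byte labels plus root are 257 wire bytes and must be rejected. */
int decode_oversized_name(void)
{
    uint8_t pkt[4 * 64 + 1];
    for (int i = 0; i < 4; i++) { pkt[i * 64] = 63; memset(pkt + i * 64 + 1, 'a', 63); }
    pkt[256] = 0;
    return decode_sample(pkt, sizeof pkt, 0);
}

int main(void)
{
    int st = decode_sample(sample_good, sizeof sample_good - 1, 17);
    printf("status %d name %s next %zu\n", st, g_name, g_next);
    printf("loop %d truncated %d reserved %d oversized %d\n",
           decode_sample(sample_loop, sizeof sample_loop - 1, 0),
           decode_sample(sample_truncated, sizeof sample_truncated - 1, 0),
           decode_sample(sample_reserved, sizeof sample_reserved - 1, 0),
           decode_oversized_name());
    return 0;
}
```

The strictly-decreasing pointer rule is stronger than the common "target must be before the current offset" check, which still admits a cycle when a pointer lands on labels that walk forward to an earlier pointer; the hop cap is kept as defence in depth. The same four conditions are a reasonable starting point for the malformed-packet monitoring the researchers recommend.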
‘Free’ Cyberpunk 2077 downloads lead to data harvesting
It was pretty obvious that the hotly anticipated game featuring a digital Keanu Reeves as a major character was going to be used as a lure for cyberattacks. Cyberpunk 2077 officially came out on Dec. 10 and immediately broke records: at its peak that night, over 1 million gamers were playing it on Steam. Cybercriminals came in, looking to cash in on the excitement, with scams that offer "free copies" while stealing personal information.
According to researchers at Kaspersky, a series of websites have gone live in a range of languages, all with URLs containing keywords like “PC”, “games” and “download.” And they all offer free purported downloads for the game.
“If the visitor clicks the [download] button, the site downloads an executable file that appears to be an installer to the computer,” researchers noted in a Monday posting. “Opening it, the user sees a menu with some inactive buttons, creating the illusion that, once installed, the app can be used to run and configure the game.”
This menu offers three options: Install, Support and Exit. Clicking Install opens a window that pretends to be installing the game – and it eventually asks for a license key. Obviously the target won’t have said key, so the process offers a convenient “Get License Key” button.
Clicking this button directs users to a website that offers the user a chance to take a survey or enter a giveaway to get the key.
“The next prompt is a set of unrelated questions, as well as requests for a phone number and email address,” according to Kaspersky. “That contact information is the likely target of the attack; contact information is useful for spamming.”
Once victims complete the survey, they receive a supposed "key" which, when entered into the fake installer, appears to start loading the game, researchers said. The fake installation then halts with a splash screen saying that users are missing a dynamic link library (DLL) required to run the game. Another download link is presented, which again redirects to a survey page, and that is where the gambit ends.
Similar schemes can be more dangerous – cybercriminals could ask for money in exchange for the key. Or they could use the same routine to install malware.
This year there were several thousand infection attempts through fake Cyberpunk 2077 downloads.
Hackers hide web skimmer inside a website’s CSS files
Over the years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code in various locations of an online store in order to avoid detection.
But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, this is not what shop owners and online shoppers should be worried about. The majority of skimming attacks happen on the server, where it is completely invisible. About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process. The simplest way shoppers can protect themselves and their customers from web skimmer attacks is to use virtual cards designed for one-time payments.
Virtual cards allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a small period of time. In case the card’s details get stolen by attackers, the card data is useless once the virtual card expires.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Critical remote code execution fixed in PlayStation Now (Security Affairs)
2. D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws (Threat Post)
3. Adrozek malware silently inject ads into search results in multiple browsers (Security Affairs)
4. Cybersecurity Firm FireEye Got Hacked; Red-Team Pentest Tools Stolen (The Hacker News)
5. Phishers bypass Microsoft 365 security controls by spoofing Microsoft.com (HelpNetSecurity)
6. Google Patches Critical Wi-Fi and Audio Bugs in Android Handsets (Threat Post)
7. Researcher Developed New Kernel-Level Exploits for Old Vulns in Windows (Dark Reading)
8. Qbot malware switched to stealthy new Windows autostart method (Bleeping Computer)
9. Hackers are selling more than 85,000 SQL databases on a dark web portal (ZDNet)
10. Russian hackers hide Zebrocy malware in virtual disk images (Bleeping Computer)