Security Center: you could take over Microsoft Teams accounts with just a .GIF file

Welcome to the next episode of the Xopero Security Center! What a story! Seeing an animation can be enough to be impacted by a cyberattack. Fortunately, Microsoft has resolved security problems in Microsoft Teams that could have been used to take over user accounts – all with the help of a simple .GIF file. But let’s start from the beginning…

GIF-based account takeover? The bug in Microsoft Teams allowed an account hijacking (now fixed)

Microsoft has resolved security problems in Microsoft Teams that could have been used in an attack chain to take over user accounts and ultimately take over an organization’s entire roster of Teams accounts – all with the help of a .GIF file.

The root of the problem. During CyberArk’s examination of the Microsoft Teams platform, the team found that every time the application was opened, the Microsoft Teams client creates a new temporary access token, authenticated via login.microsoftonline.com. Other tokens are also generated to access supported services such as SharePoint and Outlook.

Two cookies are used to restrict content access permissions, “authtoken” and “skypetoken_asm.” The Skype token was sent to teams.microsoft.com and its subdomains – two of which were found to be vulnerable to a subdomain takeover.

If an attacker can somehow force a user to visit malicious subdomains or just send an image message that causes his or her web browser to try to load the resource and deliver the cookie to the compromised subdomain (attacker’s server). And the attacker after receiving the authtoken can create a Skype token, then the attacker is able to steal the victim’s Microsoft Teams account data.

Everything happens behind the scene, so the victim remains completely clueless about the threat actor taking control of their Microsoft Teams account. The attack could also spread automatically in a worm-like fashion from one compromised account to others in the same organization.

Update: on April 20, Microsoft released a patch to mitigate the risk of similar bugs in the future.

Read more

The PhantomLance espionage campaign targeted Android users for five long years

OceanLotus, aka APT32, for years, has been spotted targeting Vietnamese citizens and dissidents and journalists, as well as industries in Germany, China, the Philippines, the US, and the UK.

Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.

The attackers created several versions of the backdoor, with dozens of samples, and when an app first went up in Google Play or other app stores, it didn’t contain malware: That was added later in the form of an update after the user had installed it. That’s likely what allowed the apps to pass any app store vetting. The spyware is fairly narrow in its focus when it comes to functionality. It can gather geolocation data, call logs and contacts, and can monitor SMS activity; the malware can also gather a list of installed applications, as well as device information, such as the model and OS version. It also has the ability to execute special shell commands from the C&C server and download additional payloads on the victim’s device. Additionally in order to gain trust attackers created a fake developer profile on GitHub to appear as a legitimate app developer. 

Read more

750K decryption keys in the wild after Shade Ransomware group shut down operations

We have good news for the victims of the Shade Ransomware. The operators behind the threat have shut down their operations and released over 750,000 decryption keys.

Shade was distributed through malspam campaigns and exploit kits. Once a Windows system gets infected with this ransomware, the malicious code sets the desktop background to announce the infection. The ransomware also drops on the Desktop 10 text files, named README1.txt through README10.txt – which included instructions to contact the crooks via an email address in order to receive information on how to make the payments. But that is in the past. The Shade ransomware operators apologized for their activities… They also provided instructions on how to recover files using the decryption keys they have released. Even the source codes of the trojan were destroyed.

Read more

A simple bug can turn almost every antivirus software into a self-destructive tool

RACK911 Labs has come up with a unique but simple method of using directory junctions (Windows) and symlinks (macOS & Linux) to turn almost every antivirus software into self-destructive tools.

The symlink or symbolic link is a shortcut to another file allowing underprivileged users to perform tasks – macOS and Linux OS. With Windows ecosystem attacker can use directory junctions that link two local directories – and get that same outcome. These two conditions form the basis of race condition bugs targeting antivirus tools. According to the security researchers, these vulnerabilities exist due to the way in which most antivirus work. A standard antivirus tool runs a scan whenever the user saves a file on the hard drive. Upon detecting a malicious or suspicious file, it immediately quarantines the file to stop any potential malware execution. These scans take place using the highest privileges on the system, just like the file operations in most cases. Hence, due to the time lag between the initial scan and the removal of the malicious file, the malware may execute.

The researchers were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS.

Update: RACK911 notified antivirus vendors and most major solutions have been fixed already.

Read more

Sophos has patched a zero-day that has been exploited to deliver malware to its XG Firewall appliances

Sophos learned about attacks targeting its XG firewall on April 22 after a suspicious field value was discovered in a device’s management interface. An investigation revealed that attackers have been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls. The attack was aimed at systems with the administration service or the user portal exposed to the internet. It looked like hackers were trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall, that include:

usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access, information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.

Read more

Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. ‘EventBot’ comes online amidst flurry of regularly-updated banking trojans (CyberScoop)
2. Crooks target US universities with malware used by nation-state actors (Security Affairs)
3. BazarBackdoor: A Malware similar to Trickbot, targets Corporates (e Hacking News)
4. Warning! Fake Zoom “HR meeting” emails phish for your password (Naked Security)
5. Microsoft warns of malware-laced ‘John Wick 3,’ ‘Contagion’ movie torrents (CyberScoop)
6. Rogue affiliates are running fake antivirus expiration scams (Bleeping Computer)
7. Google discloses zero-click bugs impacting several Apple operating systems (ZDNet)
8. Auction of World’s Priciest Whisky Ruined by Cyber-Attack (Infosecurity Magazine)
9. Exclusive: Scammers using fake WHO Bitcoin wallet to steal donation (Hack Read)
10. WordPress plugin bug lets hackers create rogue admin accounts (Bleeping Computer)