
All of us at Tripwire’s Vulnerability Research and Exposure Team (VERT) are constantly looking for interesting stories and developments in the world of information security. These are the cybersecurity news stories that caught our attention the most during the week of June 6, 2022. I have also included some comments on these stories.
Another Nation-State Actor Exploits Microsoft Follina to Attack European and US Entities
A nation-state actor is attempting to exploit the Follina flaw in a recent wave of attacks targeting government entities in Europe and the US, Security Affairs reports. The issue affects multiple versions of Microsoft Office, including Office, Office 2016, and Office 2021.
Darlene Hibbs | Security Researcher at Tripwire
The recently revealed zero-day in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190, dubbed Follina, is being actively exploited by a nation-state actor to attack government entities via malicious Word documents. The zero-day can be exploited via a Word document and allows remote code execution with minimal user interaction. It is possible to exploit this vulnerability without the user having to open the document, which bypasses the protections provided by Office’s Protected View feature to limit code execution. To mitigate the risk of the vulnerability, it is recommended that you delete the registry keys related to MSDT.
Linux botnets now exploit critical Atlassian Confluence bug
Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installations. BleepingComputer notes that successful exploitation of this flaw (tracked as CVE-2021-26084) allows unauthenticated attackers to create new administrator accounts, execute commands, and ultimately take over the server remotely to backdoor Internet-exposed servers.
Andres Swoboda | Senior Security Researcher at Tripwire
CVE-2021-26084 has been actively exploited in the wild since the release of a proof of concept. This vulnerability allows attackers to remotely execute code on a vulnerable system. The vulnerability has been seen in the Kinsing, Hezb, and Dark IoT botnets.
CVE-2022-26134 is another vulnerability that allows attackers to execute arbitrary code on systems. This vulnerability had a proof of concept released and is known to be actively exploited. Since then, Atlassian has released fixed versions and a workaround for systems that cannot be upgraded.
Tainted CCleaner Pro cracker spreads via Black SEO campaign
Threat actors are spreading information-stealing malware via search results for a pirated copy of the Windows optimization program CCleaner Pro, Security Affairs noted on June 9. Avast researchers discovered the malware campaign, tracked as FakeCrack.
Andres Swoboda | Senior Security Researcher at Tripwire
Pirated copies of CCleaner Pro have been used to steal information from users. Cracked versions of the product infected systems with malware that collected sensitive information. This malware sets up a proxy and then sends data to malicious users. To resolve the proxy, you can delete the AutoConfigURL registry key in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
Pirated software is known to spread malicious content. Users should protect themselves by using legitimate copies of software.
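The two registry-based mitigations quoted in the comments above (removing the MSDT protocol handler for Follina, and the AutoConfigURL proxy setting left by FakeCrack) as one audit-and-remediate PowerShell script, added here as an example and not part of the Tripwire post or the researchers' comments. It assumes Microsoft's published key name HKCR\ms-msdt for the Follina workaround, that AutoConfigURL is a value under the Internet Settings key named above, and a hypothetical backup folder under ProgramData.

```powershell
# Added example: report on both registry indicators, and remove them only when
# -Remediate is given. Run elevated for the HKCR part. Key/value names follow
# Microsoft's Follina workaround (ms-msdt) and the comment above (AutoConfigURL).
param(
    [switch]$Remediate   # without this switch the script only reports
)

$BackupDir = Join-Path $env:ProgramData 'RegistryBackups'   # assumed location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-And-RemoveKey {
    param([string]$RegPath, [string]$BackupName)
    # reg.exe path syntax (HKCR\ms-msdt); export first so the change is reversible
    $file = Join-Path $BackupDir "$BackupName-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    & reg.exe export $RegPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath failed; not deleting." }
    & reg.exe delete $RegPath /f | Out-Null
    Write-Host "Removed $RegPath (backup: $file)"
}

# 1. CVE-2022-30190 (Follina): is the ms-msdt URL protocol handler still registered?
$msdtKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path $msdtKey) {
    Write-Warning 'ms-msdt protocol handler is registered (Follina workaround not applied).'
    if ($Remediate) { Backup-And-RemoveKey -RegPath 'HKCR\ms-msdt' -BackupName 'ms-msdt' }
} else {
    Write-Host 'ms-msdt protocol handler not present.'
}

# 2. FakeCrack: AutoConfigURL points the browser at a PAC file that routes traffic
#    through the malware's proxy. Some environments set this legitimately via GPO,
#    so compare the reported URL against what you expect before removing it.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pac = (Get-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
if ($pac) {
    Write-Warning "AutoConfigURL is set: $pac"
    if ($Remediate) {
        # keep a copy of the value, then drop it
        Set-Content -Path (Join-Path $BackupDir 'AutoConfigURL.txt') -Value $pac
        Remove-ItemProperty -Path $inetKey -Name AutoConfigURL
        Write-Host 'AutoConfigURL removed; restart the browser to drop the proxy.'
    }
} else {
    Write-Host 'No AutoConfigURL set.'
}
```

Run it once without -Remediate to see what would change, then with -Remediate (from an elevated prompt, and in the affected user's session for the HKCU part).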