Weekly Cyber Reports

This Week in Cyber 15th March 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

15th March, 2024


Analyst Insight

This week's cyber news has shed light on several developments: emerging phishing techniques leveraging RAR and BZ2 archives, the ongoing legal dispute between the NSO Group and Meta over spyware allegations, a compromise of CISA systems despite CISA's own prior warnings, and the release of Microsoft's monthly security update. We have also delved into the debate over whether QR codes are necessary within organisations. While QR codes offer convenience in directing users to pertinent information, concerns about the security risks they carry suggest that those risks may outweigh the benefits. Finally, Microsoft's Q1 figures indicate a positive trend, with fewer patches released in 2024 than in previous years, reflecting improved security practices in product and service releases year on year.


Malware Distribution Technique: Phishing Emails Leveraging RAR and BZ2 Archives

The threat actor Blind Eagle has been observed using a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. Targeting Spanish-speaking users in the manufacturing industry in North America, the attacks take the form of phishing emails. Blind Eagle, also known as APT-C-36, is financially motivated and has a history of cyber attacks primarily in Colombia and Ecuador, delivering various RATs including AsyncRAT, BitRAT, Lime RAT, NjRAT, Remcos RAT, and Quasar RAT. The latest findings show an expansion of the threat actor's targeting tactics, utilising phishing emails with RAR and BZ2 archives to activate the infection chain. Password-protected RAR archives contain a malicious VBScript file that establishes persistence in the Windows Startup folder and launches Ande Loader, which then loads the Remcos RAT payload. Alternatively, a BZ2 archive containing a VBScript file is distributed via a Discord CDN link, dropping NjRAT instead of Remcos RAT. Blind Eagle employs crypters developed by individuals named Roda and Pjoao1578, with one of Roda's crypters hosting additional malware used in the campaign. Additionally, SonicWall has revealed details about DBatLoader, another loader malware family utilising a vulnerable driver associated with RogueKiller AntiMalware software to terminate security software and deliver Remcos RAT.
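As an added example (not code from the report or from any vendor it cites), a mail-gateway triage routine for the two archive types in this chain: it identifies RAR and BZ2 attachments by magic bytes rather than extension, inflates BZ2 content under a size cap and looks for the Startup-folder persistence markers the report describes, and treats a RAR container as a signal in its own right because a password-protected archive cannot be inspected. The marker patterns, verdict names and the VBScript sample are constructed assumptions.

```python
import bz2
import re

# Magic bytes for the archive formats named in the report (RAR 4.x, RAR 5.x, bzip2).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
BZ2_MAGIC = b"BZh"
MAX_INFLATED = 4 * 1024 * 1024  # cap on decompressed bytes: guards against decompression bombs

# Hypothetical heuristic markers for a VBScript that sets up Startup-folder persistence.
VBS_MARKERS = {
    "wscript_shell": re.compile(rb'CreateObject\(\s*"WScript\.Shell"', re.I),
    "startup_folder": re.compile(rb'SpecialFolders\(\s*"Startup"|\\Startup\\', re.I),
}

def identify_archive(data: bytes) -> str:
    """Classify an attachment by its leading bytes, not by the extension the sender chose."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(BZ2_MAGIC) and data[3:4].isdigit() and data[3:4] != b"0":
        return "bz2"
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> dict:
    """Inspect one attachment and return a verdict a mail-gateway rule can act on."""
    kind = identify_archive(data)
    result = {"filename": filename, "format": kind, "markers": [], "verdict": "allow"}
    if kind == "bz2":
        # bzip2 wraps a single file, so the inflated stream is the delivered script itself.
        inflated = bz2.BZ2Decompressor().decompress(data, max_length=MAX_INFLATED)
        result["markers"] = [n for n, rx in VBS_MARKERS.items() if rx.search(inflated)]
        if result["markers"]:
            result["verdict"] = "quarantine"
    elif kind in ("rar4", "rar5"):
        # A password-protected RAR defeats content inspection at the gateway; the chain in
        # the report relies on exactly that, so the container itself becomes the signal.
        result["verdict"] = "hold_for_review"
    return result

# Constructed sample: two lines that only name the objects a persistence script would touch.
SAMPLE_VBS = (
    b'Set ws = CreateObject("WScript.Shell")\r\n'
    b'dest = ws.SpecialFolders("Startup") & "\\svc.vbs"\r\n'
)

def sample_bz2_attachment() -> bytes:
    """The constructed stub wrapped in bzip2, as a gateway would receive the attachment."""
    return bz2.compress(SAMPLE_VBS)
```

Run `triage_attachment("policy.bz2", sample_bz2_attachment())` to see the quarantine verdict with both markers listed.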


QR Codes: Is Risk Worth the Convenience?


It has been known for some time that QR codes can be a source of deception. All the way back in 2022 the FBI released a public service announcement addressing the risks associated with QR codes and how malicious individuals could use them to steal credentials and financial information.


Just this week the Italian Postal Police issued an alert warning against insurance scams. Masquerading as genuine insurance organisations, the scammers mail false offers to victims at very competitive rates. Once the policy has been negotiated, a QR code is provided, supposedly associated with the victim's account and the insurance agency. A popular service in some countries utilises QR codes to issue and accept electronic payments, and by exploiting the trust placed in such accepted services the criminals can extort money from a victim who believes they are paying for a genuine insurance policy. In actuality some sly individual has pocketed the money and run off.


While this is a specific example of a trusted service being abused, the question remains: why are QR codes trusted? By all logic, QR codes are a perfect place for scammers to hide and obfuscate their payload. Unlike a URL, the data in a QR code is not immediately human readable; yet for some reason users often implicitly trust its contents. We now see QR codes everywhere, particularly in marketing. They exist on clothing labels, menus, food packaging and advertising. How hard is it for an opportunistic criminal to slap stickers down on the table at your restaurant that simply send you to a fake site requesting payment for your food bill? Or to slide a missed-delivery notification through your mailbox and request a redelivery fee through a QR code? In most cases the legitimate QR codes redirect to external payment services anyway, so how would the average customer identify the legitimacy of the service? In most cases they don't; they just trust. Perhaps it is time to re-evaluate the convenience we gain against the security we lose when it comes to QR codes.
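The paragraph's point is that a QR payload is opaque until decoded, so the defensive habit is to render the decoded string and its risk indicators before acting on it. The function below is an added example written for this post, not code from the original or from any QR scanning product; it takes the already-decoded payload string (decoding the image is out of scope) and the payment-related keyword list is a hypothetical assumption based on the scams described above.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical payment-related terms drawn from the scams described above.
PAYMENT_WORDS = ("pay", "invoice", "fee", "redelivery", "billing", "policy")

def inspect_qr_payload(payload: str) -> dict:
    """Show what a scanned code would actually do and list risk indicators before acting."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto:, wifi: and similar schemes trigger actions other than browsing.
        findings.append(f"non-web scheme '{scheme or 'none'}'")
        return {"payload": payload, "host": None, "findings": findings}
    host = parts.hostname or ""
    if scheme == "http":
        findings.append("cleartext http")
    if parts.username is not None:
        # "https://insurer.example@evil.example/" actually sends the user to evil.example.
        findings.append(f"userinfo '{parts.username}@' in front of the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("punycode or non-ASCII host (possible homograph)")
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port string, e.g. "https://host:abc/"
    if port not in (None, 80, 443):
        findings.append(f"unusual port {port}")
    if any(w in (parts.path + "?" + parts.query).lower() for w in PAYMENT_WORDS):
        findings.append("payment-related path or query")
    return {"payload": payload, "host": host, "findings": findings}
```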

NSO Group Ordered to Hand Over Pegasus Spyware Code in Meta Legal Battle


In a significant ruling, a U.S. judge has ordered the Israeli spyware vendor NSO Group to disclose the source code for its Pegasus spyware and other products to Meta. The order is part of Meta's ongoing lawsuit against NSO Group, initiated in October 2019. The lawsuit was triggered when NSO Group's spyware was reportedly used to target around 1,400 mobile devices, including those belonging to two dozen Indian activists and journalists, during April and May 2019. The attacks leveraged a zero-day flaw (CVE-2019-3568, CVSS score: 9.8) in WhatsApp's voice call feature to deliver Pegasus, even when the calls were not answered.


According to the court documents, NSO Group has been instructed to "produce information concerning the full functionality of the relevant spyware." This covers the period from one year before the alleged attack to one year after it (i.e., from April 29, 2018 to May 10, 2020). However, the company is not required to provide specific details about its server architecture at this time. Despite this significant legal victory for Meta, NSO Group has been exempted from revealing the identities of its clients. The development comes amid increasing scrutiny of Meta from privacy and consumer groups in the European Union over its "pay or okay" subscription model.


Microsoft's Monthly Security Update: Patching Critical Flaws and Privilege Escalation Vulnerabilities

Microsoft released its monthly security update, addressing 61 security flaws across its software. Two critical issues affecting Windows Hyper-V were fixed; they could lead to denial of service (DoS) and remote code execution. Of the vulnerabilities, two are rated Critical, 58 Important, and one Low in severity. Six flaws were tagged with an "Exploitation More Likely" assessment, though none were publicly known or under active attack. Additionally, 17 security flaws were patched in Microsoft's Chromium-based Edge browser. The update addressed privilege escalation flaws in various services, including Azure Kubernetes Service Confidential Container, Windows Composite Image File System, and Authenticator. One notable vulnerability is a privilege escalation bug in the Print Spooler component that could allow an attacker to obtain SYSTEM privileges. Another critical issue fixed was a remote code execution flaw in Exchange Server. The highest-rated vulnerability, CVE-2024-21334, concerned remote code execution affecting the Open Management Infrastructure (OMI). Despite the significant number of patches, the Patch Tuesday releases of the first quarter of 2024 saw fewer CVEs patched than in previous years.


CISA Systems Compromised


Two of CISA's systems were breached by hackers who exploited vulnerabilities in Ivanti products. This comes weeks after CISA not only highlighted these vulnerabilities but instructed federal agencies to remove the Ivanti software. The impact was limited to these two systems, which were swiftly taken offline, and CISA claims that its operations are still functioning normally, with no impact felt by users or employees. CISA has yet to state whether any data was accessed or stolen by the hackers. As agencies continue to modernise, we are reminded that even the industry leaders remain vulnerable to ambitious threat actors.

