Weekly Cyber Reports

This Week in Cyber 24th May 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

23rd May, 2024


Analyst Insight

This week in Cyber Security, Microsoft have made strides in implementing their "Secure Future Initiative". Microsoft have announced plans to deprecate NTLM as well as to start the sunsetting process for VBScript. This is all in the name of security, since both technologies have been outpaced by newer alternatives and present well-worn methods for exploitation. Additionally, a critical vulnerability has been found in the popular Fluent Bit logging solution; this will affect many large organisations and likely all major cloud providers.


Furthermore, the Grandoreiro banking trojan has returned with a bang, widening the scope of its operations to more than 60 countries after attempts to thwart the group were unsuccessful. Finally, a new malware strain has been identified as GHOSTMINER; what separates this malware from others is its sophisticated and concerning ability to evade and persist past common security solutions such as EDRs.

Grandoreiro Banking Trojan Is Back And Bigger

After being the target of Brazilian authorities' attempts to bring down its infrastructure, the Grandoreiro banking trojan has been running a new campaign since March 2024. This iteration of the trojan includes an updated date-based DGA that generates a huge number of potential permutations for the C2 domain. It is also armed with new string decryption techniques and the ability to use compromised Microsoft Outlook clients to further its phishing.


Grandoreiro originally targeted mostly Latin American countries and Romance-language-speaking European countries such as Spain and Portugal. Since the Brazilian attempt to halt its operations, the group seems to have broadened its horizons, operating in more than 60 countries, with over 1,500 banks having reported being targeted.


Windows to Deprecate NT LAN Manager

Microsoft has announced plans to deprecate NT LAN Manager (NTLM) in Windows 11 by late 2024, transitioning to Kerberos for authentication to address NTLM's security weaknesses, including susceptibility to relay attacks and lack of support for modern cryptographic methods. This change is part of a broader effort to enhance security in Windows 11, which includes enabling Local Security Authority (LSA) protection by default, utilising virtualisation-based security (VBS) for Windows Hello, and upgrading Smart App Control with AI to block untrusted or malware-laden applications.


Additionally, Microsoft is introducing Trusted Signing to simplify app signing, implementing Win32 app isolation to limit damage from compromised applications, and deploying Windows Protected Print Mode (WPP) to secure the printing stack.


Microsoft has recently been under criticism for its security practices, particularly following breaches by nation-state actors. With a renewed focus on enhancing security measures and deprecating weak cryptographic standards, they are also opting to improve their administrative tools in an effort to bolster Windows 11's overall resilience. Dubbed the 'Secure Future Initiative', Microsoft's latest approach is intended to demonstrate its commitment to a more proactive stance against evolving threats.


Critical Fluent Bit Vulnerability

A critical flaw found in Fluent Bit, a very popular logging and metrics solution, has left many major organisations exposed. The vulnerability can be exploited to cause denial-of-service and remote code execution attacks. The flaw, discovered by Tenable researchers, has been dubbed “Linguistic Lumberjack”.


While many different attacks can be achieved with this CVE, Tenable researchers have stated that in the immediate future they suspect DoS attacks and information leaks are the most likely outcomes. Fixes have already been committed to Fluent Bit's main branch; however, they won't be in an official release until version 3.0.4 ships. The vulnerability affects all major cloud providers, as well as some major IT organisations that rely on Fluent Bit.


Microsoft Sunsets VBScript

Keeping up with its other deprecation announcements, on Wednesday Microsoft announced plans to phase out VBScript in favour of more modern alternatives such as JavaScript and PowerShell. The phase-out is in line with Microsoft's “Secure Future Initiative” discussed earlier, as VBScript is commonly abused by threat actors.


The phase-out will follow a multi-step plan in which VBScript will first become an optional feature of Windows 11, with the intention of removing it completely in the future. This first step is expected to kick off in the second half of 2024. The second step is earmarked for 2027, at which point VBScript will remain available as an optional feature but will no longer be enabled by default. The date of its final removal has not yet been determined.


GHOSTMINER, Malware Built to Evade EDRs

A new malware strain has been identified as GHOSTMINER by cyber security researchers. The malware is not as threatening as some in terms of impact, as its main goal and priority is to install and maintain persistence for the well-known cryptominer XMRig. However, what is notable, and marks a concerning change in priority for threat actors, is its stealth capability. GHOSTMINER has been purpose-built to evade security solutions, particularly EDRs. Using what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack, GHOSTMINER can terminate and delete EDR agents that would otherwise detect and prevent the infamous XMRig miner from being deployed. The malware has a surprising amount of redundancy and contingency planning for deploying itself, including freeing disk space to ensure it can install. The malware also attempts to disable Microsoft Defender Antivirus and clear some event logs.


The concerning level of sophistication for what appears to be a simple cryptocurrency miner warrants attention. This discovery marks a noticeable increase in the use of BYOVD and similar attack methodologies. BYOVD takes advantage of the fact that drivers run at the most privileged level of the operating system, Ring 0. While measures such as Microsoft's Vulnerable Driver Blocklist have been put in place to stop BYOVD, the list is only updated once or twice a year.

