A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage
In Microsoft 365, a “dangerous” function has been discovered that could potentially be exploited by a malicious actor to launch attacks on cloud infrastructure and ransom files.
Proofpoint said in a report that leading cloud ransomware attacks allow users to launch file-encrypting malware to “encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups, or a decryption key from the attacker”. Several methods can be used to set up the infection sequence, including Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm said.
An essential component of the attack is a Microsoft 365 feature called AutoSave, which creates copies of older versions of files whenever users edit a file stored on OneDrive or SharePoint Online.
By gaining unauthorized access to a target user’s SharePoint Online or OneDrive account, the attacker can then exfiltrate and encrypt files. Three of the most common methods are to breach an account directly via phishing or brute-force attacks, trick a user into authorizing an OAuth application from a rogue third-party, or hijack a logged-in user’s web session.
Recommended Mitigation Action
- Password policies should be tailored to your organization and strong and multi-factor authentication (MFA) should be mandatory.
- Limit the download of large amounts of data to unmanaged devices.
- Maintain periodic external backups of cloud files containing sensitive information.
- Take precautions when clicking on links to websites, opening unknown file attachments, and accepting file transfers.
New Windows zero-day vulnerability ‘DogWalk’ gets unofficial patches
As Microsoft is declining to patch the two-year old directory traversal vulnerability in every version of windows, the security vender ‘0patch’ has released free unofficial patches for this vulnerability. DogWalk is a path traversal flaw within Microsoft’s Support Diagnostic Tool that allows attackers to copy an executable into the Windows Startup Folder if a victim opens up a maliciously crafted ‘.diagcab’ file. This gives the attacker persistence on an asset as it automatically runs on each start-up of the asset which is useful for malware to propagate and create backdoors.
What makes this vulnerability dangerous is that these file types are ignored by Windows when opening and do not give a warning due to including a Mark-of-the-Web (MOTW). These files are also downloaded by all major browsers simply by visiting a website. This could lead to a mis-click of the downloaded file or someone checking what the file is in the downloads folder, leading to the deployment of a malicious executable.
This vulnerability affects all Windows Versions, from Windows 7 and Server 2008 to the latest release, Windows 11 and Server 2022.
Recommended Mitigation Strategies
As Microsoft is declining to release patches for this zero-day exploit, CTRL Group recommends using 0patch which has released free but unofficial patches for most affected Windows versions. Please visit their website and create account to install the 0patch agent, once installed launching the agent will apply the patches. Please follow this video if you need further assistance.
Atlassian Releases Patch for Confluence Zero-Day Flaw (CVE-2022-26134)
Atlassian on rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.
Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084, another security flaw the Australian software company patched in August 2021. Both relate to a case of Object-Graph Navigation Language (OGNL) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.
An attacker could exploit this flaw by sending a specially crafted request to a vulnerable Confluence Server or Data Center instance that is publicly accessible over the internet. Successful exploitation would allow an attacker to execute code remotely, which could result in full system takeover.
The newly discovered vulnerability impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected.
CTRL Group recommends patching/updating to the latest versions of Confluence Server and Data Center that have been patched for this vulnerability. The issue has been resolved in the following versions: