INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Another Script-Based Ransomware
In the past, I already found some script-based ransomware samples written in Python or PowerShell[1]. The last one I found was only a "proof-of-concept" (my guess), but it demonstrates how easily such malware can be developed and how it remains undetected by most antivirus products.
I found a malicious Visual Basic script (VBS) that attracted my attention. The SHA256 is 8c8ed4631248343f8732a83193828471e005900fbaf144589d57f6900b9c8996 and its VT score is only 3/57![2]. It's not flagged as malicious but, even more, it's reported as a simple malicious script.
The obfuscation technique used is simple but pretty effective: the VBS creates a bunch of environment variables that contain encrypted PowerShell code:
Set osi = CreateObject("Wscript.shell")
Set wev = osi.Environment("Process")
wev("XXX0") = "JGVuY3J5cHRlZD0iNzY0OTJ….”
wev("XXX1") = "QXhBRElBTndCbUFHUUFNQUExQURJQVpnQX…”
The argument passed to Environment() selects which environment block the variables are written to ("System", "User", "Volatile" or "Process"). "Process" means the variables live only in the memory of the running wscript.exe process and are inherited by its child processes; nothing is written to the registry, unlike the "System" and "User" blocks. Here, that is exactly what the author needs: the variables become available to the second stage, the PowerShell script spawned by the VBS, while leaving no trace on disk or in the registry for a scanner to pick up. In total, 80 "XXX" variables are created. The code to launch the next stage is obfuscated in a long string...
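A quick way to triage such a stager without running it is to parse the VBS statically, collect the "XXX" chunks, reassemble them and decode the result. The Python below is an added example, not code from the diary or from the sample: the VBS it parses is a constructed stager in the same style (built by build_sample_vbs, with a harmless payload), and it assumes that the loader concatenates XXX0, XXX1, ... in numeric index order and that the chunks are slices of one base64 string. On a live sample, confirm the concatenation order from the obfuscated loader string before trusting the output; the example also shows why a naive string sort of the variable names (XXX10 before XXX2) reassembles the payload wrongly.

```python
import base64
import re
from typing import Dict

# Added example: builds a VBS stager in the style described in the diary
# (constructed sample, not the real malware) and statically recovers the
# PowerShell staged across the "XXX" process environment variables.

# Matches assignments of the form:  wev("XXX12") = "QXhB..."
ASSIGN_RE = re.compile(r'wev\("XXX(\d+)"\)\s*=\s*"([A-Za-z0-9+/=]*)"')


def build_sample_vbs(payload: str, chunk: int = 16, utf16: bool = False) -> str:
    """Constructed stager: base64 the payload (UTF-16LE when the stage is
    meant for 'powershell -EncodedCommand', else UTF-8), slice the base64
    string into chunks and emit them as wev("XXXn") assignments out of order,
    as a real stager might, to exercise the reassembly logic."""
    raw = payload.encode("utf-16-le" if utf16 else "utf-8")
    b64 = base64.b64encode(raw).decode("ascii")
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    lines = ['Set osi = CreateObject("Wscript.shell")',
             'Set wev = osi.Environment("Process")']
    # Even-numbered chunks first, then odd ones: file order is meaningless,
    # only the numeric index tells the loader where each piece belongs.
    order = list(range(0, len(pieces), 2)) + list(range(1, len(pieces), 2))
    for n in order:
        lines.append(f'wev("XXX{n}") = "{pieces[n]}"')
    return "\n".join(lines) + "\n"


def extract_chunks(vbs_text: str) -> Dict[int, str]:
    """Collect every wev("XXXn") base64 chunk, keyed by its numeric index."""
    return {int(n): data for n, data in ASSIGN_RE.findall(vbs_text)}


def decode_b64_text(b64: str) -> str:
    """Decode base64 to text. PowerShell -EncodedCommand payloads are UTF-16LE,
    which shows up as a NUL byte after every ASCII character; otherwise UTF-8."""
    raw = base64.b64decode(b64)
    if raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def recover_stage2(vbs_text: str) -> str:
    """Reassemble the chunks in numeric (not lexical) index order and decode.
    Assumption: the loader concatenates XXX0..XXXn in index order; the real
    sample's loader is obfuscated, so verify this on a live sample."""
    chunks = extract_chunks(vbs_text)
    if not chunks:
        raise ValueError('no wev("XXXn") assignments found')
    missing = set(range(max(chunks) + 1)) - set(chunks)
    if missing:
        raise ValueError(f"missing chunk indexes: {sorted(missing)}")
    joined = "".join(chunks[i] for i in sorted(chunks))
    return decode_b64_text(joined)


if __name__ == "__main__":
    sample = build_sample_vbs('Write-Output "stage two reached"', chunk=4)
    print(sample)
    print("recovered stage 2:", recover_stage2(sample))
```

The same parser works on the real file once the variable prefix and the regular expression are adjusted to the sample; what it will hand back in that case is the `$encrypted="..."` PowerShell seen in the first chunk, which still has to be decrypted with the key material the second stage carries.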
Read the entire diary entry at: https://isc.sans.edu/diary/Another+ScriptBased+Ransomware/29234/
Microsoft November 2022 Patch Tuesday
This month we got patches for 68 vulnerabilities. Of these, 10 are critical, 1 was previously disclosed, and 4 are already being exploited, according to Microsoft.
The previously disclosed (and exploited) vulnerability is a security feature bypass in Windows Mark of the Web (MOTW) (CVE-2022-41091). According to the advisory, an attacker can craft a malicious file that evades MOTW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4.
Another exploited vulnerability is a Remote Code Execution (RCE) in Windows Script Languages (CVE-2022-41128), affecting the JScript9 scripting engine. To exploit it, an attacker would have to convince users to visit a specially crafted server share or website, typically through an enticement in an email or chat message. In other words, user interaction is required, but that is not hard for an attacker to obtain, which makes this vulnerability worthy of special attention. The CVSS for this vulnerability is 8.8.
Among the critical vulnerabilities, there is an elevation of privilege vulnerability affecting Microsoft Exchange Server (CVE-2022-41080). Its CVSS of 8.8 is the highest this month (shared with CVE-2022-41128). The advisory says that this vulnerability is not exploited, but marks it as "Exploitation More Likely".
Last but not least, there is an important elevation of privilege vulnerability affecting Microsoft Windows Sysmon (CVE-2022-41120) that you should also dedicate special attention to. An attacker who successfully exploited this vulnerability could gain administrator privileges by manipulating information on the Sysinternals services. The CVSS for this vulnerability is 7.8.
See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/
Read the entire diary entry at: https://isc.sans.edu/diary/Microsoft+November+2022+Patch+Tuesday/29230/