INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Supervision and Verification in Vulnerability Management
Published: 2023-06-15
Last Updated: 2023-06-15 03:57:00 UTC
by Yee Ching Tok (Version: 1)
Managing vulnerabilities in operating systems and software can be challenging and even contentious. Opinions are divided among industry peers – some argue that security updates would be unnecessary if developers were held accountable for security vulnerabilities. In contrast, others assert that updating systems as soon as possible (where applicable) was a critical best practice for users. Most clients in my consulting job adopt some form of vulnerability management paradigm (quarterly vulnerability assessments and addressing discovered vulnerabilities to automated vulnerability management programs where identified vulnerabilities are addressed as soon as possible). I noticed some peculiarities while providing consultancy services to a discerning customer's automated vulnerability management program. The automated vulnerability management product will not be discussed here as it is neither the main focal point nor a debate on whether the product is trustworthy. Instead, it was serendipitous and stemmed from just a simple drive to appropriately mitigate identified vulnerabilities in all systems. Together with the client's management support, we worked together to address the vulnerability in question while ensuring it was fully mitigated.
It all started when a new low-risk vulnerability was identified – the Adobe Acrobat Reader software installed on the client's assets (a Windows enterprise environment with a heavy majority of Windows 10 Version 22H2 clients) were identified to have JavaScript enabled. Typically, there is no business need for JavaScript to be enabled in Adobe Reader, especially if users only need to view documents and occasionally fill in simple form fields. As such, the vulnerability management tool advised that JavaScript be disabled and even provided steps to do so. In this case, the recommended action was to set the registry key HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\bDisableJavaScript to the REG_DWORD value of 1. The change management team approved the configuration change, and the system administrator was tasked to implement the hardening configuration.
Read the full entry: https://isc.sans.edu/diary/Supervision+and+Verification+in+Vulnerability+Management/29952/
Malicious Code Can Be Anywhere
Published: 2023-06-20
Last Updated: 2023-06-20 07:42:18 UTC
by Xavier Mertens (Version: 1)
My Python hunting rules reported some interesting/suspicious files. The files are named with a “.ma” extension. Some of them have very low VT scores. For example, the one with a SHA256 dc16115d165a8692e6f3186afd28694ddf2efe7fd3e673bd90690f2ae7d59136 has a score of 15/59.
The “.ma” extension refers to animation projects created by Autodesk Maya, a 3D modeling and animation program[1]. The files are typically ASCI files that describe the 3D scenes. I’ve absolutely, zero-knowledge of 3D software but after some Google searches, it seems that Maya supports Python![2]. Like the documentation says:
“Python scripting can be used for many tasks in Maya, from running simple commands to developing plug-ins, and several different Maya-related libraries are available targeting different tasks.”
What could go wrong? If attackers (ab)use VBA macros in Microsoft Office, why not (ab)use Python in Maya? I found a reference to this type of malware back in 2020 when people discovered some “strange behaviors” in .ma files.
Read the full entry: https://isc.sans.edu/diary/Malicious+Code+Can+Be+Anywhere/29964/
Analyzing a YouTube Sponsorship Phishing Mail and Malware Targeting Content Creators
Published: 2023-06-21
Last Updated: 2023-06-21 00:02:43 UTC
by Yee Ching Tok (Version: 1)
One of our Stormcast listeners, Kevin, wrote in to share that his friend Jon had received a direct spear-phishing e-mail. We requested for more information, and Jon kindly provided us with the corresponding e-mails and data to analyze. The spear-phishing e-mail sent to Jon masqueraded as an individual representing NordVPN (note: NordVPN had published an advisory about scammers posing as NordVPN representatives earlier this year) and enquired about the possibility of a YouTube sponsorship/collaboration with his YouTube channel. I took the liberty to examine the phishing e-mail and its associated artifacts, noting the details I observed from my analysis.
I first examined the e-mail headers, noting the observation of the mail.ru header in the X-Mailer field. (with reference to Figure 1). The e-mail address that the adversary used was collaboration@nordvpn-media[.]com, which had a very close domain name to the original domain name (nordvpnmedia[.]com) that NordVPN had stated to be genuine.
Read the full entry: https://isc.sans.edu/diary/Analyzing+a+YouTube+Sponsorship+Phishing+Mail+and+Malware+Targeting+Content+Creators/29966/