Submitted URL: https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/'
Effective URL: https://cyble.com/blog/new-zero-day-exploit-spotted-in-the-wild/
Submission: On July 18 via api from TR — Scanned from DE


 * Announcement, Malware, Vulnerability

 * May 31, 2022


NEW ZERO–DAY EXPLOIT SPOTTED IN THE WILD

Cyble discusses a Zero-Day Exploit of the MSDT Vulnerability CVE-2022-30190, how
it can be exploited, and some workarounds to mitigate your exposure.



CVE-2022-30190 – MICROSOFT SUPPORT DIAGNOSTIC TOOL (MSDT) RCE VULNERABILITY



In a recent blog post by Microsoft, a new Zero-Day vulnerability
(CVE-2022-30190) was discussed. This vulnerability affects Microsoft Support
Diagnostic Tool (MSDT), and the blog post provides some guidance on mitigating
the impact of this vulnerability.

The post mentions that a Remote Code Execution (RCE) vulnerability present in
MSDT allows the attackers to execute arbitrary code by exploiting it. MSDT is a
diagnostic tool that collects information and sends it to Microsoft for analysis
when users encounter certain issues. Microsoft uses this information to find
solutions for the problems encountered by users.



Prior to the publication of the Microsoft blog, a security researcher, nao_sec,
found an interesting malicious document that uses a Microsoft Word external link
to load an HTML file hosted on a remote server. The HTML file further uses the
“ms-msdt” scheme to execute malicious PowerShell code. Figure 1 shows nao_sec’s
Twitter post.

Figure 1 – Researcher’s Tweet highlighting Vulnerability CVE-2022-30190



After this tweet, security researchers investigated and reproduced the exploit
using different versions of Microsoft Office. The POC is also now available on
GitHub to test the exploit, as shown in the figure below.

Figure 2 – Exploit POC



Cyble Research Labs was able to test the above POC and exploit the MSDT
vulnerability, as shown below.

Figure 3 – Exploitation of MSDT Vulnerability



Security researcher Kevin Beaumont mentioned that the vulnerability was first
exploited in the wild over a month ago. The “invitation for an interview” file
was spotted targeting a Russian user in the wild.

Figure 4 – Document Targeting Russian User



Kevin named this vulnerability “Follina” because the file name contains the
string “0438”, which is the telephone code for the Italian municipality of
Follina.


TECHNICAL ANALYSIS



Cyble Research Labs analyzed the sample identified by nao_sec (SHA-256:
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784).

The maldoc contains a relationship file, “document.xml.rels,” whose external
target loads the “RDF8421.html” file hosted on the remote server
hxxp://www.xmlformats[.]com.

Figure 5 – Document Loads HTML File
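The external-target check described above, as an added example that is not part of the original post or Cyble's tooling: it opens a .docx as the zip package it is, reads every .rels part, and flags relationships marked External whose type can fetch remote content. The sample document is constructed in memory and points at a placeholder URL, not the real host.

```python
"""Scan a .docx package for external relationship targets.

Added example, not Cyble's code. It checks every .rels part inside the
Open XML package for relationships marked TargetMode="External" and flags
those whose type can pull remote content (oleObject, attachedTemplate, frame)
over a URL scheme. The sample document built below is a constructed, benign
stand-in: its relationship points at a placeholder URL, not the real C&C host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Word fetch content from outside the package.
REMOTE_CAPABLE = {"oleObject", "attachedTemplate", "frame"}
# Schemes worth flagging when they appear as a target of those types.
REMOTE_SCHEMES = ("http://", "https://", "ms-msdt:")


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship type, target) for every External relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rtype, rel.get("Target", "")))
    return found


def suspicious_targets(docx_bytes: bytes) -> List[str]:
    """Targets that a remote-capable relationship resolves over a flagged scheme."""
    hits = []
    for _, rtype, target in external_targets(docx_bytes):
        if rtype in REMOTE_CAPABLE and target.lower().startswith(REMOTE_SCHEMES):
            hits.append(target)
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal package: one external oleObject plus a normal internal part."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId5" Type="{DOC_REL}oleObject" '
        'Target="http://example.invalid/RDF8421.html" TargetMode="External"/>'
        f'<Relationship Id="rId1" Type="{DOC_REL}styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/styles.xml", "<styles/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for target in suspicious_targets(build_sample_docx()):
        print("external remote-capable target:", target)
```

Run against a real sample by passing the file's bytes instead of the constructed package; an ordinary document with only hyperlinks and internal parts returns an empty list.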



The HTML file then executes a PowerShell command through the ms-msdt URL
scheme, as shown below.

Figure 6 – PowerShell Command



Upon execution, the PowerShell command further decodes the base64 encoded
content and performs other malicious activities.

Figure 7 – Decoded Base64 String



The PowerShell content performs the following tasks:

 * Runs with a hidden window
 * Terminates msdt.exe in case it is running
 * Moves the “05-2022-0438.rar” file to C:\Users\public and renames it as
   “1.rar”
 * Checks the base64-encoded CAB file (MSCF header) inside the “1.rar” file and
   saves it as “1.t”
 * Decodes the CAB file “1.t” and saves it as “1.c”
 * Expands “1.c” and executes the file “rgb.exe”

The file “05-2022-0438.rar” was not available for analysis, so the functionality
of rgb.exe is not fully clear at the moment.

The interesting part is that the malware leverages the ms-msdt schema to execute
malicious code. The following process chain was observed after execution.

Figure 8 – Process Chain



Checking for the above chain is a good way to identify exploitation: an
msdt.exe process launched by an Office application such as winword.exe or
excel.exe indicates exploitation of the MSDT vulnerability.
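The process-chain check above, as an added example that is not part of the original post: it runs two rules over constructed process-creation records (an msdt.exe child of an Office application, and the ms-msdt: scheme on the msdt.exe command line). The record layout, process IDs, paths and the troubleshooter argument are assumptions made for the demo.

```python
"""Flag the Follina process chain in process-creation telemetry.

Added example, not Cyble's code. The records below are constructed in a
simplified Sysmon Event ID 1 shape (Image, ParentImage, CommandLine); the
field names, process IDs and paths are assumptions made for the demo.
Rule 1: msdt.exe whose parent is an Office application.
Rule 2: msdt.exe invoked through the ms-msdt: URL scheme.
"""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MS_MSDT_SCHEME = re.compile(r"\bms-msdt:", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the reasons a record looks like MSDT exploitation, or None."""
    if image_name(event.get("Image", "")) != "msdt.exe":
        return None
    parent = image_name(event.get("ParentImage", ""))
    reasons = []
    if parent in OFFICE_APPS:
        reasons.append(f"msdt.exe spawned by Office process {parent}")
    if MS_MSDT_SCHEME.search(event.get("CommandLine", "")):
        reasons.append("ms-msdt: URL scheme on the command line")
    return "; ".join(reasons) if reasons else None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(ProcessId, reason) for every record that trips a rule."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event["ProcessId"], reason))
    return alerts


# Constructed sample telemetry: a troubleshooter launched from Control Panel
# (benign), a Follina-style launch from Word with a placeholder ms-msdt:
# argument, and an unrelated Word child that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
    {"ProcessId": "5312", "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER_TROUBLESHOOTER'},
    {"ProcessId": "5400", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```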


WORKAROUNDS:

Microsoft also advised users to perform the following workarounds:

DISABLING THE MSDT URL PROTOCOL:



Users are advised to disable the vulnerable MSDT URL protocol, which in turn
prevents troubleshooters from being launched as links. Microsoft has advised
users to delete the registry key after taking a backup.

The figure below shows the MSDT registry key.

Figure 9 – MSDT Registry Key



DISABLING MSDT:



 * Run Command Prompt as Administrator.
 * To back up the registry key, execute the command “reg export
   HKEY_CLASSES_ROOT\ms-msdt filename”.
 * Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

HOW TO UNDO THE WORKAROUND:



 * Run Command Prompt as Administrator.
 * To restore the registry key from the backup, execute the command “reg import
   filename”.


CONCLUSION



Threat actors are constantly looking for new techniques to target individuals
and organizations. In this case, they are leveraging the vulnerability in MSDT
to execute malicious code.

Cyble will closely monitor the MSDT vulnerability and continue to update our
readers with the latest information.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:  

SAFETY MEASURES NEEDED TO PREVENT MALICIOUS ATTACKS:



 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.
 * Conduct regular backup practices and keep those backups offline or in a
   separate network.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic. 
 * Use a reputed anti-virus and Internet security software package on your
   connected devices, including PC, laptop, and mobile.

USERS SHOULD TAKE THE FOLLOWING STEPS AFTER THE MALICIOUS ATTACK:



 * Detach infected devices from the network.
 * Disconnect external storage devices if connected.
 * Inspect system logs for suspicious events.

IMPACTS AND SEVERITY OF MALWARE ATTACKS:



 * Loss of Valuable data.
 * Loss of organization’s reliability or integrity.
 * Loss of organization’s business information.
 * Disruption in organization operation.
 * Economic loss


INDICATORS OF COMPROMISE (IOCS)

| Indicators                                                       | Indicator Type | Description  |
|------------------------------------------------------------------|----------------|--------------|
| 52945af1def85b171870b31fa4782e5                                  | MD5            | Docx Exploit |
| 06727ffda60359236a8029e0b3e8a0fd11c23313                         | SHA-1          | Docx Exploit |
| 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 | SHA-256        | Docx Exploit |
| f531a7c270d43656e34d578c8e71bc39                                 | MD5            | Docx Exploit |
| 934561173aba69ff4f7b118181f6c8f467b0695d                         | SHA-1          | Docx Exploit |
| 710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa | SHA-256        | Docx Exploit |
| hxxp://www.xmlformats[.]com                                      | URL            | C&C URL      |
| 141[.]105.65.149                                                 | IP             | C&C IP       |

