Source: https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/ (urlscan.io capture, submitted December 15)
Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery

Author: Tara Seals
December 14, 2021 5:21 pm
7 minute read

December’s Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.

Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications. The patch came as part of the computing giant’s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities.

The patches cover the waterfront of Microsoft’s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

Seven of the bugs addressed are rated critical, six were previously disclosed as zero-days and 60 are considered “important.” The update brings the total number of CVEs patched by Microsoft this year to 887, which is down 29 percent in volume from a very busy 2020.

Zero-Day Exploited in the Wild

The zero-day (CVE-2021-43890) is an important-rated spoofing vulnerability in the Windows AppX Installer, a utility for side-loading Windows 10 apps that is available on the App Store.

Kevin Breen, director of cyber-threat research at Immersive Labs, explained that the bug “allows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which made a comeback this year.”

Breen warned, “the patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.”

Prior to its fix today, the bug was seen in multiple attacks associated with Emotet, TrickBot and Bazaloader, according to Satnam Narang, staff research engineer at Tenable.

“To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack,” he explained via email. “Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system.”

If patching isn’t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

Other Publicly Known Microsoft Vulnerabilities

It’s worth noting that Microsoft also patched CVE-2021-43883, a privilege-escalation vulnerability in Windows Installer, for which there’s been an exploit circulating and, reportedly, active targeting by attackers, even though Microsoft said it has seen no exploitation.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation-of-privilege vulnerability in Windows Installer that was reportedly fixed in November,” Narang said. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Breen noted that this kind of vulnerability is highly sought after by attackers looking to move laterally across a network.

“After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz,” he said. “Almost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.”

Four other bugs were listed as “publicly known” but not exploited, all rated important and allowing privilege escalation:

* CVE-2021-43240, in NTFS Set Short Name
* CVE-2021-43893, in the Windows Encrypting File System (EFS)
* CVE-2021-43880, in Windows Mobile Device Management
* CVE-2021-41333, in Windows Print Spooler

The update does not address CVE-2021-24084, an unpatched Windows security vulnerability disclosed in late November, which could allow information disclosure and local privilege escalation (LPE).

Critical-Rated Microsoft Security Bugs for December

1. CVE-2021-43215 in iSNS Server

The first critical bug (CVE-2021-43215) to cover allows remote code execution (RCE) on the Internet Storage Name Service (iSNS) server, which enables automated discovery and management of iSCSI devices on a TCP/IP storage network. It rates 9.8 out of 10 on the vulnerability-severity scale. The bug can be exploited if an attacker sends a specially crafted request to an affected server, according to Microsoft’s advisory.

“In other words, if you’re running a storage-area network (SAN) in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually,” said Trend Micro Zero Day Initiative researcher Dustin Childs, in a Tuesday blog. “If you have a SAN, prioritize testing and deploying this patch.”

Breen concurred that it’s critical to patch quickly if an organization operates iSNS services. “Remember that this is not a default component, so check this before you bump it up the list,” he said via email. However, “as this protocol is used to facilitate data storage over the network, it would be a high priority target for attackers looking to damage an organization’s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target.”

2. CVE-2021-43907 in Visual Studio Code WSL Extension

Another 9.8-out-of-10-rated bug is CVE-2021-43907, an RCE issue in the Visual Studio Code WSL Extension that Microsoft said can be exploited by an unauthenticated attacker, with no user interaction. It didn’t provide further details.

“This impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code,” Childs explained. “It allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. This sort of cross-platform functionality is used by many in the DevOps community.”

3. CVE-2021-43899 in Microsoft 4K Wireless Display Adapter

The third and final 9.8-CVSS-rated bug is CVE-2021-43899, which also allows RCE on an affected device if the attacker has a foothold on the same network as the Microsoft 4K Display Adapter. Exploitation is a matter of sending specially crafted packets to the affected device, according to Microsoft.

“Patching this won’t be an easy chore,” Childs said. “To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can [they] use the ‘Update & Security’ section of the app to download the latest firmware to mitigate this bug.”

4. CVE-2021-43905 in Microsoft Office

Another critical RCE bug (CVE-2021-43905) exists in the Microsoft Office app; it rates 9.6 on the CVSS vulnerability-severity scale, and Microsoft marked it as “exploitation more likely.”

“Very little is given away in the advisory to identify what the immediate risk is – it simply states the affected product as ‘Office App,’” Breen noted. “This can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available – especially when security teams are already tied down with other critical patching.”

However, Aleks Haugom, researcher at Automox, said it should be a priority for patching.

“As a low-complexity vulnerability, an attacker can expect repeated results,” he said in a Tuesday analysis. “Although Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed, they have confirmed that the Preview Pane is not an attack vector. Given that this threat can impact resources beyond the security scope managed by the security authority, immediate remediation actions are advised.”

5. CVE-2021-42310 in Microsoft Defender for IoT

One of 10 issues found in Defender for IoT, this bug (CVE-2021-42310) allows RCE and rates 8.1 on the CVSS scale.

“A password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate,” explained Childs. “The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself.”

The other nine bugs in the platform include seven other RCE vulnerabilities, one elevation-of-privilege vulnerability and one data-disclosure vulnerability, all rated “important.”

6. CVE-2021-43217 in the Windows Encrypting File System (EFS)

This bug (CVE-2021-43217) allows RCE and rates 8.1 on the CVSS scale.

“An attacker could cause a buffer overflow that would lead to unauthenticated non-sandboxed code execution, even if the EFS service isn’t running at the time,” Childs explained. “EFS interfaces can trigger a start of the EFS service if it is not running.”

Jay Goodman, in the Automox posting, noted that it can be chained with the publicly disclosed elevation-of-privilege vulnerability in EFS and thus presents a special threat.

“While either of these vulnerabilities constitute impactful disclosures that need to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation,” he said. “Attacks could use the combination of RCE with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally.”

In other words: This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.

7. CVE-2021-43233 in Remote Desktop Client

The flaw (CVE-2021-43233) allows RCE and rates 7 on the CVSS scale. It’s listed as “exploitation more likely.”

“This one…would likely require a social engineering or phishing component to be successful,” Breen explained. “A similar vulnerability, CVE-2021-38666, was reported and patched in November. While it was also marked as ‘exploitation more likely,’ thankfully there have been no reports of proof-of-concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.”

Automox researcher Gina Geisel emphasized the bug’s high complexity for exploitation.

“To exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning or using a man-in-the-middle (MITM) technique, as examples,” she said. “An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.”

Other Microsoft Bugs of Note for December

Childs also flagged CVE-2021-42309, an RCE issue in Microsoft SharePoint Server, as a vulnerability to prioritize. It allows an attacker to bypass the restriction against running arbitrary server-side web controls.

“The vulnerability allows a user to elevate and execute code in the context of the service account,” he explained. “An attacker would need ‘Manage Lists’ permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions.”

He said the issue is similar to the previously patched CVE-2021-28474, except that the unsafe control “is ‘smuggled’ in a property of an allowed control.”

Operating system bugs should be prioritized, researchers added.

“The disclosures include a functional example in the case of the Print Spooler, proof-of-concept for the NTFS and Windows Installer vulnerabilities, so there is some cause to put urgency on the OS updates this month,” Chris Goettl, vice president of product management at Ivanti, told Threatpost.
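The password-reset check Childs describes for CVE-2021-42310 (item 5 above) rests on one rule: the intermediate certificate shipped with the request must chain to the root CA built into the appliance, not merely sign the signing certificate. The Go program below is an added example written for this page, not code from Microsoft or from Defender for IoT; the ResetRequest structure, the certificate names, the JSON document and the function names are all constructed for illustration. It builds the three-tier chain with the standard library, verifies a request strictly against a pinned root, and shows that a chain minted under a different root with identical subject names is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ResetRequest is a constructed stand-in for the request Childs describes
// (signed JSON document + signing certificate + intermediate); not the product's format.
type ResetRequest struct {
	Document     []byte
	Signature    []byte // ASN.1 ECDSA signature over SHA-256(Document)
	SigningCert  *x509.Certificate
	Intermediate *x509.Certificate
}

// MakeCert issues a P-256 certificate for cn; parent == nil yields a self-signed one.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, not CA practice
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRequest signs doc with the signing certificate's key and bundles the chain.
func NewRequest(doc []byte, signingCert *x509.Certificate, signingKey *ecdsa.PrivateKey, inter *x509.Certificate) (ResetRequest, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, signingKey, digest[:])
	if err != nil {
		return ResetRequest{}, err
	}
	return ResetRequest{Document: doc, Signature: sig, SigningCert: signingCert, Intermediate: inter}, nil
}

// VerifyResetRequest accepts the request only if the signing certificate chains through
// the supplied intermediate to the root pinned in the appliance, and the document
// signature then verifies under the signing certificate's key. The intermediate from
// the request is never a trust anchor, only a link that must itself be signed by the root.
func VerifyResetRequest(req ResetRequest, builtinRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(builtinRoot) // the only trust anchor
	inters := x509.NewCertPool()
	inters.AddCert(req.Intermediate) // untrusted until it chains to roots
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := req.SigningCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain rejected: %w", err)
	}
	pub, _ := req.SigningCert.PublicKey.(*ecdsa.PublicKey) // nil if not an ECDSA key
	digest := sha256.Sum256(req.Document)
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], req.Signature) {
		return fmt.Errorf("document signature does not verify under the signing certificate")
	}
	return nil
}

func main() {
	doc := []byte(`{"user":"alice","action":"reset-password"}`) // constructed sample
	root, rootKey, _ := MakeCert("appliance-root", true, nil, nil)
	inter, interKey, _ := MakeCert("vendor-intermediate", true, root, rootKey)
	leaf, leafKey, _ := MakeCert("reset-signer", false, inter, interKey)
	legit, _ := NewRequest(doc, leaf, leafKey, inter)
	fmt.Println("legit request: ", VerifyResetRequest(legit, root)) // <nil>
	// Same subject names, but issued under an attacker-made root: must be rejected.
	eRoot, eRootKey, _ := MakeCert("attacker-root", true, nil, nil)
	eInter, eInterKey, _ := MakeCert("vendor-intermediate", true, eRoot, eRootKey)
	eLeaf, eLeafKey, _ := MakeCert("reset-signer", false, eInter, eInterKey)
	forged, _ := NewRequest(doc, eLeaf, eLeafKey, eInter)
	fmt.Println("forged request:", VerifyResetRequest(forged, root)) // non-nil: chain rejected
}
```

Run it with go run: the legitimate request verifies and the forged one fails with a chain error, even though every subject name matches. The mistake class the advisory points at is anchoring trust in material the request itself carries, for example adding the presented intermediate to the roots pool or only checking that it signed the signing certificate; a unit test that feeds a chain under a foreign root, and a tampered document under a good chain, is the regression guard for that.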