Here are the most relevant headlines of the week; take note and stay informed of all the details:
Checkpoint researchers have published a study highlighting the constant evolution of this malware, which was discovered earlier this year. Checkpoint outlines several features that confirm the constant changes brought about by Bumblebee.
These include the delivery vector used for distribution, most commonly a DLL embedded in an ISO file. This was modified for a time to use a VHD file, but has since reverted to ISO delivery via malspam campaigns.
The researchers also note the inclusion of checks for sandbox environments, intended to hinder malware analysis. It is also estimated that, until last July, Bumblebee's Command & Control (C2) servers accepted only one infected victim per IP address, i.e., if several computers in an organization accessing the internet through the same public IP were infected, the C2 server accepted only one of them. Now the servers can communicate with multiple infected systems on the same network.
ESET researchers have reported a new Lazarus campaign targeting a Dell hardware driver using a new rootkit called FudModule.
The rootkit uses a technique called bring your own vulnerable driver (BYOVD); this is the first time a vulnerability in this Dell hardware driver has been seen exploited in this way.
BYOVD occurs when malicious actors load legitimate, signed drivers with known vulnerabilities into Windows. The campaign, aimed at espionage and data theft, was conducted via spear-phishing from autumn 2021 and affected targets in the Netherlands and Belgium.
The malicious emails were presented as job offers and deployed malware loaders (droppers) and customized backdoors. The most notable tool was a user-mode module that gained the ability to read and write kernel memory by exploiting vulnerability CVE-2021-21551.
This vulnerability affected a legitimate Dell hardware driver ("dbutil_2_3.sys") and had remained exploitable for 12 years until the manufacturer issued security updates to fix it.
The Sonar team has published the discovery of a new critical vulnerability affecting Packagist, the official package repository used by Composer, the world’s largest PHP package manager.
The security flaw, listed as CVE-2022-24828, CVSS of 8.8, allows arbitrary commands to be executed on the server running the Packagist instance. An attacker could exploit this vulnerability to modify the information in existing PHP software packages, even changing the download path of the packages.
This type of attack is known as a supply chain attack, one of the most effective techniques. According to the researchers, of the two billion component downloads that are performed with Composer per month, approximately 100 million of these require the metadata provided by Packagist.
The vulnerability was fixed immediately in an update to Composer, in versions 1.10.26, 2.2.12 and 2.3.5.
Apple software analysis firm Jamf has published details of an investigation by its researcher Ferdous Saljooki on a vulnerability affecting the macOS operating system.
The flaw lies in the Archive Utility function, which could allow unauthorized and unsigned malicious applications to run, bypassing all the protections and warnings that Apple usually includes.
Quarantine tags are normally added by the system when software is untrusted or provides no information about its developer; they cause the file to be scanned and require the user to authorize it manually, preventing the installation of unwanted programs.
Because these tags were absent, attackers could execute malicious software without any check by the victim. The vulnerability has been given the identifier CVE-2022-32910 and, although Apple patched it in its May and July bulletins, it has only become known in the last few days.
The Microsoft team has published details of the vulnerabilities in Microsoft Exchange Server classified as CVE-2022-41040 and CVE-2022-41082, although no patches have yet been released to fix these flaws.
Pending such patches, Microsoft published a script to apply mitigations based on URL rewriting which, as some researchers showed, could be bypassed. In response, Microsoft corrected these temporary mitigations, but their conditions have been called into question again after researcher Peter Hiele demonstrated that one of them, the string filtering of URI identifiers, did not take character encoding into account, which rendered Microsoft's measures ineffective.
This finding was confirmed by other researchers, which has led to Microsoft once again having to correct its mitigations. In addition, researcher Kevin Beaumont pointed out that Microsoft's vulnerability disclosures focus on protecting on-premises servers, leaving out those in hybrid configurations.