Cyber Threat Intelligence Briefing - July 1, 2024

This week, we explore the GrimResource initial access method and a vulnerability roundup.

GrimResource Initial Access Method

Following Microsoft's decision in 2022 to disable macros by default in Office products, threat actors have continued to look for alternative methods to gain initial access to phishing attacks. Last week, the security team at Elastic published research showing a new infection technique spotted in the wild (dubbed GrimResource), which leverages specially crafted Microsoft MSC (.msc) files. These files are used by the Microsoft Management Console (MMC) to manage various parts of the Windows operating system.

The newly observed technique involves a malicious MSC file that abuses an old yet unpatched cross-site scripting (XSS) flaw in a Windows file called 'apds.dll'. When combined with a technique called 'DotNetToJScript', the XSS flaw can be used to execute .NET code in the context of MMC.

The end result of the observed infection chain was the deployment of Cobalt Strike.

It should be noted that while this specific malware deployed Cobalt Strike, the exploit can be abused to execute other commands.

Detection and Prevention Opportunities

There are several behavioral indicators that can be monitored for this type of attack:

• One of the major pieces of this infection chain is the MMC program (mmc.exe) executing a .msc file calling the apds.dll file to trigger the XSS vulnerability. In order to do this, it triggers a CreateFile operation on the apds.dll file. See Appendix A at the end of this article for a CrowdStrike query to search for this condition.
• The observed infection chain creates a temporary file in the INetCache folder with a 'redicrect[*]' naming convention. Look for a .msc file running in mmc.exe that creates a 'redirect[*]' file in the \AppData\Local\Microsoft\Windows\InetCached\IE\*\ path. See Appendix B at the end of this article for a CrowdStrike query to search for this condition.
• Additional detection methods can be found in the Elastic report here.
• Administrators can block email attachments with .msc file extensions which will prevent users from being able to download these files in phishing attacks. If this email rule cannot be implemented, users should be made aware of this attack method and be instructed to not click or download on .msc files.

Additional Resources

• https://www.elastic.co/security-labs/grimresource
  
• https://github.com/tyranid/DotNetToJScript/tree/master
  
• https://falconforce.nl/falconfriday-detecting-mmc-abuse-using-grimresource-with-mde-0xff24/
  
• https://www.bleepingcomputer.com/news/security/new-grimresource-attack-uses-msc-files-and-windows-xss-flaw-to-breach-networks/
  
• https://thehackernews.com/2024/06/new-attack-technique-exploits-microsoft.html

Vulnerability Roundup

Critical Unauthenticated Remote Code Execution Vulnerability in OpenSSH Server

Researchers at Qualys published details to day on a critical unauthenticated RCE in OpenSSH Server in 'glibc-based Linux systems'. The vulnerability, tracked as CVE-2024-6387, is a race condition in sshd (OpenSSH's server) with default configurations. Successful exploitation allows commands to be run as root. Proof-of-concept exploit code is already in the wild.

Per the security release notes from OpenSSH, successful exploitation was demonstrated on 32-bit Linux/glibc systems with ASLR (address space layout randomization). In lab conditions "the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept".

The advisory also states that exploitation of 64-bit systems is believed to be possible but has not yet been demonstrated. The vulnerability impacts OpenSSH versions between 8.5p1 and 9.7p1.

Additionally, versions prior to 4.4p1 are also vulnerable unless they are patched for CVE-2005-5051 and CVE-2008-4109.

Administrators are urged to patch to version 9.8p1 as soon as possible. As an additional precaution, administrators are urged to limit SSH access through network-based controls.

See Appendix C at the end of the article for the PacketWatch query to hunt for vulnerable SSH servers.

• https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
  
• https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
  
• https://www.openssh.com/releasenotes.html
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-6387/details
  
• https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html

Juniper Networks Authentication Bypass

Juniper published an out-of-band security update to address CVE-2024-2973, an authentication bypass vulnerability with a CVSS score of 10.0. Per the advisory, successful exploitation allows the attacker to take full control of the device. The vulnerability affects Juniper Networks Session Smart Router and Conductor devices running in high-availability redundant configurations.

The following versions are impacted:

• Session Smart Router
  • All versions before 5.6.15
  • from 6.0 before 6.1.9-lts
  • from 6.2 before 6.2.5-sts
• Session Smart Conductor
  • All versions before 5.6.15
  • from 6.0 before 6.1.9-lts
  • from 6.2 before 6.2.5-sts
• WAN Assurance Router
  • 6.0 versions before 6.1.9-lts
  • 6.2 versions before 6.2.5-sts

Additionally, Juniper noted that the patch was applied automatically to affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud. Administrators are urged to patch as soon as possible to versions SSR-5.6.15, SSR-6.1.9-lts, or SSR-6.25-sts or later.

• https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US
  
• https://thehackernews.com/2024/07/juniper-networks-releases-critical.html
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-2973/details

Critical Vulnerabilities in VMware vCenter Server

Broadcom released a security update for multiple critical vulnerabilities in vCenter Server. Two vulnerabilities tracked as CVE-2024-37079 and CVE-2024-37080 have a CVSS score of 9.8.

An attacker with network access to vCenter Server can send a specially crafted network packet to gain remote code execution on the vulnerable system. A third vulnerability, tracked as CVE-2024-37081, is a privilege escalation vulnerability with a CVSS score of 7.8. Successful exploitation allows for an authenticated non-administrative user to gain root privileges on the vulnerable server.

All three vulnerabilities affect vCenter Server 7.0 and 8.0, as well as Cloud foundation (vCenter Server) versions 4.x and 5.x. Administrators are urged to patch as soon as possible.

• https://socradar.io/vmware-vcenter-server-cve-2024-37079-cve-2024-37080/
  
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
  
• https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/

Progress MOVEit Authentication Bypass

On June 25th, Progress disclosed a critical vulnerability in its managed file transfer (MFT) solution MOVEit. This vulnerability is tracked as CVE-2024-5806 and has a CVSS score of 9.1. Successful exploitation of the vulnerability allows attackers to bypass the authentication process in the Secure File Transfer Protocol (SFTP) module.

This can lead to the attacker being able to upload, download, delete, or modify files on the MOVEit server. The flaw affects versions 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2.

Vulnerability details and proof-of-concept exploit code are published in the wild. Per this research, successful exploitation requires the attacker to have knowledge of a valid username on the affected system.

Additionally, that specified username must pass IP-based restrictions (from a network allow list). Administrators are urged to patch it as soon as possible.

• https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
  
• https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
  
• https://www.bleepingcomputer.com/news/security/hackers-target-new-moveit-transfer-critical-auth-bypass-bug/

Progress FileCatalyst Workflow SQL Injection

Also on June 25, Progress disclosed a critical SQL injection vulnerability in their FileCatalyst Workflow software. This vulnerability is tracked as CVE-2024-5276 and has a CVSS score of 9.8.

The flaw affects versions 5.1.6 Build 135 and earlier. Per the disclosure, successful exploitation can lead to the creation of administrative users and deletion or modification of data in the application database. The disclosure does, however, state that data exfiltration is not possible using the SQLi vulnerability.

Additionally, in order for exploitation to be successful, anonymous access must be enabled, otherwise the attacker must perform the exploit as an authenticated user.

Administrators are urged to patch to version 5.1.6 build 139 (or later) as soon as possible.

• https://www.fortra.com/security/advisory/fi-2024-008
  
• https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-filecatalyst-workflow-sqli-flaw-released/

Microsoft Outlook Zero-Click RCE

Part of Microsoft's June Patch Tuesday included a fix for CVE-2024-30103, a remote code execution vulnerability in Microsoft Outlook. A unique feature of this vulnerability is the "zero-click" aspect of the remote code execution (RCE).

The flaw can be exploited by the user opening and previewing a maliciously crafted email, requiring no further interaction. Although there are few details publicly available, the Microsoft security advisory states that the vulnerability resides in the Preview Pane of Outlook.

As of this writing, there are no public exploits for this vulnerability. However, administrators are urged to patch as soon as possible. Details for updating Outlook can be found here.

• https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
  
• https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes
  
• https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis
  
• https://github.com/bigb0x/CVE-2024-28995
  
• https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html

Appendix A – CrowdStrike Search for mmc.exe and apds.dll

(#event_simpleName = * or #ecs.version = *)
| (ImageFileName = "*mmc.exe*" and CommandLine = "*.msc*" and "*apds.dll*")

Appendix B – Crowdstrike Search for mmc.exe and ‘redirect’ file

(#event_simpleName = * or #ecs.version = *)
| ("*\\INetCache\\*\\redirect*" and "*mmc.exe*")

Appendix C – PW Query for Vulnerable OpenSSH Servers

ssh.version:/.*openssh\_(([123]\.\d)|(4\.[123])|(8\.[^1234])|(9\.[^01234567])).*/ AND destination.ip:(192.168.0.0\/16 OR 172.16.0.0\/12 OR 10.0.0.0\/8)

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.