Cymulate’s June 2022 Cyberattacks Wrap-up
In June 2022, cybercrime flourished. Let's look at last month's cyberattacks making news.
Follina Day's Work
Follina dominated the headlines as the Microsoft zero-day flaw exploited by a number of threat actors, including Chinese state-sponsored hackers, who used it to attack organizations associated with the Tibetan government in exile. The Russian nation-state group APT28 (aka Fancy Bear or Sofacy) abused it in phishing attacks against targets in Ukraine. Beyond state-sponsored actors, several ransomware groups used it to spread the Qbot banking Trojan (aka QakBot) and establish a persistent foothold in target networks for future attacks.

How It Works
A malicious document uses the Word remote template feature to retrieve an HTML file from a remote web server; that HTML then uses the ms-msdt MSProtocol URI scheme to load code and execute PowerShell. Word runs the code through the Microsoft Support Diagnostic Tool (MSDT) even when macros are disabled. The vulnerability affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. It can also be triggered from .lnk files, making it a double threat. In other words, threat actors could exploit the vulnerability by running malicious PowerShell commands via MSDT as soon as a malicious Office document was opened or previewed, even with macros disabled.

MsiExec Wreck
Also in June 2022, we saw threat actors using Msiexec impersonation for data exfiltration.

- They gained initial access by exploiting a vulnerability in ManageEngine SupportCenter Plus.
- This allowed them to drop a webshell in a cloud-accessible directory.
- The webshell was then used for WDigest authentication and for regularly checking which users were logged into the beachhead server.
- An LSASS dump was performed to capture the credentials of an administrative user that had recently logged into the system.
- They then moved laterally to critical servers using Plink and RDP to exfiltrate sensitive information.
- The threat actors downloaded ekern.exe and deployed a script to establish a reverse SSH connection to the RDP port of the beachhead server.
- After an interactive RDP session was successfully established to the beachhead server, other computers in the network were enumerated.