May cyber news round-up

On Sunday 31^st May researchers identified a new critical vulnerability in Microsoft Office that allows a malicious actor to remotely execute code on a target system by exploiting Microsoft Diagnostic Tool (MSDT) and word template downloads.

The exploit enables an attacker to download a “template” for Microsoft Office that is actually an encoded PowerShell command. When this is analysed by the MSDT it is decoded and the code is executed on the target system.

Due to the nature of the vulnerability, the malicious files do not even need to be opened to execute the code.

This vulnerability poses a serious risk to organisations running Microsoft Office. However, while there is no official patch for the issue, temporary mitigations can be implemented.

Cybersecurity and law enforcement agencies from members of the Five Eyes (FVEY) intelligence alliance have shared guidance for managed service providers (MSPs) to secure networks and sensitive data, given their increased risk of being targeted in supply chain attacks.

A high-level summary of the actions that MSPs and their customers can take includes:

- Identifying and disabling accounts that are no longer in use.
- Enforcing MFA on MSP accounts that access the customer environment and monitoring for unexplained failed authentication.
- Ensuring MSP-customer contracts transparently identify ownership of information and communications technology (ICT) security roles and responsibilities.

You can read the advisory here - https://www.cisa.gov/uscert/ncas/alerts/aa22-131a

Ukraine may have gone on to win the 2022 Eurovision song contest, but it wasn’t without some resistance from pro-Russian hackers, who targeted the Eurovision Song Contest on two out of three nights.

The attacks were attributed to pro-Russian threat group Killnet, given that they implied that they would launch a DDoS attack against the online voting system. Thankfully, the host country, Italy, had allocated sufficient resources to counteract the cyber-attacks and was able to prevent them from impacting the competition.

Killnet has since announced that they did not launch the attacks that were stopped by the Italian authorities. However, they said that they would declare war on 10 countries (US, the UK, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine) for their support of Ukraine.

A new strain of modular malware as a service, called the Eternity Project, has emerged. It is currently being promoted and distributed via a Telegram channel that has over 500 subscribers.

Eternity provides its customers with a customisable, modular malware package, lowering the barrier of entry to being a cybercriminal, as long as you have the money to pay for it. The prices for the modules range from $90 to $490 and include a stealer, clipper, worm, miner, and ransomware. Apparently, the developers of the project are also developing a DDoS module.