May cyber news round-up
New and insidious Microsoft Office vulnerability discovered, major warning issued for MSPs, Eurovision under attack and malware now being spread by Telegram...
There's no rest for the wicked, and there was plenty of wicked cyber activity going on in the month of May. Check it out!
New Microsoft Office RCE vulnerability, Follina, discovered
On Sunday 31st May, researchers identified a new critical vulnerability in Microsoft Office that allows a malicious actor to remotely execute code on a target system by exploiting Microsoft Diagnostic Tool (MSDT) and Word template downloads.
The exploit enables an attacker to download a “template” for Microsoft Office that is actually an encoded PowerShell command. When this is analysed by the MSDT it is decoded and the code is executed on the target system.
Due to the nature of the vulnerability, the malicious files do not even need to be opened to execute the code.
This vulnerability poses a serious risk to organisations running Microsoft Office. However, while there is no official patch for the issue, temporary mitigations can be implemented.
FBI, CISA and NSA warn of hackers targeting MSPs
Cybersecurity and law enforcement agencies from members of the Five Eyes (FVEY) intelligence alliance have shared guidance for managed service providers (MSPs) to secure networks and sensitive data, given their increased risk of being targeted in supply chain attacks.
A high-level summary of the actions that MSPs and their customers can take includes:
- Identifying and disabling accounts that are no longer in use.
- Enforcing MFA on MSP accounts that access the customer environment and monitoring for unexplained failed authentication.
- Ensuring MSP-customer contracts transparently identify ownership of information and communications technology (ICT) security roles and responsibilities.
You can read the advisory here - https://www.cisa.gov/uscert/ncas/alerts/aa22-131a
Pro-Russian threat group targets Eurovision, declares war on ten states
Ukraine may have gone on to win the 2022 Eurovision song contest, but it wasn’t without some resistance from pro-Russian hackers, who targeted the Eurovision Song Contest on two out of three nights.
The attacks were attributed to pro-Russian threat group Killnet, given that they implied that they would launch a DDoS attack against the online voting system. Thankfully, the host country, Italy, had allocated sufficient resources to counteract the cyber-attacks and was able to prevent them from impacting the competition.
Killnet has since announced that they did not launch the attacks that were stopped by the Italian authorities. However, they said that they would declare war on 10 countries (the US, the UK, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland and Ukraine) for their support of Ukraine.
Threat actors use Telegram to spread Eternity malware
A new strain of modular malware-as-a-service, called the Eternity Project, has emerged. It is currently being promoted and distributed via a Telegram channel that has over 500 subscribers.
Eternity provides its customers with a customisable, modular malware package, lowering the barrier to entry for becoming a cybercriminal, as long as you have the money to pay for it. The prices for the modules range from $90 to $490 and include a stealer, clipper, worm, miner, and ransomware. Apparently, the developers of the project are also developing a DDoS module.