Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

More Baseband Management Controller Vulns Threaten Server Supplies

Last month we wrote about vulnerabilities in the AMI MegaRAC Baseboard Management Controller software, posing a risk to servers from many manufacturers including DELL EMC, HP Enterprise, and Lenovo. Now security firm Eclypsium, who found and disclosed three vulnerabilities, has updated its advisory to add two new vulnerabilities which it had not disclosed, in order to allow AMI to develop mitigations.

The new vulnerabilities are:

• CVE-2022-26872 (CVSS score: 8.3) - Password reset interception via API
• CVE-2022-40258 (CVSS score: 5.3) - Weak password hashes for Redfish and API

The AMI security advisory is somewhat uninformative, but NVD classifies the first vulnerability as a weak password recovery mechanism for forgotten passwords, while the second seems to relate to the use of weak hashing algorithms - specifically, MD5 with a single global salt. Customers should check with their server vendors to see whether they have released an update to address these issues - several already have.

Babkin, Vlad, Supply Chain Vulnerabilities Put Server Ecosystem at Risk, blog post, 5 December 2022. Available online at https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/.

VBA Macros Install Monero Cryptominer

A new report from Fortiguard Labs researcher Xiaopeng Zhang explains how an unidentified threat actor is using malicious Visual Basic for Applications (VBA) macros to install the ever-popular XMRig cryptominer, hijacking the victim's computer to mine Monero cryptocurrency.

Three different Excel documents were discovered, each of which carries a VBA project which, when the spreadsheet is opened, will cause Excel to pop up the usual security warning about macros having been disabled. Of course, we all know what many users will do in response to this: they will click the "Enable Content" button. The spreadsheet in fact encourages this through a nice trick: it displays a blurred graphic, tricking the user into thinking the image will clear if the content is enabled.

Once the VBA code is running, it downloads a binary executable from a C2 server, saving it to the system Templates folder and renaming it before executing it. Like the VBA code itself, this binary is obfuscated, but deobfuscation reveals it to be a .Net executable which, in turn, carries a gzip-compressed .Net DLL. This is extracted in memory and then loaded, before being executed. This code is also extensively obfuscated and also contains functions to detect tampering at runtime, making it very difficult to analyse, but the code is a malware loader and installer, with the payload in the .Net module.

The next stage is to gain persistence, which is done by create a task in TaskScheduler, before loading and decoding its configuration block and initiating communication with the C2 server. After uploading information gathered from the victim system - CPU type, current user name, etc. - the malware receives commands, typically to download further files from Microsodt OneDrive. The first of these is used to perform process hollowing, replacing the code of an innocuous-looking AddInProcess.exe with the content of the second, which is the xmrig.exe cryptominer.

It is a long and convoluted process, most of which is intended to obscure the nature of the attack and prevent analysis.

Zhang, Xiaopeng, Analyzing Malware Code that Cryptojacks System to Mine for Monero Crypto, blog post, 31 January 2023. Available online at https://www.fortinet.com/blog/threat-research/malicious-code-cryptojacks-device-to-mine-for-monero-crypto.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.