Advisory ID: NCC-CSIRT-120224-004

Summary: 

Microsoft is currently examining an issue where Outlook security alerts are triggered when attempting to open .ICS calendar files subsequent to installing the December 2023 Patch Tuesday Office security updates. An ICS file is a file format for iCalendar in Outlook. Those impacted encounter dialog boxes cautioning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" upon double-clicking locally saved ICS files.

Threat Type(s): Vulnerability

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Microsoft 365

Platform(s): Microsoft Outlook

Version(s): All Versions.

Description: 

Upon deploying a security update addressing the Microsoft Outlook information disclosure vulnerability (CVE-2023-35636), the security warning will be displaced. Failure to apply the patch may enable attackers to exploit the vulnerability, potentially tricking users with unpatched Outlook installations into opening maliciously crafted files, thereby compromising their hidden Windows credentials. 

Consequences: The attackers can use the victim’s obfuscated Windows credentials to authenticate as the compromised user, gain access to sensitive data, or spread laterally on their network.

Solution: 

Impacted users can disable the dialog by following the step-by-step instructions available in the link below:

https://learn.microsoft.com/en-gb/microsoft-365/troubleshoot/administration/enable-disable-hyperlink-warning#how-to-globally-enable-or-disable-hyperlink-warnings

References:

• https://support.microsoft.com/en-us/office/outlook-prompts-security-notice-opening-ics-files-after-installing-protections-for-microsoft-outlook-information-disclosure-vulnerability-released-dec-12-2023-df8647ef-1828-421b-a266-79120b6190bd
• https://learn.microsoft.com/en-us/answers/questions/1521137/how-can-i-avoid-outlooks-security-warning-on-a-ics
• https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-december-updates-trigger-ics-security-alerts/ 

Advisory ID: NCC-CSIRT-050224-003

Summary: 

Researchers from AT&T Cybersecurity have discovered new phishing attacks exploiting Microsoft Teams group chat requests to distribute malicious attachments. These attachments install DarkGate malware payloads on the systems of unsuspecting victims. The operators of DarkGate take advantage of Microsoft Teams to execute these attacks, focusing on organizations where administrators have not secured their tenants by disabling the External Access setting.

Threat Type(s): Phishing 

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Microsoft Teams.

Platform(s): Microsoft Teams Group Chat

Version(s): All Versions.

Description: 

The researchers uncovered that the perpetrators utilized what appears to be a compromised Teams user (or domain) to dispatch over 1,000 malicious Teams group chat invitations. This exploit became feasible due to Microsoft's default enabling of External Access to company chats, granting anyone within the organization the ability to add users to chats, even if they are external to the organization.

 Upon acceptance of the chat invitation by the targets, the malicious actors deceive them into downloading a file with a double extension, cleverly named 'Navigating Future Changes October 2023.pdf.msi' a common tactic employed by DarkGate. Once the malware is installed, it establishes communication with its command-and-control server, a component already verified as part of the DarkGate malware infrastructure. This phishing attack is facilitated by Microsoft's default setting, allowing external Microsoft Teams users to message users from other tenants. 

Consequences: 

Deployment of DarkGate malware payloads along with the phishing impacts.

Solution: 

• Exercise caution regarding file sharing by refraining from accepting or opening files from untrusted sources and avoid installation of such files altogether.
• Organization should disable External Access in Microsoft Teams.
• End users should always be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email. Phishing attack is a type of cyber-attack where attackers impersonate legitimate entities to deceive individuals into providing sensitive information such as passwords, financial details, or personal data, often through deceptive emails, messages, or websites.

References:

https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/

https://windowsreport.com/microsoft-teams-darkgate-phishing-attacks/

https://cyber.vumetric.com/security-news/2024/01/30/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/

Advisory ID: ngCERT-2024-0003

Summary: 

Chameleon, a rapidly evolving Android banking Trojans, has been discovered to be targeting Android users globally. The new Android malware type has the potential to bypass any biometric authentication, steal sensitive information such as login credentials and credit card information, and conduct fraudulent operations via banking applications. Chameleon's ability to disable biometric security measures such as fingerprint and facial unlock makes it more dangerous, with disastrous consequences for Android banking users. This highlights the importance for Android phone owners to take the required precautions to mitigate the aforementioned threat. 

Damage/Probability: CRTICAL/HIGH

Description: 

Chameleon trojan was found to enable attackers to carry out Account Takeover (ATO) and Device Takeover (DTO) attacks, mostly targeting banking and cryptocurrency apps. The malware is distributed through phishing pages, disguised as legitimate applications/programs and delivered via a legitimate content distribution network (CDN). The new variant is distributed using Zombinder, a dropper-as-a-service (DaaS) used in attacks against Android users. The trojan performs device-specific checks, which are activated when a command is received from the command-and-control (C&C) server, while targeting the 'Restricted Settings' protections added in Android 13. Upon receiving the command, the Trojan presents an HTML page requesting that the user enable the Accessibility service, which allows the malware to perform DTO. After receiving further commands, the malware assesses the device's screen and keyguard status and then uses the Accessibility Event action to bypass biometric authentication while transitioning to PIN authentication. This fall back to standard facilitates theft of PINs, passwords, or graphical keys using keylogging functionalities, by threat actors. The revised Chameleon edition also includes job scheduling using the AlarmManager API, which was seen in other banking trojans but done differently. If the Accessibility option is not enabled, the trojan can move to gathering information about user programs in order to identify the foreground application and display overlays via the 'Injection' activity.  

Consequences: 

A successful execution of Chameleon banking trojan could result to the following:

• Financial losses from unauthorized transactions.
• Data exfiltration.
• Damage to reputation.
• Privacy breaches.
• Disruption of critical financial operations.
• Privilege escalation on devices. 

Solution: 

It is therefore recommended that android phone users should:

• Avoid clicking links on emails or text messages, even from seemingly legitimate sources.
• Ensure that their Android devices and apps are up to date with the latest security patches.
• Only download apps from the official Google Play Store.
• Avoid using public Wi-Fi networks for sensitive banking activities.
• Report suspicious activities to your bank immediately.
• Be mindful of social engineering and phishing tactics deployed by cybercriminals.
• Implement mobile device management (MDM) solutions to enforce security policies and remotely manage devices.
• Ensure that Play Protect is enabled at all times.
• Run regular scans to ensure that devices are free of malware and adware. 

References:

• https://www.securityweek.com/chameleon-android-malware-can-bypass-biometric-security/
• https://www.bleepingcomputer.com/news/security/android-malware-chameleon-disables-fingerprint-unlock-to-steal-pins/

Advisory ID: ngCERT-2024-0002

Summary: A critical vulnerability (CVE-2023-49647) has been identified in Zoom products, exposing the potential for threat actors to exploit it for activities such as denial of service, privilege escalation and unauthorized disclosure of sensitive information on impacted systems. This jeopardizes the confidentiality and integrity of Zoom sessions and user data, underscoring the urgency to implement essential measures to effectively mitigate this threat.

Damage/Probability: CRTICAL/HIGH

Description: The identified vulnerability in Zoom products are due to improper authentication, path traversal, improper access control and cryptograph. Precisely, an Improper Access Control vulnerability exists in Zoom Desktop Client, Zoom VDI Client, and Zoom SDKs for Windows. The vulnerability allows an unauthenticated user to conduct an escalation of privilege via local access, potentially leading to unauthorized actions, such as modifying system settings, installing malware, or accessing sensitive data. Some of the affected products identified include:

• Zoom Desktop Client for Windows before version 16.10
• VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 15.12)
• Zoom Video SDK for Windows before version 16.10
• Zoom Meeting SDK for Windows before version 16.10s 

Consequences: Successful exploitation of this vulnerability could result in the following:

• Data Exfiltration
• Execution of malware on systems
• Launch of DoS or DDoS
• Further compromise of individual or organizations

Solution: Users can help keep themselves secure by Upgrading to version 5.16.10 which eliminates this vulnerability or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

References:

• https://www.zoom.com/en/trust/security-bulletin/ZSB-24001/
• https://securityonline.info/cve-2023-49647-a-high-risk-zoom-vulnerability/