Advisory ID: NCC-CSIRT-140723-026
Summary: The Uptycs threat research team has discovered a new malware called "Meduza Stealer" that targets Windows users. This sophisticated malware aims to steal various types of sensitive data, focusing on Windows browsers and vulnerable extensions like crypto wallets and password managers. Additionally, it can collect system-related information from compromised devices, including hardware specifications, IP address, and usernames. These findings underscore the importance of implementing strong security measures to safeguard against the Meduza Stealer malware and similar threats.
Vulnerable Platform(s): Windows Operating Systems
Threat Type: Malware
Impact/Probability: CRITICAL/MEDIUM
Product: Google Chrome, Microsoft Edge, Opera, Thunderbird, and other prominent browsers.
Version: All Versions
Description: The research team made a significant discovery by identifying the new Meduza Stealer malware. Through monitoring dark web forums and Telegram channels, they observed the malware being promoted and distributed to potential cyber-criminals. Unlike typical ransomware, this malware solely focuses on stealing data and continuously evolves with the incorporation of new features. Its primary targets are Windows users and organizations, with the exception of ten specific countries: Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova, and Tajikistan.
Once the malware infiltrates a machine, it initiates its operations. It first checks the geolocation of the victim. If the location is within the list of excluded countries, the malware immediately aborts its activities. Similarly, if the attacker's server is inaccessible, the malware terminates its operations. However, if both conditions are favorable, the malware proceeds to collect extensive data. This data is then packaged, uploaded, and sent to the attacker's server, completing the data theft operation on the infected machine.
Consequences: Meduza Stealer can lead to severe consequences, such as financial losses and potential large-scale data breaches for affected individuals and organizations.
Solution:
- Avoid storing your bank login information in web browsers.
- Encrypt confidential documents before sending them through compromised web browsers.
- Regularly install updates for your operating systems and browsers.
- Only install browser extensions from trusted sources.
- Employ strong and unique passwords for all your accounts.
- Install security applications to patch vulnerabilities that malware can exploit.
- Always scan files using security software before opening them.
References:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work#exclusionlist
https://www.infosecurity-magazine.com/news/meduza-stealer-targets-windows/
Advisory ID: NCC-CSIRT-120723-025
Summary: A tool named TeamsPhisher has been uncovered by a researcher from the U.S. Navy's red team. This tool exploits a security vulnerability in Microsoft Teams, enabling attackers to bypass file-sending restrictions and deliver malware from an external account. If successfully exploited, this vulnerability allows attackers to bypass restrictions on incoming files from users outside of a targeted organization, known as external tenants.
Vulnerable Platform(s): Microsoft Teams
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Microsoft Teams
Version: All Versions
Description: The researcher explains that the Microsoft Teams application has client-side protections that can be deceived, treating an external user as an internal one simply by altering the ID in the POST request of a message. To carry out this attack, a Python-based tool called "TeamsPhisher" has been developed, offering a fully automated approach.
TeamsPhisher performs several steps to execute the attack successfully. It first verifies the target user's existence and their ability to receive external messages, which is a crucial requirement for the attack to proceed. It then creates a new thread with the target user and sends them a message containing a Sharepoint attachment link. This thread becomes visible in the sender's Teams interface, potentially allowing for manual interaction.
Initially, TeamsPhisher requires users to have a Microsoft Business account, including a valid Teams and Sharepoint license, which is commonly found in many large companies. The tool also offers a "preview mode" to help users verify the target lists and ensure the appearance of messages from the recipient's perspective. Additionally, TeamsPhisher provides other features such as sending secure file links that can only be accessed by the intended recipient, specifying delays between message transmissions to bypass rate limiting, and generating log files to record outputs.
Consequences: The TeamsPhisher tool can allow sending a malicious payload directly to a target's Microsoft Teams inbox.
Solution: At present, there is no specific solution as Microsoft has not made a decision regarding corrective actions for this vulnerability. However, the following measures are recommended:
- Microsoft Teams users should adopt safe online computing practices, such as being cautious when clicking on web page links, opening unfamiliar files, or accepting file transfers.
- Organizations are strongly advised to disable external tenant communications if not required.
- Organizations should establish an allow-list comprising trusted domains to minimize the risk of exploitation.
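The two configuration measures above (disabling external tenant communication, or restricting it to an allow-list of trusted domains) can be applied through the MicrosoftTeams PowerShell module. The following is an added example written for this advisory; it is not code from the advisory, from Microsoft, or from the TeamsPhisher tool. It assumes the MicrosoftTeams module is installed and the signed-in account holds a Teams administrator role; the partner domain names are placeholders.

```powershell
# Added example (not from the advisory): audit and tighten Microsoft Teams
# external (federated) access. Assumes the MicrosoftTeams module is installed
# and the signed-in account holds a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current posture. AllowFederatedUsers = $true together with an
#    "allow all known domains" AllowedDomains value lets any external tenant
#    open a chat with your users, which is the precondition TeamsPhisher checks
#    for before sending its message.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# 2a. Organizations that do not need external tenant communication: turn it off.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 2b. Organizations that do need it: replace "allow all" with an explicit
#     allow-list of trusted partner domains (placeholder names below).
$trustedDomains = @('partner-one.example', 'partner-two.example') |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $trustedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Verify: AllowedDomains should now list only the trusted patterns.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

Steps 2a and 2b are alternatives; run the one that matches the organization's policy, then re-run the inspection in step 1 to confirm the tenant no longer accepts messages from arbitrary external tenants.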
References:
https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/
https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/
https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=06&month%5B%5D=07
Advisory ID: NCC-CSIRT-090523-022
Summary: Malware analysis engineers from Meta discovered a new malware called NodeStealer that targets saved usernames and passwords in browsers, with the aim of compromising businesses' Gmail, Outlook and Facebook accounts.
Vulnerable Platform(s): Browsers
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Gmail, Outlook and Facebook Applications
Version: All Versions
Description: According to the analysts, hackers are distributing the NodeStealer malware through Windows executables that look like PDF files and have filenames related to marketing, social media planning, and monthly budgets. The malware is executed using the Node.js open source JavaScript runtime environment, typically used to develop web applications. After execution, the malware steals the stored credentials and cookie session data from various browsers (Chrome, Opera, Edge and Brave) on victim computers, by referencing the file paths to access the files storing cookies and credentials for various sites and decrypting this data.
Consequences: The malware specifically steals user credentials for Facebook, Gmail, and Outlook accounts.
Solution:
- To avoid NodeStealer Malware, you should practice safe computing habits, such as avoiding suspicious emails and downloads, keeping antivirus software up to date, and regularly backing up important data.
- If you suspect that your system has been infected with NodeStealer, disconnect from the internet and seek the assistance of a reputable cybersecurity professional or use a trusted anti-malware application to remove the threat automatically.
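The description notes that NodeStealer arrives as Windows executables that look like PDF files with business-themed names. The following added example (written for this advisory, not code from the advisory or from Meta's analysts) shows the check a defender can run over a download or share folder: it flags files that carry a document-style double extension such as ".pdf.exe", and files whose first two bytes are the "MZ" magic of a Windows PE executable even though their extension claims a document. The sample files it writes to a temporary directory are constructed and inert: a two-byte "MZ" prefix plus padding, not a real program.

```powershell
# Added example (not part of the advisory): flag files whose bytes are a Windows
# PE executable (the two-byte "MZ" DOS header magic) while their name claims to
# be a document, e.g. "Monthly Budget.pdf.exe" or a ".pdf" holding PE content.
$DocumentExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt')

function Get-FileMagic {
    param([Parameter(Mandatory)][string]$Path)
    # Read only the first two bytes so large files are not loaded into memory.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] 2
        $count  = $stream.Read($buffer, 0, 2)
        if ($count -lt 2) { return $null }
        return [System.Text.Encoding]::ASCII.GetString($buffer, 0, 2)
    } finally {
        $stream.Dispose()
    }
}

function Test-MasqueradingExecutable {
    param([Parameter(Mandatory)][string]$Path)
    $name     = [System.IO.Path]::GetFileName($Path)
    $lastExt  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
    $innerExt = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($name)).ToLowerInvariant()
    $isPe     = (Get-FileMagic -Path $Path) -eq 'MZ'
    $reasons  = @()

    # Double extension such as "Budget.pdf.exe": inner ".pdf", outer ".exe".
    if ($innerExt -and ($DocumentExtensions -contains $innerExt) -and ($lastExt -ne $innerExt)) {
        $reasons += "document-style double extension ($innerExt$lastExt)"
    }
    # Content/extension mismatch: a PE image stored under a document extension.
    if ($isPe -and ($DocumentExtensions -contains $lastExt)) {
        $reasons += "PE header (MZ) under document extension $lastExt"
    }

    [PSCustomObject]@{
        Path       = $Path
        IsPE       = $isPe
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample files (not real malware): "MZ" followed by inert padding
# bytes is enough to trip the header check; the genuine PDF starts with "%PDF-".
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'masquerade-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$samples = [ordered]@{
    'Monthly Budget.pdf.exe' = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00)
    'Social Media Plan.pdf'  = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00)
    'Genuine Report.pdf'     = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4 constructed placeholder')
}
foreach ($entry in $samples.GetEnumerator()) {
    [System.IO.File]::WriteAllBytes((Join-Path $sampleDir $entry.Key), $entry.Value)
}

# Scan the directory and report only the files that tripped a check.
Get-ChildItem -Path $sampleDir -File |
    ForEach-Object { Test-MasqueradingExecutable -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Reasons -AutoSize
```

The header check matters because Windows Explorer hides known extensions by default, so "Monthly Budget.pdf.exe" is displayed as "Monthly Budget.pdf"; checking the bytes rather than the displayed name is what separates the two constructed lures from the genuine PDF. Point the final pipeline at a real Downloads or file-share path to use it outside the demo.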
References:
https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/
https://www.securityweek.com/meta-swiftly-neutralizes-new-nodestealer-malware/
https://duo.com/decipher/nodestealer-malware-targets-gmail-outlook-facebook-credentials
https://www.cyclonis.com/remove-nodestealer-malware/
https://www.pcrisk.com/removal-guides/26669-nodestealer-malware
Advisory ID: NCC-CSIRT-080523-021
Summary: Cybersecurity researchers from Elastic Security Labs discovered a new 'LOBSHOT' Malware distributed using Google ads in search results. The malware allows threat actors to stealthily take over infected Windows devices.
Vulnerable Platform(s): Google ads
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Windows Devices
Version: All Versions
Description: According to the researchers, threat actors distributed the LOBSHOT malware strains using an elaborate scheme of fake websites promoted through Google Ads. Users download what they believe to be legitimate installers for genuine software applications. Once the installer is initiated, the compromised system is backdoored (a feature or defect of a computer system that allows secret unauthorized access to data), and the malware is installed without the victim's knowledge.
The malware remains hidden on the compromised Windows devices, while still being capable of stealing sensitive information from the victim by using hidden Virtual Network Computing (hVNC).
Consequences: Full remote control of the compromised Windows devices.
Solution:
- Users should be careful of promoted Google ads.
- When online, always check on the website promoted by Google ads versus the legitimate website distributing genuine software.
References:
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
https://www.helpnetsecurity.com/2023/05/02/infostealer-hvnc/
https://www.pcrisk.com/internet-threat-news/26662-new-malware-granting-threat-actors-hidden-vnc-access
https://cybersecurityworldconference.com/2023/05/02/new-lobshot-hvnc-malware-spreads-via-google-ads/
Advisory ID: NCC-CSIRT-040523-020
Summary: A command injection vulnerability was identified in TP-Link Archer AX21 routers. A remote attacker could send a specially crafted request to the router to exploit the vulnerability and trigger remote code execution on the targeted system.
Vulnerable Platform(s): Firmware of TP-Link Router
Threat Type: Vulnerability
Product: TP-Link Archer AX21 Routers
Version: TP-Link Archer AX21 prior to 1.1.4 20230219
Description: TP-Link Archer AX21 firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability on a parameter of the web management interface. If the parameter is not sanitized prior to usage, it enables an unauthenticated attacker to insert commands.
Consequences: Remote code execution on the targeted routers
Impact/Probability: HIGH/HIGH
Solution:
- Users of the affected TP-Link Archer AX21 should update the firmware to the latest version.
- Download the firmware upgrade from the official TP-Link website for the region where the device was purchased.
References:
https://www.govcert.gov.hk/en/alerts_detail.php?id=1018
https://www.hkcert.org/security-bulletin/tp-link-router-remote-code-execution-vulnerability_20230426
https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware