[Some Interesting] Cloud ‘n Sec news: 03rd Jun 22

What’s worth your reading time

Cloud

Azure

Azure cost management & Billing rebranded

It will now be known as Microsoft Cost Management and includes an integrated way to monitor, manage, and optimize your Microsoft Cloud costs.

This adds to the cost management capabilities, which gained anomaly detection back in February.

Security

Threats

Threats for Windows Subsystem for Linux (WSL)

New attack forms against the Linux stack on Windows. This is not a novelty by any means, with the first such attack reported in 2021, but it is one to watch out for. As pointed out by BleepingComputer:

an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.

WSL-based malware samples discovered recently rely on open-source code that routes communication through the Telegram messaging service and gives the threat actor remote access to the compromised system.

More than 100 WSL malware samples have been seen by researchers since 2021, and this latest one acts as a RAT with capabilities including:

Additional functions in this variant include taking screenshots and grabbing user and system information (username, IP address, OS version), which helps the attacker determine what malware or utilities they can use in the next phase of the compromise.

The general recommendation for defending against WSL-based threats is to keep a close eye on system activity (e.g. with Sysmon) to identify suspicious behaviour and investigate the commands being run.
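To make that recommendation concrete, here is an added example (not code from the original post or from any vendor) that triages Sysmon process-creation records (Event ID 1) for WSL activity. The log lines are constructed, and the two heuristics are assumptions about how WSL-hosted tooling shows up on the Windows side: a Windows shell spawned by wsl.exe/bash.exe (the Linux side reaching back through interop, which a RAT would need to do for things like screenshots), and wsl.exe being launched by a parent that is not an interactive shell or the desktop.

```python
"""Triage Sysmon Event ID 1 (process creation) records for WSL activity.

Added example. Field names follow Sysmon's Event ID 1 schema (Image,
ParentImage, CommandLine, User); the sample events below are constructed
and the two detection heuristics are assumptions, not vendor signatures.
"""
import json
from pathlib import PureWindowsPath

# Windows-side binaries that front a WSL distribution.
WSL_HOSTS = {"wsl.exe", "wslhost.exe", "bash.exe"}

# Windows shells / script hosts; one of these spawned from a WSL host means
# the Linux side is calling back into Windows via interop (assumed indicator).
WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "mshta.exe", "wscript.exe", "cscript.exe"}

# Parents from which a user normally starts WSL (assumed allow-list; tune per fleet).
EXPECTED_WSL_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                        "powershell.exe", "pwsh.exe", "conhost.exe"}


def basename(image):
    """Lower-cased file name of a Windows path, '' if the field is missing."""
    return PureWindowsPath(image).name.lower()


def triage_event(event):
    """Return (rule, reason) findings for one Sysmon record; [] if nothing fires."""
    findings = []
    if event.get("EventID") != 1:
        return findings
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if parent in WSL_HOSTS and image in WINDOWS_SHELLS:
        findings.append(("wsl-interop-shell",
                         f"{image} spawned by {parent}: {event.get('CommandLine', '')}"))
    if image in WSL_HOSTS and parent not in EXPECTED_WSL_PARENTS:
        findings.append(("wsl-unusual-parent", f"{image} launched by {parent}"))
    return findings


def triage_log(lines):
    """Scan a JSON-lines Sysmon export; returns (record index, rule, reason) tuples."""
    results = []
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the sweep
        for rule, reason in triage_event(event):
            results.append((idx, rule, reason))
    return results


# Constructed sample export: one benign launch, one interop call-back,
# one WSL launch from an Office process, one network event, one bad line.
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "wsl.exe", "User": "LAB\\alice"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\wsl.exe",
                "CommandLine": "powershell.exe -NoProfile -Command Get-ComputerInfo",
                "User": "LAB\\alice"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": "wsl.exe -e bash -c id", "User": "LAB\\alice"}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\wsl.exe",
                "DestinationIp": "203.0.113.7"}),
    "not json",
]

if __name__ == "__main__":
    for idx, rule, reason in triage_log(SAMPLE_LOG):
        print(f"record {idx}: [{rule}] {reason}")
```

Only the second and third records fire; the explorer.exe launch is normal, and the Event ID 3 record is ignored because the rules are about process lineage, not network flows. In practice the parent allow-list is the part you tune, and every hit should be investigated by pulling the full command line rather than acted on blindly.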

Office 0day

Researchers found what appears to be a zero-day in Office. It leverages MSDT, a diagnostic tool, to load and execute code from a remote HTML file via PowerShell.

Newsletters reported:

The researchers say that depending on the payload, an attacker could use this exploit to reach remote locations on the victim’s network

This would allow an attacker to collect hashes of victim Windows machine passwords that are useful for further post-exploitation activity.

Some researchers made their findings public, including Gossi and Beaumont himself:

The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.

There is a lot to uncover here; read through the sources and you will have fun.

Mitigations have been announced and released by Microsoft.
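As an added example (not code from the original post or from the researchers quoted), the following scanner checks a .docx for the two indicators in the chain described above: a remote template declared as an external attachedTemplate relationship in word/_rels/settings.xml.rels, and, for the HTML that template points at, a reference to the ms-msdt: URI scheme. The document and the HTML pages are constructed in memory with placeholder content, and the fetch is a caller-supplied callable so the check runs offline against a mail-gateway or sandbox copy.

```python
"""Scan a .docx for the remote-template -> ms-msdt: chain.

Added example. The sample document is constructed in memory, the HTML
bodies are placeholders, and fetch() is injected so nothing touches the
network; the relationship type and rels path are the OOXML ones Word uses.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_templates(docx_bytes):
    """Return external attachedTemplate targets declared in the settings rels."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets  # no settings rels at all: nothing to declare a remote template
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target"))
    return targets


def html_uses_msdt(html):
    """True if the fetched template body references the ms-msdt: scheme."""
    return bool(MSDT_URI.search(html))


def assess(docx_bytes, fetch):
    """fetch(url) -> str. Returns the remote templates and which of them reach for MSDT."""
    targets = external_templates(docx_bytes)
    hits = [t for t in targets if html_uses_msdt(fetch(t))]
    return {"external_templates": targets, "msdt_templates": hits}


def build_sample_docx(template_url=None):
    """Construct a minimal .docx (placeholder parts) with an optional remote template."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")  # placeholder, not parsed here
        z.writestr("word/settings.xml", "<settings/>")  # placeholder, not parsed here
        z.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


# Constructed HTML bodies keyed by URL; .invalid is a reserved TLD, so nothing resolves.
SAMPLE_PAGES = {
    "https://example.invalid/template.html":
        '<html><script>location.href = "ms-msdt:PLACEHOLDER";</script></html>',
    "https://example.invalid/benign.html":
        "<html><body>ordinary template, nothing to see</body></html>",
}


def offline_fetch(url):
    """Stand-in for an HTTP fetch from a sandbox: returns '' for unknown URLs."""
    return SAMPLE_PAGES.get(url, "")


if __name__ == "__main__":
    for url in (None, "https://example.invalid/benign.html",
                "https://example.invalid/template.html"):
        print(url, "->", assess(build_sample_docx(url), offline_fetch))
```

A document with no external template is clean by the first check alone; one with a remote template is worth a look even when the fetched body is benign, because the server can serve different content later, which is why the result reports both lists separately.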

Attacking the Fun in RuneScape

Attackers are using phishing against RuneScape players to steal accounts and in-game bank PINs.

Well, if you're not making money out of something, think twice about putting time into it, right?

Attacks

Microsoft reports on attacks against Israeli organizations

According to Microsoft's report, the attack group is Lebanon-based and targeted Israeli organizations across industries such as critical manufacturing, IT, and Israel's defense industry.

The attack method, as per the report, is:

This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform.

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo

Thank you for reading and leave your thoughts/comments!

Andre Camillo

Cloud and Security technologies, Career, sometimes Music and Gaming easter eggs. Technical Specialist @Microsoft. Opinions are my own.