Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


“Log4Shell” update sees further problems caused

An alternative attack vector for the Log4j vulnerability has been discovered. This relies on a basic Javascript WebSocket connection to trigger remote code-execution (RCE) on servers locally via drive-by compromise. Essentially, this means that an exploit can affect services running as localhost in internal systems that are not exposed to any network.

The discovery belies the notion that Log4Shell attacks are limited to exposed vulnerable web servers. Researchers said: “This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability.”

This means there are several new malicious use cases for an exploit, beyond the ability to open a shell with a single line of code to drop malware on internet-facing web servers. Other new uses found include malvertising – which creates the opportunity for ‘drive-by attacks’.

WebSockets enables communication between a web browser and web applications, like chats and alerting on websites. They allow the browser to quickly send data back and forth to these types of apps, but they’re also used for host-fingerprinting and port-scanning.

Researchers added: “WebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request. They expect the server itself to validate the origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilisation.”

In the Log4j case, an attacker would make malicious requests via WebSockets to a potentially vulnerable local host or network server. The targets don’t have to be exposed to the internet.

The three steps a cyber criminal could follow are as follows:

  • From a watering-hole server with the affected “Log4j2” vulnerability installed, an attacker would trigger a file path URL from the browser with a WebSocket connection. A basic Javascript WebSocket connection can be used in the PoC, but it was noted that “this does not necessarily need to be a local host and WebSockets allows for connection to any IP and easily could iterate private IP space.”
  • As the page loads, it will initiate a local WebSocket connection, connect to the vulnerable listening server, and connect over an identified type of connection based on a Java Naming and Directory Interface (JNDI) connection string – a technique that’s similar to WebSockets’ local host port-scanning used for fingerprinting hosts.
  • Once the victim’s host connects to an open port on a local service or a service accessible to the host itself, an attacker can then drop an exploit string in path or parameters.

The bad news is that this is a stealthy approach. It can be difficult to gain deep visibility of this, which increases the complexity of detection of the attack. That’s as a result of WebSocket connections silently initiating when a webpage loads, with no direct control by the client itself. Researchers noted that there are ways to get around this – detect a possible attack by looking for instances of “.*/java.exe” being used as the parent process for “cmd.exe/powershell.exe.”

Businesses should make sure that they are set up to detect the presence of Cobalt Strike, TrickBot and related common attacker tools. To mitigate the risk completely, organisations should update all local development efforts, internal applications and internet-facing environments to Log4j 2.16 ASAP, including any custom applications.

In the meantime, users can implement egress filtering, which can restrict the callback required for the actual exploit to land, and can use tools like NoScript Java-blocker on untrusted external sites to avoid Javascript triggering WebSocket connections.

Researchers added: “This news does mean relying on web application firewalls, or other network defences is no longer an effective mitigation – patching remains the single most important step an organisation can take.”

If you’re unsure whether your business is at risk, it is worth checking that the software you use is up-to-date, and as a result, safe to use.

Malicious Exchange server module steals Outlook credentials

Neu Cyber Threats

Researchers have discovered a previously unknown malicious IIS module, dubbed Owowa, that steals credentials when users log into Microsoft Outlook Web Access (OWA). Internet Information Services (IIS),  Microsoft’s web server/hosting software suite, can be extended via various add-ons that are known as modules.

Like plug-ins for WordPress or Chrome extensions, IIS modules offer an attractive way to side-load malicious features into web-facing applications. In this case, Owowa infects Exchange servers, exposing Exchange’s OWA function. Beyond credential theft, it allows remote attackers to run commands on the underlying server and to establish a foothold for access to the broader network.

Researchers said: “It allows attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server. Its malicious capabilities can easily be launched by sending seemingly innocuous requests – such as OWA authentication requests.”

The module is stealthy and difficult to detect, and it offers persistence even in the face of software updates from Exchange. Researchers added: “The particular danger with Owowa is that an attacker can use the module to passively steal credentials from users who are legitimately accessing web services, this makes it a far stealthier way to gain remote access than sending phishing emails.

“In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools.”

The malicious module can be loaded by a cyber attacker that has initial access to the server environment perhaps by exploiting the ProxyLogon or ProxyShell vulnerabilities. Once installed, the module monitors HTTP requests and responses for OWA traffic by completing the “PreSendRequestContent” event. When an OWA authentication request is made, it springs into action, first checking that the login attempt was successful by checking that the OWA application is sending an authentication token back to the user. If that’s the case, the username, password, user’s IP address and current timestamp are stored in a file and encoded with RSA encryption.

Cyber criminals can interact with Owowa and exfiltrate the harvested logins by entering specially crafted commands into the username and password fields in the OWA log-in page of the compromised server. Owowa was compiled between late 2020 and April 2021, giving attackers the ability to gain access to registered email accounts and execute arbitrary code. The module has been used since then to target government and public-sector victims, among others.

Researchers could not link Owowa to any specific threat actor, although it is believed the operator is unlikely to be an advanced persistent threat (APT) despite the victimology and obvious goal of espionage. This is due to the development showing some rookie errors.

Its creators ignored explicit warnings from Microsoft regarding several risky development practices for HTTP modules, which could result in server crashes – alerting admins to the presence of Owowa. Additionally, sensitive information on the development environment has been left behind, making it clearly visible in publicly available samples.

Researchers added: “The good news is the attackers don’t appear to be highly sophisticated. Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly.”

To defend against the threat, researchers recommend that businesses follow the below advice:

  • Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS server suite. Malicious IIS modules, and Owowa in particular, can be identified by using the command “appcmd.exe” or the IIS configuration tool, which lists all the loaded modules on a given IIS server.
  • Check for such modules as part of regular threat-hunting activities, and every time a major vulnerability is announced on Microsoft server products.
  • Focus the defence strategy on detecting lateral movement and data exfiltration to the internet, paying special attention to outgoing traffic to detect cyber criminal connections.
  • Back up data regularly and make sure it can be quickly accessed in an emergency.

Malicious app malware plagues Google Play Store

Joker malware has returned to the Google Play Store – this time being spotted in a mobile application called Colour Message. The app was downloaded over half a million times before being removed from the application store. Users should immediately delete the affected app from their devices to avoid being defrauded, researchers have warned.

Joker is a persistent threat that’s been around since 2017, hiding itself within legitimate-seeming, common application types like games, messengers, photo editors, translators and wallpapers, many of them aimed at children. Once installed, Joker apps subscribe victims to unwanted, paid premium services that are controlled by the attackers – this is a type of billing fraud that is known as fleeceware.

In the worst case scenario, the applications also exfiltrate contact lists and device information and, critically, they can hide their icons from the home screen – which is the case with Colour Message, as well as it connecting to Russian servers.

Interestingly, the app has 1,800+ reviews, with an average rating of four stars – though more recent reviews seemed more truthful. Researchers said: “The application’s very concise terms and conditions are hosted on an unbranded one-page blog and do not disclose the extent of the actions the app can perform on users’ devices. One of the victims has even tried reaching out to the application’s developer through the comment section of the legal page, while other users are directly complaining about the fraud in the comment section of the app on the store.”

Malicious Joker apps are commonly found outside of the official Google Play store, but they’ve continued to skirt around the protections of the Google Play Store. One of the ways Joker does this is through lightweight development and constant code tinkering, as researchers admit: “By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect.”

As a result of all this trickery, there have been on-and-off infestations of Joker inside the official Google Play Store, which includes two massive onslaughts in 2020. There is good news for Android users, though, as more than 1,800 Android applications infected with Joker have been removed from the Google Play store over the last four years.

Neuways advises users to be aware of the apps that not only themselves, but their immediate families are downloading. Not only should users not use unofficial app stores, but they must be aware of the possibilities that an application they download, could be stealing their data or, worse still, remaining dormant and causing long-term data confidentiality issues.

New spyware discovered by researchers

A new spyware has been tracked by researchers, who have dubbed it “PseudoManuscrypt”. It has targeted 35,000 computers in over 195 countries, making it a truly global threat.

Kaspersky researchers said that from 20th January 2021 to 10th November 2021, the cyber criminals behind the campaign were targeting government organisations and industrial control systems (ICS) across a range of industries, including engineering, building automation, energy, manufacturing, construction, utilities and water management. At least 7.2% of all attacked computers are part of this group.

Manuscrypt, aka NukeSped, is a family of malware tools that have been used in espionage campaigns in the past. An example of this was a February spear-phishing campaign linked to a prolific North Korean APT, Lazarus, that used the Manuscrypt malware family’s ‘ThreatNeedle’ tool to attack companies. The operators behind PseudoManuscrypt are using fake pirated software installer archives to initially download the spyware onto the systems targeted.

Researchers noted that the fake installers are for “ICS-specific software, such as an application designed to create a MODBUS Master Device to receive data from a PLC [programmable logic controller], as well as more general-purpose software, which is used on OT networks, such as a key generator for a SolarWinds tool for network engineers and systems administrators.”

Researchers suspect that threat actors are getting the fake installers from a malware-as-a-service (MaaS) platform, that is providing them to operators of multiple malicious campaigns, not just this widely dispersed PseudoManuscrypt campaign. However, Kaspersky also found listings for fake installers, discovered via a Google search.

Kaspersky outlined two variants of the module, both of which are outfitted with advanced spyware capabilities. One version rode in via the infamous Glupteba botnet: a hard to remove, 1 million-strong botnet of compromised Windows and internet of things (IoT) devices that Google’s Threat Analysis Group (TAG) disrupted earlier this month. The tie-in with Glupteba is a clue that PseudoManuscrypt’s could have originated on a MaaS platform, given that the botnet’s main installer “is also distributed via the pirated software installer distribution platform.”

PseudoManuscrypt’s main module has a full tool kit for spying, giving it the ability to:

  • Steal VPN connection data
  • Log keystrokes
  • Grab screenshots and take screen videos
  • Use a system’s microphone to eavesdrop and record sound
  • Filch clipboard data
  • Steal OS event log data – which also makes it possible to steal Remote Desktop Protocol (RDP) authentication data.

Researchers added: “Essentially, the functionality of PseudoManuscrypt provides the attackers with virtually full control of the infected system.” Kasperskiy’s ICS-CERT team first detected the PseudoManuscrypt series of attacks in June, when the malware triggered anti-virus detection designed to spot Lazarus activity. It was via this method that Kaspersky subsequently found similarities between the new PseudoManuscrypt and Lazarus’s Manuscrypt malware.

The PseudoManuscrypt malware loads its payload from the system registry and decrypts it, researchers explained, with the payload using a registry location that’s unique to each infected system. Researchers said: “Both malicious programs load a payload from the system registry and decrypt it; in both cases, a special value in the CLSID format is used to determine the payload’s location in the registry – the executable files of both malicious programs have virtually identical export tables.”

This news is obviously concerning, and Neuways advises users to be aware of any received communications. One slip-up and a successful installation could cause no end of problems for businesses, with cyber criminals clearly possessing the ability to watch their activities, and as a result, exploit companies through the exfiltration of company data and information.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.