Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware including Ransomware and DDoS, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

 

A very dangerous 0-day exploit for Microsoft Office (CVE-2022-30190 aka Follina)

A very dangerous 0-day exploit for Microsoft Office (CVE-2022-30190 aka Follina) was announced earlier this week.

This is a 0-day attack that sprung up out of nowhere, and there’s currently no patch available. It affects all versions of MS Office.

Detonating this malicious code is as simple as opening up an infected Word document —even in preview mode and with Macros disabled.

We strongly advise you don’t click on any attachments you are not expecting to receive!

Further (technical) details can be found here:

We continue to monitor the situation and will provide further guidance/updates as necessary.

New Zoom vulnerability could allow attackers in by just sending a message

The video conferencing application Zoom has had several vulnerabilities resolved in the past. As a result of this, this has allowed attackers to utilise a ‘Downgrade attack’. To allow the running of arbitrary code, this could provide access to all conference members during this call.

There are four current known vulnerabilities which are:

  • CVE-2022-22784 (CVSS score: 8.1) – Improper XML Parsing in Zoom Client for Meetings
  • CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
  • CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
  • CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings

Users of Zoom are strongly advised to update to the latest version (5.10.0) if not already. This patch has mitigated the potential threats arising from the active exploitation of the flaws.

Malicious keylogger “snake” is being spread through PDF documents

Attackers are utilising a 22-year-old Office Remote Code Execution bug. The attack works on a phishing attempt with an attached PDF file that, if clicked on, the user is prompted to open a .docx (Word Document) file. This .docx file then connects to a website to download a Rich Text File document called ‘f_document_shp.doc’.

This document exploits a vulnerability over four years old remote code execution (RCE) using Equation Editor. This is an application installed by default with an office suite used to insert and edit complex equations.

The final stage of the attack runs code that is disguised from the user and encrypted to avoid discovery. This code is then decrypted and run in the keylogger called fresh.exe.

This process sends all your credentials, data and other sensitive information back to the attacker in plain text.

Because of this vulnerability, we strongly advise that all users stay up to date with security patches issued by Microsoft. We also recommend educating your staff about phishing emails and cyber attacks and what to do if/when they receive one.

Cyber attack targeting the Port of London Authority website

The port of London Authority was targeted by a DDoS attack which is believed to be politically motivated.

The group ALtahrea Team have claimed responsibility for the attack on the website, tweeting about how the attack was politically motivated and claiming responsibility. The episode is believed to have taken place on the 24th of May 2022 and resulted in the website being inaccessible for the duration of the attack.

The website is now back online and is utilising a DDoS protection wall to mitigate further attacks.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.