JPCERT warns of new ‘MalDoc in PDF’ attack technique

SISA Weekly Threat Watch - 04 September 2023

The digital threat landscape has seen an increase in sophisticated attacks and unique approaches used by threat actors in the last week. Recent developments, such as the Lazarus Group’s Zoho ManageEngine attack and the emergence of Flax Typhoon, as well as Kroll’s data breach, the “MalDoc in PDF” technique, and critical Juniper Junos OS flaws, demonstrate threat actors’ ingenuity. As threat actors’ strategies evolve, so does the need for vigilance and proactive defense against ever-changing cyber threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection

Microsoft discovered a new hacking group it is now tracking as Flax Typhoon, which targets enterprises in education, critical manufacturing, and information technology with the likely intention of espionage. Flax Typhoon initially obtained access by exploiting known security flaws in public-facing servers, including VPN, web, Java, and SQL applications. The attackers then dropped China Chopper, a small (4 KB) yet potent web shell capable of remote code execution.

Once inside a network, Flax Typhoon operators use command-line tools to establish persistent access over the Remote Desktop Protocol and deploy a VPN connection to actor-controlled network infrastructure in order to collect credentials from compromised systems. The hackers use Windows Remote Management (WinRM), WMIC, and other LOLBins for lateral movement. To stay protected, it is recommended to apply the latest security updates to internet-exposed endpoints and public-facing servers, and to enable multi-factor authentication (MFA) on all accounts. Additionally, ensure that Windows systems are kept updated with the latest security patches.

2. Lazarus Group exploits Zoho ManageEngine flaw, deploys QuiteRAT malware

The Lazarus Group leveraged a critical security vulnerability in Zoho ManageEngine ServiceDesk Plus, tracked as CVE-2022-47966. The exploitation occurred only five days after a proof-of-concept for the flaw appeared online. The attackers used this flaw to deploy the QuiteRAT binary directly from a malicious URL. QuiteRAT is a sophisticated malware developed on the Qt framework, which adds to the complexity of its code and makes analysis considerably more challenging.

Researchers noted a significant shift in the Lazarus Group’s approach. Instead of reserving open-source tools for post-compromise activity, they now increasingly rely on open-source tools and frameworks even during the initial access phase of their operations. Historically, the Lazarus Group favored custom-built implants such as MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access on compromised systems. Organizations need to remain vigilant, keeping their systems patched and adopting proactive detection and defense mechanisms to counter such advanced persistent threats.

3. Kroll suffers data breach after SIM swapping attack

Major risk and financial advisory firm, Kroll, has confirmed that certain files with personal data belonging to the bankruptcy credit claimants of BlockFi, FTX, and Genesis Global Holdco have been compromised following a successful SIM swapping attack against one of its employees. While normally a harmless practice, SIM swapping (also known as SIM splitting or simjacking) could be used by threat actors to fraudulently activate a SIM card in their possession with a victim’s phone number. This enables the interception of voice calls, SMS messages, and MFA-related messages that manage access to online accounts.

The incident, which took place on August 19, 2023, targeted the employee’s T-Mobile account. T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request. The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) has urged telecommunications providers to employ stronger security protocols to prevent SIM swapping by providing options for customers to lock their accounts and enforcing stringent identity verification checks. To avoid falling victim to such attacks, use Port Freeze or Number Lock to protect your mobile number and use mobile apps and services that support two-factor biometrics.

4. Polyglot deception: Malicious Word documents concealed in PDF files

Japan’s computer emergency response team (JPCERT) has discovered a new cyberattack method called “MalDoc in PDF.” In this technique, malicious Word documents are embedded inside PDF files, creating a “polyglot.” Scanning tools and applications, which typically recognize and treat the file as a PDF, are tricked into ignoring the malicious Word document concealed within.

When a user opens the file in a Microsoft Office application, however, the Word document becomes accessible. This document contains a Visual Basic Script (VBS) macro designed to trigger the download and installation of an MSI malware file upon opening. One of the primary advantages of this technique is its ability to bypass traditional PDF analysis tools, which examine only the outer layer of the file. This makes the malicious code embedded within the Word document largely invisible to standard scanning processes. To protect your systems, it is recommended to use multiple layers of security tools, ensure that Microsoft Office settings are configured to disable the auto-execution of macros, and educate users about the risks of opening untrusted files.
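As an added example (not JPCERT’s or SISA’s material), a Python triage check for the polyglot described above: it flags a file that carries the PDF magic but also contains Word, MHTML or VBA markers, or has data appended after the final `%%EOF`. The sample bytes are constructed for the demonstration, not taken from a real sample.

```python
import re

# Constructed sample: a minimal PDF with an MHTML-flavoured Word document
# appended after the PDF trailer (the shape of the polyglot described above).
SAMPLE_POLYGLOT = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"x\"\n"
    b"--x\nContent-Type: text/html\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
    b"<w:WordDocument></w:WordDocument></html>\n"
)
# Constructed clean PDF for comparison.
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF\n"

# Byte signatures of Word content that have no business inside a plain PDF.
WORD_MARKERS = {
    "ole2_compound_file": re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    "mhtml_header": re.compile(rb"MIME-Version:\s*1\.0", re.I),
    "word_mhtml_namespace": re.compile(rb"urn:schemas-microsoft-com:office:word"),
    "ooxml_word_part": re.compile(rb"word/(document|vbaProject)\.xml|vbaProject\.bin"),
    "vba_macro_text": re.compile(rb"\bAuto_?Open\b|\bDocument_Open\b", re.I),
}

def is_pdf(data: bytes) -> bool:
    """Readers accept the PDF magic anywhere in the first 1024 bytes."""
    return b"%PDF-" in data[:1024]

def find_word_markers(data: bytes) -> list:
    """Names of Word/MHTML/VBA markers present anywhere in the byte stream."""
    return [name for name, rx in WORD_MARKERS.items() if rx.search(data)]

def trailing_bytes_after_eof(data: bytes) -> int:
    """Bytes following the last %%EOF (ignoring line endings); appended payloads show up here."""
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return len(data)
    return len(data[idx + len(b"%%EOF"):].strip(b"\r\n\t "))

def classify(data: bytes) -> str:
    """Verdict string a triage pipeline can route on."""
    if not is_pdf(data):
        return "not-pdf"
    hits = find_word_markers(data)
    if hits or trailing_bytes_after_eof(data) > 0:
        return "suspect-maldoc-in-pdf: " + ",".join(hits or ["trailing-data"])
    return "pdf"
```

A hit is a reason to run the file through a Word-aware macro scanner rather than a verdict on its own, since legitimate PDFs can carry incremental updates after an earlier `%%EOF`.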

5. Juniper Junos OS flaws expose devices to remote attacks

Juniper Networks, a networking hardware firm, recently released an “out-of-cycle” security update to fix several bugs in the J-Web part of Junos OS that when combined allow remote code execution on vulnerable installations. Multiple reports now claim that these Juniper firewall security flaws are currently being actively exploited in the wild. The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity.

By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. To exploit the flaws, a threat actor could send a specially crafted request to modify specific PHP environment variables or upload an arbitrary file via J-Web without any authentication. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests that users either disable J-Web or limit access to only trusted hosts.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
