Windows 11 Default Feature Could Allow the Inception of No-Code Malware

Michael Bargury, the co-founder and CTO of Zenity.io, presented "No-Code Malware: Windows 11 At Your Service" at DEFCON 30, which immediately caught the attention of CTIX analysts. Bargury explained a feature included by default in Windows 11 called "Power Automate", which is robotic process automation (RPA) software that allows users to automate tedious processes. In essence, Power Automate can be used to power malware operations. This is done by building custom scripts through Microsoft, which "ensures they are distributed to all user machines or Office Cloud, executed successfully and reports back to the cloud." Bargury demonstrated this by registering a victim machine to his own Azure Active Directory tenant. He then showed the process of creating a flow by triggering it from the cloud, setting up a connection to the end-user machine, and distributing a payload.

The researcher began demonstrating the power of this method with a simple example: exfiltrating data to the cloud. He did this in three (3) simple steps: checking whether the desired file exists, reading the text from the file, and storing it in the cloud. This is conducted without writing any code; instead it uses a block coding system similar to Scratch. In the next example, Bargury demonstrated how code execution is possible through Power Automate. There were some issues with this, however, as Windows Defender Antivirus identified the code execution attempt and prevented it. This was because the script left the trusted Power Automate platform to run commands through the untrusted command prompt. With that said, there are many features of Power Automate that could be exploited within the trusted environment. The example Bargury provided is a no-code ransomware that encrypts files with AES using a custom key. While these types of attacks leave traces such as log data on the victim machine, Power Automate can also be leveraged by the threat actor to clean up after themselves. Bargury developed a framework dubbed "Power Pwn" which assists red teams in conducting these attacks. Additional details can be found in Michael Bargury's GitHub, and a video of the talk will be posted on YouTube in the coming weeks. CTIX analysts recommend that defenders become familiar with RPA tools such as Power Automate and their potential for malicious use in order to better defend against attacks abusing RPA software.

Russia/Ukraine Conflict: Cyberwar Rages On

During DEFCON 30, CTIX analysts observed a presentation from security specialist Kenneth Geers on the escalation of the Russia/Ukraine war and how threat actors are escalating their attacks against Ukraine and those assisting the country. Since the February invasion of Ukraine, there have been over 300 confirmed cyberattacks, with no sign of slowing down in the coming months. Geers highlighted how threat actors have continuously targeted Ukrainian assets through relentless cyberattacks against communications systems, exploitation of power grids, compromise of financial institutions, and mass text campaigns with the goal of striking fear into the Ukrainian population. While the invasion of Ukraine sparked the start of the conflict, these attacks have been observed for several years prior. In 2015, Russian threat actors targeted a section of the Ukrainian power grid and knocked out power services for around six (6) hours; this was followed by a similar attack a year later. Other instances show significant use of distributed denial-of-service (DDoS) attacks against Ukrainian government websites, ATMs, banks, and several other critical assets to instill panic in Ukrainian citizens. While the Russia/Ukraine conflict has shaken the world on the battlefield, Geers stated: "We have seen attacks in every domain: military, political, diplomatic, business, critical infrastructure, social media, etc." CTIX continues to monitor the Russia/Ukraine conflict and will advise on future cyber threats and developments as they become available.

Critical Vulnerability in macOS Zoom Installer Allows for Escalation of Local Privileges

While attending the DEFCON 30 hacking and cybersecurity conference, CTIX analysts had the privilege of attending a talk given by macOS security researcher Patrick Wardle. The talk, titled "You're Muted and Rooted," detailed the successful exploitation of a macOS auto-update security vulnerability within the popular Zoom video conferencing application.