
APT29 Exploits Dual Vulnerabilities, While Rhadamanthys Malware Evolves its Threat Arsenal



In recent revelations, Akamai security researcher Ben Barnea has shed light on two previously patched vulnerabilities in Microsoft Windows that, when chained together, allow an attacker to achieve remote code execution in the Outlook client without any user interaction (a zero-click attack).

The Vulnerabilities in Question:

  • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
  • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has drawn particular attention because it is the second bypass of Microsoft's fix for CVE-2023-23397, the Outlook privilege-escalation flaw that the Russian threat actor APT29 is reported to have exploited in the wild to gain unauthorized access to victims' accounts on Exchange servers.

Technical Insight: How the Exploits Work

CVE-2023-35384 is a security feature bypass in the MSHTML platform, triggered when a path is classified through the MapUrlToZone function: a crafted path is mapped to a lower (less restricted) zone than the location it actually resolves to once the file APIs open it.

This lets an attacker make the client treat a remote location as belonging to a less restricted Internet Security Zone, so Outlook reaches out to an attacker-controlled server over SMB and leaks the user's NTLM credentials (a Net-NTLM hash) to it.
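To make the zone-mapping point concrete, here is an added Python illustration. It is not Akamai's code and it does not reproduce the exact path shape CVE-2023-35384 uses (the article does not describe it); it shows the bug class: a zone check that parses a path one way while the file APIs resolve it another way. naive_zone, strict_zone, normalize_windows_path, the plain-hostname rule and the sample reminder records are all constructed for the example. PidLidReminderFileParameter is the Outlook reminder sound-file property exploited by the earlier CVE-2023-23397; it is used here as the field being scanned.

```python
import re

# Zone values follow urlmon's URLZONE enumeration (0 = local machine, 1 = intranet, 3 = internet).
URLZONE_LOCAL_MACHINE = 0
URLZONE_INTRANET = 1
URLZONE_INTERNET = 3

# Device-path prefixes that the Windows file APIs treat as a UNC path to a remote server.
_UNC_DEVICE_PREFIX = re.compile(r"^\\\\[?.]\\UNC\\", re.IGNORECASE)


def zone_for_host(host: str) -> int:
    """Plain-hostname rule: a dotless name is intranet, anything with a dot (FQDN or IP) is internet."""
    return URLZONE_INTRANET if "." not in host else URLZONE_INTERNET


def naive_zone(path: str) -> int:
    """Illustrative weak check: only a literal leading double backslash counts as remote.
    This is the shape of check that a path-parsing bypass targets (constructed, not MapUrlToZone)."""
    if path.startswith("\\\\"):
        host = path[2:].split("\\", 1)[0]
        return zone_for_host(host)
    return URLZONE_LOCAL_MACHINE


def normalize_windows_path(path: str) -> str:
    """Canonicalize the path the way the file APIs will actually interpret it before zoning it."""
    p = path.replace("/", "\\")                         # forward slashes are accepted as separators
    p = _UNC_DEVICE_PREFIX.sub(lambda _m: "\\\\", p)    # \\?\UNC\host\share -> \\host\share
    if p.startswith("\\\\"):
        p = "\\\\" + p[2:].lstrip("\\")                 # collapse runs of leading separators
    return p


def strict_zone(path: str) -> int:
    """Zone the canonical form, so the check and the file open agree on what 'remote' means."""
    return naive_zone(normalize_windows_path(path))


def flag_remote_reminder_sounds(reminders):
    """Return (subject, path, zone) for every reminder whose sound file resolves off the local machine."""
    flagged = []
    for r in reminders:
        path = r.get("PidLidReminderFileParameter") or ""
        if not path:
            continue
        zone = strict_zone(path)
        if zone != URLZONE_LOCAL_MACHINE:
            flagged.append((r["subject"], path, zone))
    return flagged


# Constructed sample items, not taken from a real mailbox. 203.0.113.10 is a documentation address.
SAMPLE_REMINDERS = [
    {"subject": "Team sync", "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Q4 review", "PidLidReminderFileParameter": r"\\203.0.113.10\share\reminder.wav"},
    {"subject": "Dentist", "PidLidReminderFileParameter": r"//203.0.113.10/share/reminder.wav"},
    {"subject": "Invoice", "PidLidReminderFileParameter": r"\\?\UNC\203.0.113.10\share\reminder.wav"},
    {"subject": "Lunch", "PidLidReminderFileParameter": None},
]

if __name__ == "__main__":
    for subject, path, zone in flag_remote_reminder_sounds(SAMPLE_REMINDERS):
        print(f"{subject}: {path} -> zone {zone} (naive check said {naive_zone(path)})")
```

The forward-slash and `\\?\UNC\` forms both slip past the naive check (local machine and intranet respectively) yet open a remote share, which is exactly the kind of disagreement a bypass exploits. When hunting for abuse, zone the canonical path, and treat anything that is not local as an NTLM-leak candidate regardless of whether it lands in intranet or internet.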

This flaw can be chained with CVE-2023-36710, which affects the Audio Compression Manager (ACM) component. It stems from an integer overflow that occurs when a WAV file is played, specifically when the stream uses the IMA ADPCM codec.

Barnea notes that triggering the overflow requires a WAV file of roughly 1.8 GB. That size makes the bug awkward to exploit on its own, but in the chain above the file is the sound file Outlook fetches from the attacker's server and plays automatically once the zone check is bypassed, so the user never has to open anything.
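As an added illustration of the bug class (not the Windows ACM code, which the article does not show), the Python below parses the fmt chunk of an IMA ADPCM WAV header and then computes the decoded PCM size two ways: as a 32-bit decoder would with unchecked arithmetic, and with an explicit bound check. The header, the 0x70000000-byte (about 1.8 GB) data size and the exact multiplication are constructed assumptions that match the order of magnitude Barnea mentions; only the header bytes are built, so the example runs without allocating a real 1.8 GB file.

```python
import struct

WAVE_FORMAT_IMA_ADPCM = 0x0011   # wFormatTag for IMA/DVI ADPCM
U32_MAX = 0xFFFFFFFF
_FMT_IMA = "<HHIIHHHH"           # WAVEFORMATEX (18 bytes) followed by wSamplesPerBlock (2 bytes)


def build_ima_adpcm_header(data_size, channels=1, rate=44100, block_align=1024, samples_per_block=2041):
    """Constructed RIFF/WAVE header for an IMA ADPCM stream. Only the header is produced;
    the data chunk body is deliberately absent, so a huge data_size costs nothing to build."""
    avg_bytes = rate * block_align // samples_per_block
    fmt = struct.pack(_FMT_IMA, WAVE_FORMAT_IMA_ADPCM, channels, rate, avg_bytes,
                      block_align, 4, 2, samples_per_block)
    riff_size = (4 + 8 + len(fmt) + 8 + data_size) & U32_MAX
    return (b"RIFF" + struct.pack("<I", riff_size) + b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", data_size & U32_MAX))


def parse_ima_adpcm_header(buf):
    """Walk the RIFF chunks and return the fmt fields plus the declared data size."""
    if buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos, fmt, data_size = 12, None, None
    while pos + 8 <= len(buf):
        chunk_id = buf[pos:pos + 4]
        chunk_size = struct.unpack_from("<I", buf, pos + 4)[0]
        body = pos + 8
        if chunk_id == b"fmt ":
            need = struct.calcsize(_FMT_IMA)
            if chunk_size < need or body + need > len(buf):
                raise ValueError("fmt chunk too short for IMA ADPCM")
            tag, ch, rate, _avg, align, bits, _cb, spb = struct.unpack_from(_FMT_IMA, buf, body)
            if tag != WAVE_FORMAT_IMA_ADPCM or bits != 4:
                raise ValueError("not 4-bit IMA ADPCM")
            if align == 0 or ch == 0:
                raise ValueError("zero block align or channel count")
            fmt = {"channels": ch, "rate": rate, "block_align": align, "samples_per_block": spb}
        elif chunk_id == b"data":
            data_size = chunk_size
            break                                       # the body need not be present in the sample
        pos = body + chunk_size + (chunk_size & 1)      # chunks are word-aligned
    if fmt is None or data_size is None:
        raise ValueError("missing fmt or data chunk")
    return fmt, data_size


def pcm_bytes_32bit(fmt, data_size):
    """Unchecked arithmetic as a 32-bit decoder would do it: each product wraps modulo 2**32
    (an illustration of the bug class, not ACM's actual computation)."""
    blocks = data_size // fmt["block_align"]
    samples = (blocks * fmt["samples_per_block"]) & U32_MAX
    return (samples * fmt["channels"] * 2) & U32_MAX    # 16-bit PCM output, 2 bytes per sample


def pcm_bytes_checked(fmt, data_size):
    """Same computation, but refuse any result that cannot be represented in 32 bits."""
    blocks = data_size // fmt["block_align"]
    total = blocks * fmt["samples_per_block"] * fmt["channels"] * 2
    if total > U32_MAX:
        raise OverflowError(f"decoded size {total} exceeds the 32-bit allocation limit")
    return total


def analyze(buf):
    """Compare the wrapped and exact decoded sizes for a header; overflow means an undersized buffer."""
    fmt, data_size = parse_ima_adpcm_header(buf)
    wrapped = pcm_bytes_32bit(fmt, data_size)
    try:
        exact = pcm_bytes_checked(fmt, data_size)
        return {"data_size": data_size, "wrapped": wrapped, "exact": exact, "overflow": False}
    except OverflowError:
        return {"data_size": data_size, "wrapped": wrapped, "exact": None, "overflow": True}


if __name__ == "__main__":
    print(analyze(build_ima_adpcm_header(10240)))          # small file: both sizes agree
    print(analyze(build_ima_adpcm_header(0x70000000)))     # ~1.8 GB: wrapped size is far too small
```

With the small file both computations agree on 40,820 bytes. With the 0x70000000-byte data chunk the true output is about 7.5 GB, but the 32-bit version wraps to 3,195,535,360 bytes, so a decoder that allocated on the wrapped value and then decoded the whole stream would write past its buffer. The checked version refuses the file before any allocation happens.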

Evolution of Rhadamanthys Malware: A Deeper Dive into its Threat Landscape

In a recent analysis, cybersecurity experts at Check Point have uncovered that the developers behind the information stealer malware, Rhadamanthys, are actively enhancing its capabilities, expanding its information-gathering prowess, and introducing a plugin system for increased customization.

Dynamic Enhancements for Targeted Threats

This plugin approach not only lets Rhadamanthys be tailored to a given distributor's needs but also amplifies its potency, as Check Point emphasizes in its technical deep-dive report.

This evolution aligns with a broader trend in the malware landscape, where adaptability and a strong brand are becoming pivotal factors.

Feature Set

The malware, now at version 0.5.2, showcases an advanced feature set. Versions 0.5.0 and 0.5.1 introduce a new plugin system, making Rhadamanthys akin to a Swiss Army knife. 

This modularization allows malicious actors to customize the malware, deploying additional tools tailored to their specific targets.

Powerful Capabilities

Rhadamanthys includes both active and passive components. The active components can open processes and inject payloads, facilitating information theft, while passive components search and parse specific files to retrieve saved credentials. 

A Lua script runner is used to load up to 100 Lua scripts, each harvesting data from a particular source: cryptocurrency wallets, email clients, FTP clients, note-taking apps, instant messengers, VPN clients, two-factor authentication apps, and password managers.

What is the Forward Step?

Check Point researcher hasherezade comments on the evolving nature of Rhadamanthys, stating,

“The added features, such as a keylogger, and collecting information about the system, are also a step towards making it a general-purpose spyware.” 

This emphasizes the malware’s progression from a simple stealer to a multifaceted threat with a broader espionage capability.

For the Outlook chain, Akamai recommends micro-segmentation that blocks outgoing SMB connections (TCP 445) to remote public IP addresses, which stops the NTLM leak even when the zone check is bypassed.

Disabling NTLM, or adding users to the Protected Users security group (whose members cannot authenticate with NTLM), is also recommended so that a forced outbound connection cannot yield a usable credential.
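As an added example (not Akamai's guidance verbatim), the Python below turns the first recommendation into a check a defender can run: it reads firewall-style connection records and reports SMB flows (TCP 445 or 139) to destinations outside the organization's own address ranges, which is precisely the traffic the micro-segmentation rule should deny. The log format, the INTERNAL_NETWORKS list and every address in SAMPLE_LOG are constructed for the example; adjust the ranges to your network.

```python
import ipaddress
import re

SMB_PORTS = {445, 139}

# Ranges treated as 'inside'; any other destination is a remote public address. Constructed default.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed key=value log format, in the style many firewalls emit.
_LINE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_line(line: str):
    """Parse one record into a dict, or return None for lines that do not match the format."""
    m = _LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def smb_egress_violations(lines):
    """Return records for TCP SMB connections to non-internal destinations, whether allowed or denied."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(lines):
    """Group violations by (src, dst) and record whether any of them got through the firewall."""
    summary = {}
    for rec in smb_egress_violations(lines):
        key = (rec["src"], rec["dst"])
        entry = summary.setdefault(key, {"count": 0, "allowed": False})
        entry["count"] += 1
        if rec["action"].lower() == "allow":
            entry["allowed"] = True
    return summary


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public hosts.
SAMPLE_LOG = [
    "ts=2023-12-19T10:01:02Z src=10.1.2.34:51122 dst=10.1.0.5:445 proto=tcp action=allow",
    "ts=2023-12-19T10:01:05Z src=10.1.2.34:51123 dst=203.0.113.10:445 proto=tcp action=allow",
    "ts=2023-12-19T10:01:06Z src=10.1.2.34:51124 dst=203.0.113.10:445 proto=tcp action=allow",
    "ts=2023-12-19T10:02:11Z src=10.1.2.40:51300 dst=198.51.100.7:139 proto=tcp action=deny",
    "ts=2023-12-19T10:02:30Z src=10.1.2.40:51301 dst=198.51.100.7:443 proto=tcp action=allow",
    "ts=2023-12-19T10:03:00Z src=10.1.2.50:51400 dst=203.0.113.10:445 proto=udp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for (src, dst), info in summarize(SAMPLE_LOG).items():
        state = "ALLOWED - credential may have leaked" if info["allowed"] else "denied by policy"
        print(f"{src} -> {dst}: {info['count']} SMB connection(s), {state}")
```

An allowed hit is the important one: it means a host reached an external SMB server and, if that host was running Outlook against an attacker-controlled path, its NTLM credential is presumed leaked and should be rotated. Denied hits confirm the segmentation rule is doing its job but still point at the client that tried to connect.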

In light of these revelations, organizations are urged to stay vigilant, implement the necessary mitigations, and consider the broader implications of these vulnerabilities on their cybersecurity posture. 

Author: Anas Hasan

Published: December 20, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
