CWN #19 - 2023 Week 51
This week's stories: malicious OAuth apps, too much fuss about the AutoSpill vulnerability, SMTP smuggling, a new RCE in Outlook...
Abuse of OAuth applications
Microsoft has shed light on the increasing exploitation of OAuth applications by threat actors (specifically Storm-186 and Storm-183) to automate financially driven attacks, leveraging compromised user accounts to create, modify, and grant high privileges to these applications. The reported malicious activities range from business email compromise (BEC) and phishing to cryptocurrency mining.
Vulnerabilities and Impact
This misuse of OAuth applications poses significant risks because they allow easy persistence even if the threat actor loses access to the initially compromised account, and these app permissions are rarely monitored or reviewed. The financial impact on targeted organizations can range from thousands to millions of dollars.
A few common vulnerabilities in OAuth applications:
- Improper implementation of the Implicit Grant type and Scope validation: This can lead to direct unauthorized access to user data.
- Misconfigured CSRF Protection: Inadequate Cross-Site Request Forgery (CSRF) protection can be exploited to perform unauthorized actions on behalf of the user.
- Leaking Authorization Codes and Access Tokens: Codes and tokens can be exploited to access other resources.
Mitigation & Detection
To mitigate the risks associated with the misuse of OAuth applications, Microsoft recommends the following:
- "Verify User Registration: User registrations to OAuth applications must be controlled or even blocked."
- "Implement Multi-Factor Authentication (MFA): Enabling MFA can significantly reduce vulnerability to OAuth-based attacks by preventing credential stuffing and phishing attacks."
- "Enable Conditional Access Policies: Organizations should implement policies for User and Sign-in Risk, device compliance, and trusted IP address requirements to protect against attacks that leverage stolen credentials."
- “Secure the Identity Infrastructure” contains very broad but efficient and standard measures. Three highlights: they finally state that password complexity and expiration policies should now be avoided, legacy authentication must be blocked, and unknown entry points must be blocked (aka manage the lifecycle and know your assets). All the recommendations: https://learn.microsoft.com/en-gb/azure/security/fundamentals/steps-secure-identity#audit-apps-and-consented-permissions?ocid=magicti_ta_learndoc
Ok, you tried to put some mitigations in place. If they aren't enough, what's next? Detection!
If you have access to it, the simplest approach is to use Microsoft Defender for Cloud Apps: it will detect malicious OAuth applications that engage in sensitive administrative activities and provide enhanced visibility. If not, you will have to dig into the Unified Audit Log to hunt for user consents, suspicious IPs and applications granted the broad combination of rights “user.read; mail.readwrite; email; profile; openid; mail.send”.
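As an added illustration of the Unified Audit Log hunt described above (not code from Microsoft or from the newsletter), here is a small Python script that walks an exported batch of audit records, keeps only "Consent to application." operations, and flags consents whose delegated scopes cover the whole broad combination. The record layout and the sample records are constructed assumptions modelled loosely on an audit export; adapt the field names to what your tenant actually returns.

```python
import json
import re

# The broad permission combination the newsletter suggests hunting for.
BROAD_COMBO = {"user.read", "mail.readwrite", "email", "profile", "openid", "mail.send"}

# Constructed sample export. The field layout is an assumption loosely modelled on
# Unified Audit Log "Consent to application." records, not a real capture.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {"CreationTime": "2023-12-18T09:12:41", "Operation": "Consent to application.",
     "UserId": "alice@example.test", "ActorIpAddress": "203.0.113.7",
     "Target": [{"Type": 1, "ID": "Contoso Mail Sync"}],
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[ConsentType: Principal, Scope: User.Read Mail.ReadWrite email profile openid Mail.Send]]"}]},
    {"CreationTime": "2023-12-18T10:02:03", "Operation": "Consent to application.",
     "UserId": "bob@example.test", "ActorIpAddress": "198.51.100.20",
     "Target": [{"Type": 1, "ID": "Timesheet Helper"}],
     "ModifiedProperties": [
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[ConsentType: Principal, Scope: User.Read openid profile]]"}]},
    {"CreationTime": "2023-12-18T10:30:00", "Operation": "Add service principal.",
     "UserId": "carol@example.test", "ActorIpAddress": "198.51.100.21",
     "Target": [{"Type": 1, "ID": "Unrelated App"}], "ModifiedProperties": []},
])

# Pulls the space-separated scope list out of the "Scope: ..." fragment.
SCOPE_RE = re.compile(r"Scope:\s*([^\],]+)")

def consented_scopes(record):
    """Return the lower-cased set of delegated scopes granted in one consent record."""
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            for match in SCOPE_RE.findall(prop.get("NewValue", "")):
                scopes.update(s.lower() for s in match.split())
    return scopes

def hunt_broad_consents(export_json, required=BROAD_COMBO):
    """Flag user consents whose granted scopes include every scope in `required`."""
    hits = []
    for rec in json.loads(export_json):
        if rec.get("Operation") != "Consent to application.":
            continue
        scopes = consented_scopes(rec)
        if required <= scopes:
            app = rec["Target"][0]["ID"] if rec.get("Target") else "?"
            hits.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "ip": rec.get("ActorIpAddress"), "app": app,
                         "scopes": sorted(scopes)})
    return hits

if __name__ == "__main__":
    for hit in hunt_broad_consents(SAMPLE_AUDIT_EXPORT):
        print(hit)  # one hit: alice's consent to "Contoso Mail Sync"
```

Each hit carries the actor IP and the consented app name, which is what you then cross-check against sign-in risk and your allowed-app inventory.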
All these attacks were possible due to compromised credentials, so while it’s key to detect these malicious OAuth apps, mitigating compromised credentials almost instantly will always be way more efficient…
📰 https://www.mandiant.com/resources/blog/shining-a-light-on-oauth-abuse-with-pwnauth
Autospill vulnerability
The "AutoSpill" vulnerability, discovered by researchers at the International Institute of Information Technology at Hyderabad, poses a risk to users of Android password managers. This vulnerability can lead to the exposure of saved credentials when a credential stored in a password manager is auto-filled into an app installed on the device. The threat is not limited to a specific app and can affect 1Password, LastPass...
The researchers presented their findings at the Black Hat security conference in London, highlighting the potential for credential leakage, even when JavaScript injection is disabled. While the vulnerability is real, its impact is more limited and easier to contain as only very few specific scenarios are outlined for now:
- third-party app allows users to log in to one account using credentials for a different account
- loading WebView content from a site of a bank or another service the user has an account with
In both cases, it means you allow your Google and/or bank account to be auto-filled into MyFunApp2025…
The researchers responsible for identifying AutoSpill have proposed countermeasures to address the root causes of the vulnerability and have disclosed their findings to the affected password managers and the Android security team, with very mixed responses: So far, Google has not indicated that it will change the behavior of the Android autofill engine. Some makers of password managers—among them 1Password and Dashlane—say they have either issued fixes or plan to do so. Others have indicated that they have no such plans.
Please continue to use your password manager, but take care of where you allow it to fill your passwords…
🧠 Research https://drive.google.com/file/d/1KdZH0ELp3Tmbwy8CCA2u_hTBlfmVBgFc/view?usp=sharing
Persistence with .LNK
A good step-by-step example of creating persistence with .LNK files, a technique used by APT28, APT29 and Kimsuky and referenced as T1204.001 in MITRE ATT&CK.
⚙️ https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html
SMTP smuggling
Timo Longin discovered, in collaboration with the SEC Consult Vulnerability Lab, a technique called SMTP smuggling. It exploits interpretation differences in the SMTP protocol to send spoofed emails while still passing SPF alignment checks. This vulnerability could be abused to send malicious emails from arbitrary email addresses, enabling targeted phishing attacks. The research uncovered two types of SMTP smuggling, outbound and inbound, which allowed the sending of spoofed emails from millions of domains to millions of receiving SMTP servers. Multiple zero-day vulnerabilities were discovered, and various vendors were notified during responsible disclosure in 2023 (to date, Cisco ESA still needs to be reconfigured manually to prevent this attack).
🧠 https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Achieving RCE in Outlook
A two-part research series by Akamai, starting with attempts at bypassing previous vulnerabilities linked to MapUrlToZone functions and ending (for now) in the discovery of CVE-2023-29324 and CVE-2023-35384!
🧠 https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-one
🧠 https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-two
Blackcat disrupted
The FBI has disrupted the BlackCat/ALPHV ransomware operation and developed a decryption tool to assist victims. The ransomware gang's websites ceased functioning after the FBI's operation. But ALPHV briefly retook control of its website after the takedown, then the FBI quickly regained access to the domain. This action has helped 500 victims recover their files for free, saving an estimated $68 million.
Windows Protected Print Mode!
Microsoft has introduced a new Windows Protected Print Mode (WPP) to enhance the security of the Windows print system. WPP builds on the existing IPP print stack, supports only Mopria-certified printers, and disables the ability to load third-party drivers. The goal is to mitigate vulnerabilities like PrintNightmare and provide a more secure default configuration. WPP is currently available in Insider builds.
It will be interesting to get some data from Microsoft to measure the adoption rate, i.e. how many organizations are “compatible” with these secure defaults…