Hello there! This is the first edition of my weekly report on the most interesting IT security news. It will be published every Friday or Saturday. Please note that this is a hobby blog by an apprentice. I can’t cover all relevant vulnerabilities. Feel free to use additional sources and consider this as hopefully engaging supplementary reading.
WhatsApp Desktop on Windows as an Entry Point
This week Microsoft published a report on a campaign that uses WhatsApp as the initial access vector, primarily targeting users of the WhatsApp Desktop app for Windows.
The attackers send victims VBS files which, when executed, create hidden folders under C:\ProgramData. Into these folders they copy legitimate Windows binaries under misleading names, for example curl.exe renamed to netapi.dll, so that a process listing or a file-name match alone does not reveal what is actually running. The renamed tools then fetch further droppers, one of them named WinUpdate_KB5034231.vbs to pass as a Windows update, from cloud storage such as Amazon S3. Downloads from a well-known cloud provider blend into ordinary traffic and draw no attention from regular users.
The downloaded malware disables UAC prompts and repeatedly tries to start cmd.exe with elevated privileges until it succeeds or the process is terminated. It also writes registry entries so that it survives a reboot.
In the final step, unsigned MSI installers are downloaded that install remote administration tools, giving the attackers access to the victim's data or enrolling the machine in a botnet.
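The chain above leaves traces a defender can look for: hidden folders under ProgramData, binaries whose PE version resource still carries the original name, changed UAC settings and autostart entries. The following PowerShell is an added triage script written for this post, not code from the Microsoft report. The report summary does not say which registry values the malware changes or where it writes its persistence, so the UAC values and Run keys checked here are the usual suspects and are marked as assumptions in the comments.

```powershell
# Added example, not code from the Microsoft report: a quick triage for the
# traces the campaign above leaves on a Windows host. Run it elevated, since
# folders dropped by malware may carry restrictive ACLs.

function Invoke-ProgramDataTriage {
    $root = 'C:\ProgramData'

    # 1. Hidden directories directly under ProgramData (the dropper creates them).
    $hiddenDirs = Get-ChildItem -Path $root -Directory -Hidden -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, LastWriteTime

    # 2. Renamed Windows binaries. Renaming curl.exe to netapi.dll changes the
    #    file name but not the PE version resource, so OriginalFilename still
    #    says curl.exe. Expect some benign mismatches from installers; this is
    #    a triage list, not a verdict.
    $renamed = Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $orig = $_.VersionInfo.OriginalFilename
            $orig -and ($orig.Trim() -ine $_.Name)
        } |
        Select-Object FullName,
                      @{ Name = 'OriginalFilename'; Expression = { $_.VersionInfo.OriginalFilename } },
                      Length, LastWriteTime

    # 3. UAC configuration. Assumption: "disables UAC prompts" means one of these
    #    values was changed. Defaults are EnableLUA=1, ConsentPromptBehaviorAdmin=5,
    #    PromptOnSecureDesktop=1.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

    # 4. Persistence. Assumption: the "registry entries" are Run/RunOnce values;
    #    flag anything launched from ProgramData or through the script host.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $persistence = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($p.Value)" -match 'ProgramData|wscript|cscript|mshta|\.vbs') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    [pscustomobject]@{
        HiddenDirs  = @($hiddenDirs)
        Renamed     = @($renamed)
        Uac         = $uac
        Persistence = @($persistence)
    }
}

$result = Invoke-ProgramDataTriage
$result.HiddenDirs  | Format-Table -AutoSize
$result.Renamed     | Format-Table -AutoSize
$result.Uac         | Format-List
$result.Persistence | Format-Table -AutoSize
```

The OriginalFilename check is the useful one: a curl.exe that calls itself netapi.dll is exactly the kind of mismatch an attacker cannot hide without patching the binary, which would break its signature. Treat the output as leads to verify by hand (hashes, signatures, creation times), not as a detection rule.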
Sources: - Heise
Attacks Exploiting an Already Patched Vulnerability in FortiClient EMS
In February, Fortinet patched a vulnerability in FortiClient EMS, its Enterprise Management Server for FortiClient endpoints. Security researchers have now observed attacks exploiting the flaw.
In version 7.4.4 an attacker could inject SQL statements through a crafted HTTP header, turning a server that is supposed to manage endpoint security into a foothold in the network. According to Fortinet the issue was fixed in version 7.4.5 and no other version is affected. Defused counted more than 1,000 internet-reachable instances that may still be vulnerable. Anyone still on 7.4.4 should update and, since exploitation has been observed in the wild, review the server's request logs for unusual activity.
Sources: - Defused on LinkedIn - Heise
Another Supply Chain Attack on npm: axios
There has been another supply chain attack on an npm package, this time targeting the widely used HTTP client axios. A North Korean hacking group is suspected of having taken over a maintainer's account and published version 1.14.1 with malicious code, which was pulled by everyone who installed or updated the package while it was available.
The malicious code installs a backdoor on Windows, macOS and Linux that lets the attackers drop further malware or run commands via a command-and-control (C2) server. Version 1.14.1 has been removed from npm and the maintainer has regained control of the package. Removing the version from the registry does not clean systems that already installed it, though: lockfiles and CI caches that pinned 1.14.1 need to be checked, and hosts that ran it should be treated as compromised.
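For a single project `npm ls axios` answers the question, but across many checkouts or build agents it is easier to scan the lockfiles directly. The script below is an added example written for this post, not code from the axios project or the cited reports; the version string is the one named above and the root path is an assumption. It handles both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of lockfile version 1, including copies of axios nested under other packages.

```powershell
#Requires -Version 7
# Added example, not from the axios project or the cited reports: scan every
# package-lock.json below a directory for the compromised release. The version
# comes from the text above; $Root is an assumed location for your checkouts.

function Get-LockfileV1Hits {
    # lockfileVersion 1 nests transitive dependencies under each entry's "dependencies".
    param(
        [System.Collections.IDictionary]$Deps,
        [string]$Package,
        [string]$Version,
        [string]$Prefix = ''
    )
    foreach ($name in @($Deps.Keys)) {
        $entry = $Deps[$name]
        if ($name -eq $Package -and $entry.version -eq $Version) {
            [pscustomobject]@{ Path = "$Prefix$name"; Version = $entry.version }
        }
        if ($entry.dependencies) {
            Get-LockfileV1Hits -Deps $entry.dependencies -Package $Package -Version $Version -Prefix "$Prefix$name/"
        }
    }
}

function Find-CompromisedPackage {
    param([string]$Path, [string]$Package, [string]$Version)
    # Matches "node_modules/axios" and nested copies such as "node_modules/foo/node_modules/axios".
    $pattern = '(^|/)node_modules/' + [regex]::Escape($Package) + '$'
    $locks = Get-ChildItem -Path $Path -Recurse -Filter 'package-lock.json' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '[\\/]node_modules[\\/]' }
    foreach ($lock in $locks) {
        # -AsHashtable keeps the root entry, whose key is the empty string, readable.
        $json = Get-Content -Path $lock.FullName -Raw | ConvertFrom-Json -AsHashtable
        $hits = if ($json.packages) {
            # lockfileVersion 2/3: flat map keyed by install path.
            foreach ($kv in $json.packages.GetEnumerator()) {
                if ($kv.Key -match $pattern -and $kv.Value.version -eq $Version) {
                    [pscustomobject]@{ Path = $kv.Key; Version = $kv.Value.version }
                }
            }
        } elseif ($json.dependencies) {
            Get-LockfileV1Hits -Deps $json.dependencies -Package $Package -Version $Version
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Lockfile = $lock.FullName; Path = $h.Path; Version = $h.Version }
        }
    }
}

$Root = 'C:\src'   # assumption: where your repositories live
Find-CompromisedPackage -Path $Root -Package 'axios' -Version '1.14.1' | Format-Table -AutoSize
```

A hit means that lockfile resolved the compromised release at some point; whether the host actually ran it depends on whether `npm install` or `npm ci` was executed against that lockfile, so check build logs and the node_modules directories on the affected machines as well.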
Sources: - Heise
This is the first edition of my weekly report, so it’s not as extensive as it could be. I’ll put more effort into it next week! I hope you found it engaging.
