Issue 23: Void Banshee Targets Microsoft Vulnerability, 15 Million Trello Email Addresses Leaked and SEG URL Exploits

Top Stories 19 July 2024:

  1. Void Banshee Exploits Microsoft MHTML Vulnerability to Deliver Atlantida Stealer
  2. 15 Million Trello Email Addresses Leaked Through Unsecured API
  3. Threat Actors Intensify Use of Encoded URLs to Evade Secure Email Filters


Void Banshee Exploits Microsoft MHTML Vulnerability to Deliver Atlantida Stealer

Cybersecurity firm Trend Micro has reported that the advanced persistent threat (APT) group Void Banshee is exploiting a newly disclosed vulnerability in Microsoft's MHTML browser engine (CVE-2024-38112) to deploy the Atlantida information stealer. This activity was first observed in mid-May 2024.


How It Works:

  • Vulnerability Details: Microsoft recently patched CVE-2024-38112, initially described by Microsoft as a spoofing flaw but categorized by the Zero Day Initiative (ZDI) as a remote code execution flaw.
  • Attack Method: Void Banshee uses specially crafted internet shortcut (URL) files distributed via spear-phishing emails. These files exploit the vulnerability to redirect victims to a compromised website hosting an HTA file.
  • Execution Chain: When the HTA file is opened, it triggers a Visual Basic Script (VBS) that downloads and executes a PowerShell script. This script then deploys a .NET trojan loader, which utilizes Donut shellcode to execute the Atlantida information stealer within the RegAsm.exe process memory.


Atlantida, influenced by open-source stealers like NecroStealer and PredatorTheStealer, extracts files, screenshots, geolocation data, and sensitive information from web browsers, Telegram, Steam, FileZilla, and cryptocurrency wallets. This exploitation method is similar to CVE-2021-40444, another MSHTML vulnerability used in previous zero-day attacks.


Void Banshee, known for targeting North America, Europe, and Southeast Asia for information theft and financial gain, has quickly incorporated proof-of-concept (PoC) exploits into its campaigns, often within minutes of their public release.


Immediately apply Microsoft's patch for CVE-2024-38112 to mitigate exploitation risks. Restrict executable content to further improve email security.


TLDR;

  • Void Banshee is exploiting CVE-2024-38112 in Microsoft's MHTML browser engine to deploy the Atlantida information stealer via spear-phishing emails.
  • It uses URL files to exploit the vulnerability, redirecting victims to a site that downloads a script, which then executes a trojan to deploy Atlantida, stealing sensitive information from various applications.
  • Void Banshee targets North America, Europe, and Southeast Asia for information theft, adapting quickly to new PoC exploits to carry out attacks for financial gain.


15 Million Trello Email Addresses Leaked Through Unsecured API

A threat actor has leaked over 15 million email addresses associated with Trello accounts, obtained using an unsecured API in January 2024. Trello, owned by Atlassian, is a popular project management tool. In January, BleepingComputer reported that a hacker named 'emo' was selling profiles of 15,115,516 Trello members on a hacking forum. Although most data in these profiles was public, the profiles included non-public email addresses.


The data was collected via an unsecured REST API that allowed anyone to query public information about a profile using Trello ID, username, or email address. Emo compiled a list of 500 million email addresses, fed it into the API, and created profiles for over 15 million users. Recently, emo shared the entire list on the Breached hacking forum for $2.32.


The exposed data includes email addresses and public Trello account information, such as the user’s full name. This information can be used in targeted phishing attacks and for doxxing. Atlassian confirmed the data was collected through a Trello REST API that has since been secured.


Unsecured APIs are increasingly targeted by threat actors to link non-public information with public profiles. In 2021, an API was exploited to link phone numbers to Facebook accounts, affecting 533 million users. In 2022, Twitter suffered a similar breach, and more recently, an unsecured Twilio API exposed phone numbers of 33 million Authy app users.


Secure APIs, perform regular audits to identify vulnerabilities, monitor for suspicious traffic, and enforce strict access controls that limit and monitor the users who can configure and modify API data.


TLDR;

  • Over 15 million Trello email addresses were leaked via an unsecured API, with profiles sold on a hacking forum, exposing both non-public emails and public account details.
  • A hacker named 'emo' exploited Trello's REST API to create profiles from 500 million email addresses, sharing the data on the Breached forum for $2.32 before Atlassian secured the API.
  • Recent breaches in Trello, Facebook, Twitter, and Twilio show that unsecured APIs are increasingly exploited by threat actors, exposing millions of users' information for phishing and doxxing.


Threat Actors Intensify Use of Encoded URLs to Evade Secure Email Filters

Secure email gateways (SEGs) are designed to protect organisations from malware, spam, and phishing. However, threat actors have found a way to exploit these systems by encoding or rewriting malicious URLs in emails. Security researchers from Cofense have observed a rise in such attacks, where SEGs allow these encoded URLs to pass through without proper vetting.


The issue, according to Max Gannon, threat intelligence manager at Cofense, is that some SEG products do not handle SEG-encoded URLs properly, often assuming them to be safe. This assumption may stem from either implicit trust in the URLs or from the scanning process trusting the domain of the SEG that encoded the URL.


SEG encoding involves rewriting URLs in outgoing emails to point to the SEG's own infrastructure. When a recipient clicks on the encoded link, the user is directed to the sender's SEG system, which checks the URL's safety before redirecting the user. These checks involve assessing the URL using reputation, blacklists, and signatures. However, this process can take days or even weeks, allowing malicious URLs to remain undetected and accessible in the meantime.


We recommend implementing improved URL scanning that does not solely rely on the domain of the encoding SEG. Monitor traffic from new or untrusted domains. Ensure employee training includes education on the risks of clicking on suspicious URLs.
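The flaw described above is that a filter judges a rewritten link by the gateway domain wrapping it rather than by where it finally lands. The following is an added example, not code from the original post or from Cofense, that contrasts that naive check with one that peels off every wrapper layer (including a link rewritten by two gateways in turn) and scores the real destination. The gateway hostnames, the `u=` query-parameter wrapper format and the blocklist are constructed assumptions; real SEG products each use their own rewriting scheme.

```python
"""Evaluate SEG-rewritten links by their final destination, not the wrapper host."""
from urllib.parse import urlparse, parse_qs, quote

# Constructed: hostnames that known gateways (ours and peers') rewrite links to.
SEG_WRAPPER_HOSTS = {"links.seg-a.example", "protect.seg-b.example"}
WRAPPER_PARAMS = ("u", "url", "target")   # assumed names of the destination parameter
# Constructed blocklist standing in for reputation / blacklist / signature feeds.
KNOWN_BAD_DOMAINS = {"login-verify-update.example"}
MAX_DEPTH = 5                             # stop on pathological nesting loops

def naive_verdict(url):
    """The flawed behaviour: a link wrapped by a trusted gateway is assumed safe."""
    host = (urlparse(url).hostname or "").lower()
    return "allow" if host in SEG_WRAPPER_HOSTS else "scan"

def unwrap(url, depth=0):
    """Peel wrapper layers until a non-gateway host is reached; return (final_url, layers)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in SEG_WRAPPER_HOSTS or depth >= MAX_DEPTH:
        return url, depth
    # parse_qs percent-decodes one layer, which is exactly one wrapping step.
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name in WRAPPER_PARAMS:
        if params.get(name):
            return unwrap(params[name][0], depth + 1)
    return url, depth   # gateway host but no recoverable destination

def assess(url):
    """Verdict based on the real destination: allow / block / review."""
    final, layers = unwrap(url)
    host = (urlparse(final).hostname or "").lower()
    if host in SEG_WRAPPER_HOSTS:
        verdict = "review"   # opaque wrapper: do not trust it just because of the domain
    elif host in KNOWN_BAD_DOMAINS:
        verdict = "block"
    else:
        verdict = "allow"
    return {"final": final, "layers": layers, "verdict": verdict}

# Constructed sample: a phishing URL rewritten first by gateway A, then by gateway B.
DEST = "https://login-verify-update.example/secure"
WRAPPED_ONCE = "https://links.seg-a.example/v1/?u=" + quote(DEST, safe="")
WRAPPED_TWICE = "https://protect.seg-b.example/?u=" + quote(WRAPPED_ONCE, safe="")

if __name__ == "__main__":
    print("naive:", naive_verdict(WRAPPED_TWICE))   # trusts the gateway domain
    print("real :", assess(WRAPPED_TWICE))          # sees the blocked destination
```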


TLDR;

  • Secure email gateways (SEGs) are being exploited by threat actors encoding malicious URLs, bypassing proper vetting.
  • Some SEGs fail to handle encoded URLs correctly, trusting them implicitly and allowing malicious links to pass through unchecked.
  • SEG encoding rewrites URLs to point to SEG infrastructure for safety checks, but delays in this process can leave malicious URLs undetected for days or weeks.


Resource of the week

Here's a little something you might be interested in...

Sign me up: Webinar - Fireside Chat with the Experts: Mastering Your Cybersecurity Strategy | Codestone


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup!
