Weekly Top 10: 11.18.2024: Microsoft Exchange Adds Warning to Emails Abusing Spoofing Flaw; Evasive ZIP Concatenation: Trojan Targets Windows Users; Microsoft November 2024 Patch Tuesday Fixes 4 Zero-Days, 89 Flaws, and More.

WEEKLY TOP TEN: November 18, 2024, 16:00 GMT

1. Microsoft Exchange Adds Warning to Emails Abusing Spoofing Flaw
   
   Attackers can send spoofed emails to Exchange servers 2016 and 2019. The issue is that email providers do not comply with RFC standards and allow for illegal symbols in the sender’s email. An attacker simply needs to edit their P2 FROM header to include a second email wrapped in angle brackets. The Exchange server will then read this as the original email, showing that it was sent from whatever email the attacker decides to use. Microsoft has pushed an update that will warn end users when suspicious emails have been received, but the core issue has not yet been fixed.
2. APT Actors Embed Malware Within macOS Flutter Applications
   
   Researchers at Jamf Threat Labs have discovered new malware built with Flutter that is attributed to North Korean threat actors. Flutter’s architecture is complicated and allows for natural obfuscation due to how it loads libraries. The malicious application appears to be a minesweeper game that runs on MacOS. When ran, the app will call out to a DPRK domain with a GET request; this will return malicious AppleScript code that is executed. There were two other variants seen, coded in Golang and Python. While these applications were initially signed by Apple, their notarization was eventually revoked.
3. Evasive ZIP Concatenation: Trojan Targets Windows Users
   
   Threat actors have been observed using concatenated ZIP files to evade detection. This technique involves appending multiple ZIP files together, which results in multiple central directories that different archive tools handle uniquely. When analyzing a concatenated ZIP, 7zip will only show the first archive and its contents, while WinRAR shows the second archive. This has been seen in the wild with a recent phishing campaign that distributed a malicious executable masquerading as shipping documents.
   
   The attachment appeared as a RAR file but was actually a concatenated ZIP; when opened with 7zip it showed a benign PDF, but when opened with WinRAR it revealed the malicious executable. While 7zip developers are aware of this behavior, they consider it intended functionality, meaning this technique will likely continue to be abused.
4. Google says “Enhanced protection” feature in Chrome now uses AI
   
   Google has updated its description of Chrome’s security features noting that it is now powered by AI. While Google has not clarified how they are using AI in this feature, they are likely sending data from the page to an LLM to analyze the backend contents. Additionally, they are now using AI for tab organization with the label stating, “Group tabs with AI”. These AI features could be a security risk as AI is still growing and vulnerable to prompt injection and poisoning. An attacker could potentially craft specific inputs that manipulate the AI’s decision-making process, causing it to misclassify malicious content as safe or vice versa.
5. Palo Alto Networks Warns of Critical RCE Zero-Day Exploited in Attacks
   
   A critical zero-day vulnerability in Palo Alto Networks’ Next-Generation Firewalls (PAN-SA-2024-0015) is now being actively exploited in the wild. The vulnerability allows for unauthenticated remote code execution against management interfaces that are exposed to the internet. An attacker can send a crafted request to gain control of the firewall, allowing them to modify rules or disable security features. While Palo Alto has not released a patch yet, they recommend blocking all internet access to the management interface and only allowing trusted internal IPs. Shodan scans show that over 11,000 management interfaces are currently exposed to the internet, with most of them being in the United States.
6. Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal Sensitive Data
   
   A new information stealer called Glove Stealer has been observed in the wild, using social engineering tactics to infect users. The malware is distributed through phishing emails that trick users into copying and executing malicious PowerShell commands. Once executed, Glove steals sensitive data from browsers, cryptocurrency wallets, and 2FA authenticators.
   
   This malware is particularly interesting due to its ability to bypass Chrome’s new App-Bound Encryption using the IElevator service. The stealer works by downloading a supporting module that must be placed in Chrome’s Program Files directory, requiring admin privileges to successfully steal Chrome data. After collecting data, Glove encrypts and exfiltrates it to the attacker’s C2 server.
7. ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI
   
   Researchers at Palo Alto’s Unit 42 have discovered two critical vulnerabilities in Google’s Vertex AI platform. The first vulnerability allows privilege escalation through custom jobs. An attacker with custom job permissions could gain unauthorized access to all data services in the project. The second, more concerning vulnerability involves deploying a malicious model that can exfiltrate other models in the environment. Once deployed, the malicious model runs with the custom-online-prediction service account, which has read permissions to access all deployed models, including sensitive ML models and LLM fine-tuning adapters. This means an attacker could steal proprietary model data by simply having their malicious model deployed in the environment. Both vulnerabilities have been fixed by Google.
8. GoIssue – The Tool Behind Recent GitHub Phishing Attacks
   
   A new tool named GoIssue has been discovered by researchers from SlashNet. The tool allows attackers to scrape GitHub profiles for email addresses and send targeted phishing emails that bypass spam filters. GoIssue is concerning due to its connection to the GitLoker extortion campaign. GoIssue can send fake phishing emails that appear to be legitimate GitHub messages. These emails can trick devs into either entering their credentials on a phishing page or authorizing malicious OAuth apps, potentially resulting in repository hijacking and source code theft.
9. Microsoft November 2024 Patch Tuesday Fixes 4 Zero-Days, 89 Flaws
   
   Microsoft has released their November Patch Tuesday, fixing 89 vulnerabilities including four zero-days. Two of the zero-days were actively exploited: CVE-2024-43451, which allows attackers to steal NTLM hashes through minimal user interaction, and CVE-2024-49039, a Windows Task Scheduler vulnerability that allows privilege escalation. This month’s update also includes fixes for 52 Remote Code Execution vulnerabilities, 26 Elevation of Privilege flaws, and the critical Exchange server vulnerability that was covered earlier.
10. New PXA Stealer Targets Government and Education Sectors for Sensitive Information
    
    A new information stealer named PXA has been discovered targeting government and education sectors in Europe and Asia. Written in Python, the malware steals sensitive data including browser credentials, cookies, VPN configurations, and cryptocurrency wallets. PXA has advanced capabilities such as decrypting browser master passwords to access stored credentials. The malware is being distributed through phishing emails and hosted on a compromised Vietnamese domain. After stealing data, PXA bundles it into a ZIP file and exfiltrates it via Telegram bots.