Indicators of compromise (IOCs) identified
Compromise reports identified (grouping of IoCs)
HIGHLIGHT OF THE MONTH
In early December 2022, Microsoft released its last batch of updates for 2022. Among the various patches was one for the vulnerability identified as CVE-2022-44698, whose description reads “Windows SmartScreen Security Feature Bypass” and which carries a CVSSv3 score of 5.4 (Medium).
To understand why this vulnerability matters from a threat actor’s point of view, a few points need recalling. SmartScreen is a Windows feature that warns a user who visits a potentially malicious site or downloads an untrusted file. One of the criteria it relies on is the “Mark-of-the-Web” (MotW), which is the subject of this month’s definition.
The vulnerability in question allows the protections implemented by Windows SmartScreen to be bypassed with no prerequisite other than having a user interact with a malicious site. From the attacker’s point of view, the objective is obviously to avoid alerting a potential victim to the danger of his or her action.
On January 1st, CISA (Cybersecurity & Infrastructure Security Agency) added this vulnerability to its list of actively exploited vulnerabilities. Indeed, exploitation of CVE-2022-44698 had already been observed in October 2022 during a phishing campaign distributing the Magniber ransomware. More recently, last month, a QBot distribution campaign was identified that also used this technique.
DEFINITION OF THE MONTH
The Mark-of-the-Web is a marker that Windows associates, for security purposes, with any file downloaded from the Internet. It is not stored inside the file itself but in an Alternate Data Stream attached to it by the Windows file system (NTFS). As a result, the file’s integrity is not affected: the same file has the same checksum whether it came from the Internet or not. The purpose of the mark is to tell the application opening the file that it came from the Internet, and therefore potentially from an untrusted source.
The Internet Explorer browser originally added the comment `<!--saved from url=>` to the beginning of saved web pages. This still allows browsers, among other things, to prevent JavaScript or applets from running when such pages are opened. The practice has since been extended to files in general.
More relevant to current events, Microsoft applications now block the execution of macros in Office files downloaded from the Internet, a vector frequently used by cybercriminals, an aspect already covered in our barometer last September.
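As an added illustration (not code from the Barometer or from Gatewatcher), the PowerShell below reads the `Zone.Identifier` alternate data stream that carries the Mark-of-the-Web, flags downloaded files that lack it, and shows that adding the stream leaves the file’s SHA-256 hash unchanged. The sample file name, the `Get-MotwStatus` function and the `example.invalid` host URL are constructed for this demonstration; it must run on Windows with an NTFS volume.

```powershell
# Added example, not from the original report. The Mark-of-the-Web lives in the
# NTFS alternate data stream "Zone.Identifier", whose content looks like:
#   [ZoneTransfer]
#   ZoneId=3            (3 = Internet zone, 4 = Restricted Sites)
#   HostUrl=https://...
# A downloaded file with no such stream is exactly what a SmartScreen bypass
# leaves behind, so a defender wants to spot those files.

function Get-MotwStatus {
    param([Parameter(Mandatory)] [string] $Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    # -Stream targets the alternate data stream rather than the main file data.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    $hostUrl = $null
    if ($ads) {
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)$')  { $zoneId  = [int]$Matches[1] }
            if ($line -match '^HostUrl=(.+)$')  { $hostUrl = $Matches[1] }
        }
    }
    [pscustomobject]@{
        File    = $item.FullName
        HasMotw = [bool]$ads
        ZoneId  = $zoneId
        HostUrl = $hostUrl
    }
}

# 1) The "same checksum" point: a constructed sample file, hashed before and
#    after the Zone.Identifier stream is written. The hash does not change.
$sample = Join-Path $env:TEMP 'motw-demo.txt'       # constructed sample file
Set-Content -LiteralPath $sample -Value 'constructed sample content'
$before = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
Set-Content -LiteralPath $sample -Stream Zone.Identifier `
    -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/"
$after = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
"SHA-256 unchanged after adding Zone.Identifier: $($before -eq $after)"
Get-MotwStatus -Path $sample | Format-List
Remove-Item -LiteralPath $sample

# 2) Audit the Downloads folder and warn about files that carry no mark.
$results = Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -Recurse |
    ForEach-Object { Get-MotwStatus -Path $_.FullName }
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.HasMotw } |
    ForEach-Object { Write-Warning "No Mark-of-the-Web on $($_.File)" }
```

A file without the stream is not necessarily malicious (archives and some copy operations drop it), but it is the state in which SmartScreen and Office macro blocking no longer apply, which is why it is worth correlating with how the file arrived.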
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It is no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.