Qualys

Tech Optimizer
October 18, 2024
Threat actors are increasingly using the open-source tool EDRSilencer to evade endpoint detection and response (EDR) solutions. EDRSilencer, inspired by MDSec's NightHawk FireBlock, obstructs outbound traffic from active EDR processes by utilizing the Windows Filtering Platform (WFP). It can terminate processes associated with various EDR products, including those from Microsoft, Elastic, Trellix, and Qualys. By employing EDRSilencer, malicious actors aim to render EDR software ineffective, complicating malware identification and removal. The tool dynamically identifies active EDR processes and establishes persistent filters to inhibit their outbound communications, preventing security software from transmitting telemetry data. This tactic enhances the likelihood of successful attacks without detection. Additionally, ransomware groups are utilizing advanced EDR-killing tools like AuKill and EDRKillShifter, which exploit vulnerable drivers to escalate privileges and terminate security processes, showcasing a sophisticated approach to evading detection. EDRKillShifter employs advanced persistence mechanisms to maintain its presence within a system and disrupt security processes in real-time.
Winsage
September 18, 2024
Microsoft has reclassified a bug from its September Patch Tuesday update as a zero-day vulnerability, designated CVE-2024-43461, which has been exploited by the threat group "Void Banshee" since before July. This vulnerability affects all supported versions of Windows and allows remote attackers to execute arbitrary code if a victim visits a malicious webpage or clicks an unsafe link. Initially rated 8.8 on the CVSS scale, Microsoft revised its assessment after discovering active exploitation linked to another vulnerability, CVE-2024-38112, which was patched in July 2024. To protect against CVE-2024-43461, Microsoft recommends applying patches from both the July and September updates. CISA added this flaw to its known exploited vulnerabilities database, setting an implementation deadline of October 7 for federal agencies. The vulnerability enables attackers to manipulate browser interfaces and has been used by Void Banshee to deploy Atlantida malware through deceptive files. The coordinated attack chain involving CVE-2024-43461 and CVE-2024-38112 exploits the legacy MSHTML engine, which remains in Windows for compatibility. A study indicated that over 10% of Windows 10 and 11 systems lack endpoint protection, increasing vulnerability to such exploits.
Winsage
July 23, 2024
- CVE-2024-38112 is a vulnerability in the Microsoft MSHTML platform, allowing for a spoofing attack using malicious MHTML files.
- The vulnerability was addressed in the July 2024 Patch Tuesday release, but remains significant due to delayed updates, legacy systems, and evolving attack techniques.
- The Void Banshee group has been actively exploiting this vulnerability to distribute the Atlantida info-stealer, emphasizing the importance of timely security updates and patch management.
Winsage
July 17, 2024
The ZDI threat hunting team discovered and analyzed samples exploiting CVE-2024-38112, which allowed attackers to run files and websites through the disabled IE process by exploiting MSHTML. The vulnerability was used in a spear-phishing campaign by the operators behind Void Banshee, targeting victims in North America, Europe, and Southeast Asia. The campaign distributed malicious files disguised as PDFs through cloud-sharing websites, Discord servers, and online libraries. The malware used in the campaign, the Atlantida stealer, targets sensitive information from various applications and can collect system information and geolocation data. The exploitation tactic is similar to that of another MSHTML vulnerability, CVE-2021-40444, and both have been patched by Microsoft. Unsupported Windows relics like Internet Explorer are an overlooked attack surface that can still be exploited by threat actors. Organizations should keep their software updated to protect themselves from security vulnerabilities.
Tech Optimizer
June 12, 2024
The level of security provided by any cloud provider is determined by a number of criteria, including the specific security controls offered, the certifications obtained, and the compliance standards met.