Risky Business #666 -- The msdt RTF of DOOM
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:
- The msdt/office lolbinapalooza
- Microsoft to introduce sensible defaults to Azure
- Twitter fined $150m for sms 2fa spam
- It turns out npm got owned in that Heroku/Travis CI thing
- AWS cred-stealing supply chain attack was research your honour, I swear!
- Much, much more
We’ll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week’s sponsor interview. He’ll be walking us through some of his own research into how to own Microsoft boxes via document-embedded office add-ins.
Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
Show notes
- nao_sec on Twitter: "Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 https://t.co/rVSb02ZTwt" / Twitter
- Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
- Kevin Beaumont on Twitter: "Additional Follina issue, if you use wget in Powershell, it blindly executes any code via MSDT as it trusts all MS Protocol URIs. So to clarify, if you wget a webpage you don’t control and the webpage adds Follina exploit string, your server the runs the code." / Twitter
- Microsoft Office Remote Code Execution - “Follina” MSDT Attack
- Raising the Baseline Security for all Organizations in the World - Microsoft Tech Community
- npm security update: Attack campaign using stolen OAuth tokens | The GitHub Blog
- Twitter fined $150 million by FTC for alleged privacy violations - The Record by Recorded Future
- REvil prosecutions reach a 'dead end,' Russian media reports
- Multiple flights across India grounded after SpiceJet airline hit with ransomware - The Record by Recorded Future
- Exclusive: Russian hackers are linked to new Brexit leak website, Google says | Reuters
- Российские компании начали увольнять украинских ИT-специалистов — РБК
- Hacker Leaks Mountain of Files From Inside Xinjiang Camps
- Spain set to strengthen oversight of secret services after NSO spying scandal | The Times of Israel
- No evidence of exploitation of Dominion voting machine flaws, CISA finds - The Washington Post
- Researchers identify FIDO2 protocol vulnerabilities - Security - iTnews
- 756.pdf
- Security ‘researcher’ hits back against claims of malicious CTX file uploads | The Daily Swig
- Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says | Reuters
- Hacker Steals Database of Hundreds of Verizon Employees
- GarWarner on Twitter: "Last month the US Department of Justice petitioned the court to be allowed to seize Mr. Woodbery's Bitcoin. 151.885720427 BTC is 11,930,370 Naira or $4,364,299 USD currently. (Thread 1/? ) https://t.co/Xh39FTLQUV" / Twitter
- Malcolm Herbert on Twitter: "@riskybusiness @Metlstorm ... for some reason I never pictured you guys as doing a recording session before sunup, but then I guess with @Metlstorm being in NZ that kinda makes sense now that I think about it ... I'll see myself out ..." / Twitter
- Darknet market Versus shuts down after hacker leaks security flaw
- Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat | Ars Technica
- Red Canary Managed Detection and Response - YouTube
- Airlock Digital Demo - YouTube
