Risky Biz News: Microsoft deprecates VBScript

In other news: Google makes passkeys default sign-in option; Vietnam targeted EU&US officials with Predator spyware; and new DDOS vector discovered.

This newsletter is brought to you by Netwrix, an IT security software company that enables security professionals to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Microsoft has deprecated VBScript, a powerful scripting language that has been part of the Windows operating system since 1998.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

As a FoD, Microsoft says VBscript will be preinstalled on Windows OS images but not enabled by default.

It's quite a rare case for Microsoft to move an older feature to a VoD before removing support. The company says it's doing this "to allow for uninterrupted use while [users] prepare for the retirement of VBScript."

Microsoft made the major announcement in a short statement on Monday but without a clear timeline for VBScript's permanent removal.

While VBScript has a large fanbase among system administrators, the language itself has been left for dead for more than a decade, with the last significant release, VBScript 5.8, coming in 2010.

Since then, Microsoft has replaced VBScript with a much more powerful scripting language named PowerShell.

In 2019, Microsoft also removed VBScript from its Internet Explorer browser in a move that signaled that VBScript's end was nigh.

While the reasons to remove VBScript support most likely lie with PowerShell being a superior tool, VBScript's removal will have a huge security impact as well.

VBScript has been and remains a popular tool amongst malware developers, even today, 27 years after its creation back in 1996. It is not as popular as it once was, but there are still malware gangs using it here and there.

Just like Microsoft dropping support for macros in Office applications, the move is most likely to trigger a shift in how malware will be written and distributed. It will not be a massive shift since all the big-boy gangs have been using PowerShell for a while now, but the older gangs and the copy-pasta malware devs will most likely be impacted.

Back in March this year, Neowin reported that VBScript was most likely the bin later this fall. VBScript's move to a FoD is most likely taking place with a Patch Tuesday update this or next month. Look for VBScript in the "optional features" section going forward.

Image via XenoPanther

Breaches, hacks, and security incidents

Hacker returns HTX funds: The hacker who stole $8 million from the HTX cryptocurrency platform has returned all the stolen funds. Formerly known as Huobi, the company has confirmed the refunds and a $400,000 "whitehat reward." The hacker returned the funds two weeks after the original theft. [Additional coverage in Cryptopolitan]

Air Europa skimming incident: Spanish airline Air Europa has disclosed a security breach after it found a web skimmer on its online website.

SK NEC hack: North Korean hackers have breached South Korea's National Election Commission and stole confidential information. The hack took place in April 2021 but was only disclosed this week. South Korea's National Intelligence Service (NIS) has attributed the intrusion to a North Korean hacking group known as Kimsuky. Officials say the hack compromised the email account of one of the commission's workers but did not say what information the hackers stole. [Additional coverage in NKEconomy]

Attacks on Israel's rocket alerting system: Pro-Palestine hacktivist groups have launched several cyberattacks that targeted Israel's rocket alert system. DDoS attacks hit endpoints responsible for alerting citizens of incoming missile raids, even as early as one hour after the Hamas operation began. Several groups participated in the attacks, such as Anonymous Sudan, Killnet, and AnonGhost. The latter also exploited vulnerabilities in the API system of Red Alert, an Android app that sends rocket alerts to Israeli citizens. The group abused the API to send fake rocket and nuclear bomb alerts meant to sow panic among the Israeli population. [Additional coverage in the Washington Post/non-paywall]

General tech and privacy

Rust in Android: Google says it has started to use the Rust programming language to rewrite parts of the Android kernel. The company has already been using Rust for some Android userland processes since last year. So far, Google developers have rewritten the Android Virtualization Framework's protected VM (pVM) firmware in Rust, but more components will follow.

Google makes passkeys default sign-in: Google is making passkeys the default sign-in option for all Google online accounts. The company will begin showing prompts to all users to enroll a passkey in the coming weeks. Enrolling will require users to register a fingerprint, a facial scan, or a PIN code on a laptop or smartphone they own. The next time users log into their Google accounts, they'll have to authenticate on the device with the passkey of their choosing and skip entering a password or MFA code.

Government, politics, and policy

US joint guidance: CISA, the FBI, the NSA, and the US Treasury have published a joint advisory on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS).

India investigations Xiaomi and Vivo: Indian authorities have launched an investigation into Chinese companies Xiaomi and Vivo Mobile for allegedly funding an Indian website that was spreading pro-Chinese propaganda. [Additional coverage in Reuters]

Vietnam is a Predator customer: A threat actor tracked as REPLYSPY has used Twitter replies as a means to distribute infection links for the Predator spyware. The links were posted online earlier this year as replies to tweets from EU and US officials, journalists, and experts on Southeast Asian issues. Experts believe the group tried to infect the officials, as well as some of their more important followers. Independent reports from Amnesty International and CitizenLab claim the Vietnamese government is behind the REPLYSPY group after it became a customer of the Intellexa alliance in 2020.

In this Risky Business News sponsor interview, Tom Uren asks Martin Cannard, VP of Product Strategy at Netwrix, how privileged access management can help defend organizations. "Advanced Persistent Teenagers" regularly use social engineering techniques to compromise highly privileged accounts, but that doesn't mean it's instantly game over.

Cybercrime and threat intel

HelloKitty leak: The source code of the HelloKitty ransomware has been leaked on an underground hacking forum, per threat intel analyst 3xp0rt. The ransomware was first spotted in late 2020, was also known as FiveHands, and its dark web leak site was last seen online in November 2021. The group's main claim to fame is the attack on Polish gaming studio CD Projekt Red, the maker of the Witcher and Cyberpunk games.

Postal service phishing: KrebsOnSecurity looks at the increase in phishing operations impersonating USPS and 12 other US postal services.

Israel-Palestine hacktivism: Threat intel analyst CyberKnow is maintaining a list of hacktivist groups that announced their involvement in the Israel-Palestine hostilities. The list includes 50 groups, with 48 on Palestine's side.

HTTP/2 Rapid Reset: Google, Amazon, and Cloudflare have discovered a new DDOS attack method named Rapid Reset. The technique exploits a feature in the HTTP/2 protocol to send a large number of requests to modern web servers and then immediately cancel the connection. All three companies say the technique has been used in August and September to launch some of the largest attacks they have ever seen. The largest attack hit Google Cloud and clocked in at 398 million requests per second, almost nine times the previous record of 46 million requests per second. Patches, tracked under CVE-2023-44487, have started rolling out to various servers and networking libraries.

Malware technical reports

Magecart campaign hides in 404 pages: A threat actor is hacking online stores and hiding malicious web skimmer code in 404 pages. The campaign has been active for a couple of weeks and has targeted online stores hosted using Magento and WooCoomerce. Akamai says that when customers try to make a purchase, the hacked website loads the malicious code from the 404 page. The code shows a fake payment form that collects a user's personal and payment information, which is then sent to an attacker's server.

IZ1H9 botnet: Throughout September 2023, the IZ1H9 botnet has expanded its exploit arsenal with 13 new vulnerabilities. This includes exploits in D-Link devices, Netis wireless routers, Sunhillo SureLine surveillance systems, Geutebruck IP cameras, Yealink Device Management systems, Zyxel devices, TP-Link Archer routers, Korenix Jetwave access points, and TOTOLINK routers.

ADVobfuscator: OALABS looks at how malware authors are abusing the ADVobfuscator library to obfuscate their code.

To protect your business, you need to understand and measure your attack surface and then implement a continuous, comprehensive approach to reducing it. Read Netwrix's guide to learn how to reduce your privileged attack surface and adopt a Zero Trust approach.

APTs and cyber-espionage

Caracal Kitten: Chinese security firm QiAnXin has discovered a new APT group spreading Android malware to members of the Kurdish population. Named Caracal Kitten, or APT-Q-58, the group hid its malware in apps posing as news portals and the official app for the Kurdistan Democratic Party (KDP). While no formal attribution has been made, QiAnXin says the group's target selection overlaps with past Iranian operations.

Grayling: A new APT group named Grayling has conducted cyber-espionage campaigns since February this year. The group has heavily targeted Taiwanese organizations, leading researchers to believe there might be a China nexus. Besides Taiwan, other targets included a government agency located in the Pacific Islands, as well as organizations in Vietnam and the US.

DPRK operations: Google's Mandiant division has published an updated guide to understanding North Korea's APT and cyber operations, complete with an updated organizational chart. The report's main findings are that DPRK groups now increasingly share resources and temporarily collaborate on operations, making exact attribution extremely difficult.

"Malware infrastructure overlaps indicating resources and attribution muddled by shifting assignments show how DPRK cyber operations are changing. However, operations conducted to fulfill regime requirements remain steadfast and we believe they will continue. While defenders may not be able to easily sort new DPRK activity into a previously identified bucket, the malware reuse and shared resources creates opportunities for detection and country level attribution."

Vulnerabilities, security research, and bug bounty

Patch Tuesday: Yesterday was the October 2023 Patch Tuesday. We had security updates from Adobe, Microsoft, SAP, Citrix, Fortinet, Kubernetes, and Siemens. The Android Project, Apple, Chrome, Cisco, Atlassian, Supermicro, QNAP, and Drupal released security updates last week as well.

Microsoft zero-days: This month, Microsoft's Patch Tuesday included 105 fixes, including three zero-days tracked as:

Libcue vulnerability: The GitHub security team has found a major vulnerability in Libcue, a small library for processing audio metadata known as CUE sheets. Tracked as CVE-2023-43641, the vulnerability impacts all Linux distros that use the GNOME desktop environment, where Libcue is included by default. The vulnerability allows threat actors to compromise these systems just by downloading a CUE audio file. The attack works because GNOME reads all newly created files, triggering the malicious code hidden inside the file.

Cobalt Strike update: Fortra has released a security update (v4.9.1) for the Cobalt Strike framework. Also, in CS news, v4.9 was leaked on hacking forums and is now most likely to be adopted by most threat actors.

Windows zero-day report: IBM's X-Force team has a technical write-up on CVE-2023-36802, a zero-day in the Windows Kernel Streaming Server that Microsoft patched last month, in September, and which IBM's Valentina Palmiotti helped discover.

EDR bypass: Wavestone researchers have found an EDR bypass in Windows that abuses a lesser-known process named NtSetInformationProcess.

"In conclusion, the mechanism described in this article actually allows an elevated malicious program wishing to perform nefarious actions (process injection, LSASS dumping, process hollowing, etc.), to carefully disable related telemetry before doing it, removing critical evidence from EDR monitoring, thus greatly improving its chances of not being detected. Multiple pieces of evidence show that Microsoft is aware of the weakness, but is not changing the API behavior retroactively on Windows 10, likely due to retro-compatibility issues."

Infosec industry

New tools—Perfect/Fuse Loader: SpecterOps researcher Evan McBroom has open-sourced two tools named Perfect Loader and Fuse Loader to support an improved in-memory dynamic library loading process on Windows and Linux.

RedHat closes security mailing list: RedHat has closed down its security mailing list. Users can still get security alerts via a free RSS feed or a notification system for paying customers.

Designer Vulnerabilities: Security researcher Mike Sass is maintaining a portal named Designer Vulnerabilities, containing a list of all fancy-pants vulnerabilities that have names, logos, custom websites, and such. The current tally is 407.

CISO salaries: CISO salaries have gone up by 11% in 2023, but growth has slowed, and fewer open positions are currently available. The average CISO salary this year has been $550,000, but more than half of CISOs are making below $400,000. According to a joint study of compensation data from more than 600 CISOs across Canada and the US, the best-paying jobs are on the US West Coast and in the tech and financial sectors. [Additional coverage in CybersecurityDive]

Podcast: Between Two Nerds

In this edition of Between Two Nerds Tom Uren and The Grugq examine the opportunities that ransomware gangs and business email compromise/romance scammers have to collaborate.