There has been an ever-increasing number of vulnerabilities and malware rearing their ugly heads lately. One of the most common things malware will attempt to do is gain elevated permissions so that its code runs without any user interaction. Recently, a new vulnerability was reported in the popular archival software 7-Zip that can potentially allow just that.
7-Zip is an open-source compression and archive utility that runs on Windows and Unix-like systems. The exploit in question takes advantage of the fact that the Windows version of the software ships its documentation in the Windows help file format, known as CHM files. These help files can still make use of ActiveX controls, a technology that saw its final release in 2013 and is today considered deprecated. Researchers have considered ActiveX insecure for years because of its inherent elevated permissions, including direct access to executing shell commands as a privileged user.
When you open 7-Zip's help menu, it launches hh.exe, the Windows HTML Help viewer, which can still load and run ActiveX objects. If a file with the .7z extension is dragged into the help window that appears, after malware or an attacker has already run their piece to unlock the nasty potential of elevated access, it can potentially open a command prompt with elevated administrator access. This is shown in the video made by Kağan Çapar, a security researcher from Turkey.
Kağan states in his GitHub repository, which outlines the vulnerability, that he will not publish the details of the exploit until the issue has been patched by the 7-Zip developers. Unfortunately, no action has been taken yet. He does, however, go on to say that the bug report has been issued to the 7-Zip developers, and that its CVE-2022-29072 designation has been submitted to security reporting web sites.
Screenshot of 7-Zip Bug Report
Of course, the researcher also outlines probably the simplest way to prevent the issue: just delete the CHM file from your 7-Zip installation. This prevents the help menu from opening at all, so any attempt to exploit it simply fails. You can also restrict the permissions the hh.exe process runs with, but for most users deleting the .chm file from the installation directory is easiest.
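Here is that mitigation written out as a small PowerShell script. It is an added example, not code from the article or from the 7-Zip project: it assumes 7-Zip is installed in the default location under Program Files (pass -InstallDir for anything else), removes any .chm file it finds there, and records the file's SHA256 hash first so the change is auditable.

```powershell
# Added example, not code from the article or the 7-Zip project.
# Removes the CHM help file(s) from a 7-Zip installation so the help menu
# can no longer launch hh.exe. Assumes the default install path under
# %ProgramFiles%\7-Zip; pass -InstallDir for a different location.
# Run from an elevated PowerShell prompt (Program Files is not writable otherwise).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles '7-Zip')
)

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Error "7-Zip install directory not found: $InstallDir"
    exit 1
}

$chmFiles = @(Get-ChildItem -LiteralPath $InstallDir -Filter '*.chm' -File)
if ($chmFiles.Count -eq 0) {
    Write-Output "No CHM help file present in $InstallDir; nothing to do."
    exit 0
}

foreach ($file in $chmFiles) {
    # Record the hash before deletion so the change can be audited later.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Write-Output "Removing $($file.FullName) (SHA256 $hash)"
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove CHM help file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

# Confirm nothing is left behind.
$remaining = @(Get-ChildItem -LiteralPath $InstallDir -Filter '*.chm' -File)
if ($remaining.Count -eq 0) {
    Write-Output 'Mitigation applied: no CHM help file remains in the 7-Zip directory.'
}
```

Run it with -WhatIf first to preview what would be removed. Once the file is gone, the help menu does nothing instead of starting hh.exe. Note that reinstalling or updating 7-Zip restores the help file, so the script needs to be run again after an upgrade.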