January 27, 2022
Note: this CTI contains 2 alerts: Microsoft Advisory & Apple Updates
Phishing Campaign Targeting ‘Microsoft 365’ Users Abuses ‘OAuth Request’ Links
Microsoft has recently detected a ‘Consent Phishing’ campaign targeting ‘Microsoft 365’ users in which threat actors abuse ‘OAuth’ request links to allow a malicious app called ‘Upgrade’ to access victims’ email, contacts and calendar.
‘OAuth’ is a form of authentication that uses software tokens to maintain access to an online service (such as Microsoft 365).
How it works
- The threat actors send a phishing mail containing an ‘OAuth’ request link for a malicious app.
- Once the victim clicks the link and signs into the service (in this case ‘Microsoft 365’) the malicious app generates an ‘OAuth’ consent prompt.
- If the victim agrees to give the app access, the attackers get the authorization token and can then access the user’s data.
- The ‘OAuth’ token allows them to stay in the victim’s account until the token expires or is revoked.
While the malicious ‘Upgrade’ app used in this campaign has been taken care of, many similar campaigns can still target users via the same technique in the future.
According to a previously shared blog post by Microsoft regarding ‘Consent Phishing’, The following actions can be taken to mitigate the risk of compromise:
- Prevent consent for illegitimate apps with ‘Azure AD’ user consent settings.
- Block consent phishing emails with ‘Microsoft Defender for Office 365’.
- Identify malicious apps with ‘Microsoft Defender for Cloud Apps’.
Please review the official blog post by Microsoft for guide and details on completing each of the steps mentioned above.
Apple Patches 2 Zero-Days, 1 Exploited in the Wild & 8 ACEs Across MacOS and Safari
Apple has patched 2 Zero-Day vulnerabilities, one being actively exploited in the wild, as well as 8 Arbitrary Code Execution vulnerabilities in total across ‘MacOS’ and ‘Safari’, some of which may be exploited Remotely.
The Zero-Day Vulnerabilities
- CVE-2022-22587 Exploited In the Wild
A memory corruption bug in the ‘IOMobileFrameBuffer’ component. Successful exploitation leads to arbitrary code execution with kernel privileges on compromised devices.
A cross-origin issue in the ‘IndexDB’ API was addressed with improved input validation. The vulnerability allows a remote attacker to gain access to potentially sensitive information.
For the full vulnerabilities list, including the 8 Arbitrary Code Execution vulnerabilities, visit Apple Security Updates.
- ‘macOS Monterey‘ prior version 12.2.
- ‘macOS Big Sur‘ prior version 11.6.3.
- ‘macOS Catalina‘ prior ‘Security Update 2022-001’.
- ‘Safari‘ prior version 15.3.
CYREBRO recommends updating relevant products to the latest available releases which fix these issues, in accordance the ‘Vulnerable Products’ section.