Risky Business #666 -- The msdt RTF of DOOM

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • The msdt/office lolbinapalooza
  • Microsoft to introduce sensible defaults to Azure
  • Twitter fined $150m for SMS 2FA spam
  • It turns out npm got owned in that Heroku/Travis CI thing
  • AWS cred-stealing supply chain attack was research your honour, I swear!
  • Much, much more

We’ll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week’s sponsor interview. He’ll be walking us through some of his own research into how to own Microsoft boxes via document-embedded office add-ins.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.


Show notes

nao_sec on Twitter: "Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 https://t.co/rVSb02ZTwt" / Twitter

Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar

Kevin Beaumont on Twitter: "Additional Follina issue, if you use wget in PowerShell, it blindly executes any code via MSDT as it trusts all MS Protocol URIs. So to clarify, if you wget a webpage you don’t control and the webpage adds Follina exploit string, your server then runs the code." / Twitter

Microsoft Office Remote Code Execution - “Follina” MSDT Attack

Raising the Baseline Security for all Organizations in the World - Microsoft Tech Community

npm security update: Attack campaign using stolen OAuth tokens | The GitHub Blog

Twitter fined $150 million by FTC for alleged privacy violations - The Record by Recorded Future

REvil prosecutions reach a 'dead end,' Russian media reports

Multiple flights across India grounded after SpiceJet airline hit with ransomware - The Record by Recorded Future

Exclusive: Russian hackers are linked to new Brexit leak website, Google says | Reuters

Russian companies have begun laying off Ukrainian IT specialists — РБК

Hacker Leaks Mountain of Files From Inside Xinjiang Camps

Spain set to strengthen oversight of secret services after NSO spying scandal | The Times of Israel

No evidence of exploitation of Dominion voting machine flaws, CISA finds - The Washington Post

Researchers identify FIDO2 protocol vulnerabilities - Security - iTnews

756.pdf

Security ‘researcher’ hits back against claims of malicious CTX file uploads | The Daily Swig

Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says | Reuters

Hacker Steals Database of Hundreds of Verizon Employees

GarWarner on Twitter: "Last month the US Department of Justice petitioned the court to be allowed to seize Mr. Woodbery's Bitcoin. 151.885720427 BTC is 11,930,370 Naira or $4,364,299 USD currently. (Thread 1/? ) https://t.co/Xh39FTLQUV" / Twitter

Malcolm Herbert on Twitter: "@riskybusiness @Metlstorm ... for some reason I never pictured you guys as doing a recording session before sunup, but then I guess with @Metlstorm being in NZ that kinda makes sense now that I think about it ... I'll see myself out ..." / Twitter

Darknet market Versus shuts down after hacker leaks security flaw

Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat | Ars Technica

Red Canary Managed Detection and Response - YouTube

Airlock Digital Demo - YouTube