Risky Business #666 -- The msdt RTF of DOOM

Hah. Classic Microsoft…
31 May 2022 » Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • The msdt/office lolbinapalooza
  • Microsoft to introduce sensible defaults to Azure
  • Twitter fined $150m for SMS 2FA spam
  • It turns out npm got owned in that Heroku/Travis CI thing
  • AWS cred-stealing supply chain attack was research your honour, I swear!
  • Much, much more

We’ll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week’s sponsor interview. He’ll be walking us through some of his own research into how to own Microsoft boxes via document-embedded office add-ins.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

nao_sec on Twitter: "Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 https://t.co/rVSb02ZTwt" / Twitter
Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
Kevin Beaumont on Twitter: "Additional Follina issue, if you use wget in Powershell, it blindly executes any code via MSDT as it trusts all MS Protocol URIs. So to clarify, if you wget a webpage you don’t control and the webpage adds Follina exploit string, your server then runs the code." / Twitter
Microsoft Office Remote Code Execution - “Follina” MSDT Attack
Raising the Baseline Security for all Organizations in the World - Microsoft Tech Community
npm security update: Attack campaign using stolen OAuth tokens | The GitHub Blog
Twitter fined $150 million by FTC for alleged privacy violations - The Record by Recorded Future
REvil prosecutions reach a 'dead end,' Russian media reports
Multiple flights across India grounded after SpiceJet airline hit with ransomware - The Record by Recorded Future
Exclusive: Russian hackers are linked to new Brexit leak website, Google says | Reuters
Russian companies have begun laying off Ukrainian IT specialists - РБК (RBC)
Hacker Leaks Mountain of Files From Inside Xinjiang Camps
Spain set to strengthen oversight of secret services after NSO spying scandal | The Times of Israel
No evidence of exploitation of Dominion voting machine flaws, CISA finds - The Washington Post
Researchers identify FIDO2 protocol vulnerabilities - Security - iTnews
Security ‘researcher’ hits back against claims of malicious CTX file uploads | The Daily Swig
Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says | Reuters
Hacker Steals Database of Hundreds of Verizon Employees
GarWarner on Twitter: "Last month the US Department of Justice petitioned the court to be allowed to seize Mr. Woodbery's Bitcoin. 151.885720427 BTC is 11,930,370 Naira or $4,364,299 USD currently. (Thread 1/? ) https://t.co/Xh39FTLQUV" / Twitter
Malcolm Herbert on Twitter: "@riskybusiness @Metlstorm ... for some reason I never pictured you guys as doing a recording session before sunup, but then I guess with @Metlstorm being in NZ that kinda makes sense now that I think about it ... I'll see myself out ..." / Twitter
Darknet market Versus shuts down after hacker leaks security flaw
Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat | Ars Technica
Red Canary Managed Detection and Response - YouTube
Airlock Digital Demo - YouTube