Kenneth Porter wrote:
> I found a copy of the repo and see that it works by adding an evil printer driver to the remote server over an IP connection. So email is a vector if you allow executable attachments (including scripts).
Yes. Local Privilege Elevation then Remote Command Execution. The Chinese POC operators promise more exciting news at Black Hat later this month. Microsoft has already pushed a fix; at least for what they know. MSP source feed compromise seems ideal for pushing something like this - Kaseya, SolarWinds, TeamViewer, VIPRE, etc. Any compromised domain or workgroup user account will do.
> I use MIMEDefang (a "milter" run from the MTA during message acceptance) to block lots of extensions for all but a couple of trusted recipients. I quarantine zip files, although MD can check inside those recursively for evil extensions. (MD also runs ClamAV and SpamAssassin and I have it set to reject mail with a score of 10 or more.)
Yes, I looked at that well over 10 years ago. At that time I was running a Slackware box which was memory-bound. I ended up running Sendmail and a commercial milter from Snertsoft. Blast from the past. I'm happy to see it is still alive and kicking.
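The attachment check described above (blocking executable extensions and looking inside zip files recursively) can be sketched in plain Python with the standard library. This is an added illustration, not MIMEDefang's own filter code or anything from this thread; the deny-list, the depth and size limits, and the sample message are constructed here for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed, non-exhaustive deny-list of extensions treated as executable content.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl",
}
MAX_ZIP_DEPTH = 3               # assumed limit: stop descending into nested archives past this
MAX_MEMBER_BYTES = 10_000_000   # assumed limit: refuse to inflate archive members larger than this


def _extension(name: str) -> str:
    """Lower-cased final extension, so 'Invoice.PDF.exe' yields '.exe'."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def scan_zip(data: bytes, path: str, depth: int = 1) -> list:
    """Return labelled findings for blocked members inside a zip, descending into nested zips."""
    if depth > MAX_ZIP_DEPTH:
        return [f"{path}: nested deeper than {MAX_ZIP_DEPTH}, not inspected"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path}: corrupt or non-zip data"]
    findings = []
    for info in zf.infolist():
        member = f"{path}/{info.filename}"
        ext = _extension(info.filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(member)
        elif ext == ".zip":
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}: too large to inspect")
                continue
            try:
                inner = zf.read(info)
            except RuntimeError:  # password-protected member cannot be inspected
                findings.append(f"{member}: encrypted, not inspected")
                continue
            findings.extend(scan_zip(inner, member, depth + 1))
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return every blocked attachment found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(name)
        elif ext == ".zip":
            findings.extend(scan_zip(part.get_payload(decode=True), name))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a zip containing a zip with an .exe, plus a bare .cmd file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ constructed placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.zip", inner.getvalue())
        zf.writestr("notes.pdf", b"%PDF-1.4 constructed placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Documents"
    msg.set_content("Please see attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="octet-stream", filename="setup.cmd")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("blocked:", finding)
```

In a real milter the findings would drive a reject or quarantine decision at SMTP time; the depth and size caps exist so that a deeply nested or oversized archive cannot exhaust the filter, and encrypted members are reported rather than silently passed.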
On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
> Anyone know if this is delivered via email? I'm trying to make sure I block the payload if it is.
Kevin, I do not believe this has been bundled with any Email payload at this time. Considering the trouble with Emotet/TrickBot, I really have some grief with the anti-virus community and the disconnect with the anti-spam community. I've never thought these were mutually-exclusive. In many cases, processing at the Email level can be far more effective than ripping through binaries and inspecting threads on a computer.
The status quo is not sustainable. Just from a national/homeland security perspective it would be a noble project; perhaps worthy of your foundation - belly of the beast and all that.
$0.02,

-- Jared Hall
