Security researchers from Netscout’s Arbor division have come across five instances of the LoJack software agent that were communicating with four suspicious domain names, three of which have been associated in the past with Fancy Bear’s cyberespionage operations.

The technology stands apart because it has components embedded in BIOS/UEFI firmware through partnerships with computer manufacturers. This means that it survives even OS reinstalls and hard disk drive replacements. The BIOS/UEFI component injects a small software agent into Windows and registers it as a system service. This service then connects to a remote server controlled by Absolute Software and installs the theft recovery agent.

In 2014, security researchers from Kaspersky Lab published a paper showing how Absolute’s Computrace technology could be abused to serve as a backdoor. They pointed out that its small Windows software agent could easily be modified to make it connect to a rogue server. “The protocol used by the Small Agent provides the basic feature of remote code execution,” the researchers warned in a blog post at the time. “The protocol doesn’t use any encryption or authorization with the remote server, which creates numerous opportunities for remote attacks in a hostile network environment.”

It seems that four years later, cyberespionage groups are taking advantage of this powerful functionality that’s present on many devices and is both persistent and stealthy. The LoJack agent is whitelisted by default by many antivirus programs, and those that do detect it flag it as “not-a-virus” or “Risk Tool” instead of malware. LoJack users who willingly turned on the feature on their computers are also likely to have whitelisted the agent in their security products.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent,” the Netscout researchers said. “The attacker simply needs to stand up a rogue C2 server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server.”

The Netscout report contains file signatures for the rogue LoJack samples as well as domain names and other indicators of compromise. The company has also provided a YARA signature that organizations can use to detect the agent on their computers and block its communications with malicious domains.

Cisco Patches Another Critical Vulnerability in WebEx

Cisco Systems has patched another critical vulnerability in its WebEx client software that could be exploited to execute malicious code on computers.

Cisco WebEx is one of the most widely used web conferencing products in business environments. It has cloud-hosted solutions in the form of Cisco WebEx Business Suite (WBS) and Cisco WebEx Meetings and a self-hosted solution called the Cisco WebEx Meetings Server.

Users who attend WebEx meetings have to install a software client on their computers that’s offered by the WebEx server hosting the meeting. Special media players can also be installed alongside the clients when users attempt to play back meeting recordings. The newly patched vulnerability is located in one such player, the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF).

“An attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file and persuading the user to follow the link or open the file,” Cisco warns in its advisory. “Successful exploitation could allow the attacker to execute arbitrary code on the user’s system.”

The company advises customers to upgrade to Cisco WebEx Business Suite (WBS31) client build T31.23.4, Cisco WebEx Business Suite (WBS32) client build T32.12, Cisco WebEx Meetings client build T32.12 and Cisco WebEx Meeting Server 3.0 Patch 1.

This is the second remote code execution vulnerability fixed in WebEx client software over the course of one month, so it’s probably best for users who don’t need this software on an ongoing basis to remove it from their computers.

So we’ve got a lot of machines that started showing the ComuTrace.A variants and I’ve been slowly getting to the machines to turn it off (permanently) in the BIOS. I’ve tried to PE boot to manually delete the files, but they don’t exist. Here’s the thing though, after turning CompuTrace off several machines will still say the offending files are in the EFI Partition. There isn’t a command I can run, so the long work of going to each machine and manually turning it off is the only option.