ITSEC Newsletter 2023-11-16

Microsoft Access (part of the Office suite) has a “linking to remote SQL Server tables” feature. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf ) can work as well. This technique allows the attacker to bypass existing Firewall rules designed to block NTLM information stealing initiated by external attacks.

Key Points: Throughout 2023, attackers have distributed malicious Python packages disguised as legitimate obfuscation tools. The malicious payload activates upon installation. Labeled as "BlazeStealer", the payload retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer. Developers who engage in code obfuscation are likely working with valuable and sensitive information. As a result, hackers see them as valuable targets to pursue and therefore are likely to be the victims targeted in this attack.

Welcome back to part 11 of the On Detection blog series. This next article serves as a conceptual foundation upon which we will build over the next few posts. It may not be immediately obvious why this is important, but understanding this concept will make many subsequent ideas much easier to parse.