New attack uses MSC files and Windows XSS flaw to breach networks
A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC files and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
After Microsoft fixed this issue in ISO files and 7-Zip added the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as Windows Shortcuts and OneNote files.
Attackers have now switched to a new file type, Windows MSC files, which are used in the Microsoft Management Console to manage various aspects of the operating system or create custom views of commonly accessed tools.
Motivated by this research, the Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.
The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting flaw in the 'apds.
Elastic Security has also published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.