New attack uses MSC files and Windows XSS flaw to breach networks
A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC files and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
After Microsoft fixed this issue in ISO files and 7-Zip added the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as Windows Shortcuts and OneNote files.
Attackers have now switched to a new file type, Windows MSC files, which are used in the Microsoft Management Console to manage various aspects of the operating system or create custom views of commonly accessed tools.
Motivated by this research, the Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.
The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting flaw in the 'apds.
Elastic Security has also published a complete list of GrimResource indicators on GitHub and provided YARA rules in the report to help defenders detect suspicious MSC files.