The arrest of Telegram's CEO | Two rare attack vectors
#154 - Security vs. Privacy again | GrimResource & AppDomainManager injection
Telegram’s CEO Pavel Durov was arrested in France | AppDomainManager Injection
The debate of security vs. privacy resurfaces | Two new techniques to deliver malware
The French authorities have detained Pavel Durov.
Pavel is the CEO of Telegram, the popular messaging app. He is being investigated on a wide range of charges, from money laundering to distributing child pornography.
The French President said this on X:
There are multiple perspectives at play here. The first one being the debate between free speech and moderation. Here is what that looks like:
Then comes the debate between security and privacy - a long-standing debate.
Take Action:
Cybersecurity professionals rarely get into these debates. Our attitude - “We leave these discussions to the philosophers”.
But it is essential that we understand both sides of the debate. Understand the moral underpinnings of each side. It will help us design better security!
A well-known threat actor (or imitator) and two little-known techniques - GrimResource and AppDomainManager Injection
A threat actor resembling the APT41 group has been using two rare techniques to infect organizations with malware.
This article explains both techniques well. The TL;DR, however, is this:
GrimResource
A zip file is received containing a file that looks like a PDF or a Windows certificate. It is in fact an MSC (Management Saved Console) file, part of the MMC (Microsoft Management Console). The file contains malicious code that abuses persistence features of MMC. Read more about GrimResource here.
AppDomainManager Injection
This one is for .NET Framework users. .NET has a class called ‘AppDomainManager’ that helps run multiple application domains. With this attack, the attacker creates a malicious domain and gets the target application to load it instead of the original one.
Take Action:
I found these two interesting; I had not come across either before. They are interesting attack vectors and deserve some exploration.
If you are using the .NET Framework for development in your organization, check for exposure to AppDomainManager injection.
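One way to audit for that exposure, as an added example rather than code from this newsletter or the article it cites: a custom AppDomainManager is wired in either through the appDomainManagerAssembly / appDomainManagerType elements under <runtime> in an application's .exe.config, or through the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables, so the check below looks at both. The config files and environment it scans are constructed for the example.

```python
"""Audit .NET Framework app configs and a process environment for
AppDomainManager overrides. Sample configs below are constructed."""
import xml.etree.ElementTree as ET

# Config elements (under <runtime>) and env vars that select a custom manager.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def config_overrides(xml_text: str) -> dict:
    """Return {element: value} for AppDomainManager settings in a config file."""
    root = ET.fromstring(xml_text)
    found = {}
    runtime = root.find("runtime")
    if runtime is None:
        return found
    for elem in runtime:
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag in CONFIG_ELEMENTS:
            found[tag] = elem.get("value", "")
    return found


def env_overrides(env: dict) -> dict:
    """Return any AppDomainManager environment overrides present in env."""
    return {k: v for k, v in env.items() if k.upper() in ENV_VARS}


def is_exposed(xml_text: str, env: dict) -> bool:
    """True if either the config or the environment redirects the manager."""
    return bool(config_overrides(xml_text)) or bool(env_overrides(env))


# Constructed samples: a benign config and one that names a custom manager.
CLEAN_CONFIG = """<configuration><runtime>
  <gcServer enabled="true"/>
</runtime></configuration>"""
SUSPICIOUS_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="Helper.Manager"/>
</runtime></configuration>"""

if __name__ == "__main__":
    # Run over real .exe.config contents and os.environ in an actual audit.
    print(config_overrides(SUSPICIOUS_CONFIG))
    print(env_overrides({"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Helper"}))
```

Any non-empty result deserves a closer look: a legitimate application rarely ships an AppDomainManager override, and an environment-level override applies to every .NET Framework process started with it.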