Zerodium Spikes Payout for Zero-Click Outlook Zero-Days

3 months ago

The sweetened pot came on the same day that Trustwave SpiderLabs published a new way to bypass Outlook security to deliver malicious links to victims.

Zerodium has jacked up its offering price for Microsoft Outlook zero-day exploits.

Act fast if you have the goods and the moral equanimity to make up to $400,000 for a zero-click, remote-code execution (RCE) exploit.

The price spike is only temporary, with the end date still to be determined, according to a Thursday post from Zerodium, the runner of high-end, high-dollar, third-party bug-bounty programs.

“We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment. Exploits relying on opening/reading an email may be acquired for a lower reward.” –Zerodium

As well, Zerodium has increased its payout to $200,000 for zero-click RCE exploits affecting Mozilla Thunderbird.

Similar to the Outlook exploits it’s hunting for, Zerodium is looking for zero-click exploits that can achieve RCE in Thunderbird when targets are receiving or downloading emails, all without users having to lift a finger.

We're currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs.

We're also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000).

More details at:

— Zerodium (@Zerodium) January 27, 2022

“Zero-click” means that targets neither have to read a malicious email message nor open a rigged attachment. Zerodium said that it might still want to purchase those “they need to click” exploits, too – that is, for a lower price.

The Trigger

Zerodium’s newly keen zeal for Outlook exploits came on the same day that Trustwave SpiderLabs published details about a new way to bypass an Outlook security feature to deliver malicious links to victims.

As SpiderLabs lead threat architect Reegun Richard Jayapaul explained yesterday, he discovered the issue after coming across several emails bypassing the email security system while he was investigating a malware campaign. He didn’t see any bypass techniques being used, though. “Instead, the flood of spear-phishing emails made the email security system allow some of the emails, at which point I began my research on Microsoft Outlook,” he wrote.

SpiderLabs found that the security system’s parsing of the specially crafted malicious link was weak. “This is not about detection bypass; it is more about the link parser of the email security systems that cannot identify the emails containing the link,” Jayapaul said.

It turns out that SpiderLabs found a variation of a vulnerability, tracked as CVE-2020-0696, that Microsoft initially dealt with in February 2020.

The security feature bypass vulnerability occurs in Microsoft Outlook when it improperly handles the parsing of URI formats. Successful exploitation requires an attacker to use the bypass in conjunction with another vulnerability, such as an RCE vulnerability, before they could run arbitrary code.

Because of improper hyperlink translation, the original Outlook security feature bypass allowed an attacker using Outlook for Mac to completely bypass Outlook’s email security systems and send a clickable, malicious link – SpiderLabs used the example below – to a victim on Outlook for Windows.

http://trustwave[.]com with hyperlinked file:///malciouslink

The maliciously crafted link initially only seemed to work if the attacker uses Microsoft Outlook for Mac and the intended victim is on Microsoft Outlook for Windows.

Exploitable on Windows and Mac Outlook Clients

However, as SpiderLabs researchers later found out, the vulnerability can be exploited on both Windows and macOS Outlook clients if a legitimate link is hyperlinked with “http:/://maliciouslink.” Jayapaul explained that the email system strips out the “:/” characters and presents the link as “http://maliciouslink,” bypassing Microsoft ATP Safelink and other email security products.

“As per the CVE-2020-0696 patch, links with URI schemes will alert as a warning popup; also, ‘:/’ characters are stripped when delivered to users,” the researcher explained. SpiderLabs had originally found that when sending the http://trustwave[.]com with hyperlinked file:///malciouslink vector, “the email is delivered on the victim’s Microsoft Outlook for Windows as file:///,” SpiderLabs explained. “The link file:/// then translates to after clicking.

“During this transmission from sender to receiver, the link file:/// is not recognized by any email security systems and is delivered to the victim as a clickable link.”

The initial test was done on the Microsoft M365 security feature “Safelink protection” and later tested and confirmed on multiple email security systems, SpiderLabs confirmed.
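As an added illustration (not code from the article, Trustwave or Microsoft), the following Python scanner flags the two link patterns described above in an HTML email body: an href with a stray “:/” after the scheme that a lenient client would collapse to “http://”, and a file:/// target hidden behind web-looking anchor text. The sample body, the hostnames and the canonicalization rule are assumptions; the point is to scan the form of the link the client will actually show, not the raw bytes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Stray ":/" after the scheme ("http:/://host") that a lenient client shows as "http://host".
STRAY_SEPARATOR = re.compile(r"^([a-z][a-z0-9+.-]*):/+:/+", re.I)

# Constructed sample (not from the article): two anchors mirror the trick above, one is benign.
SAMPLE_EMAIL = """
<p>Invoice: <a href="file:///maliciouslink">http://example.com</a></p>
<p>Portal: <a href="http:/://maliciouslink.example">http://example.com</a></p>
<p>Help: <a href="https://example.com/help">https://example.com/help</a></p>
"""

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def canonical(href):
    """Rewrite the href the way a lenient client would display it."""
    return STRAY_SEPARATOR.sub(r"\1://", href.strip())

def check_anchor(href, text):
    """Reasons a scanner should flag this anchor; an empty list means clean."""
    reasons, canon = [], canonical(href)
    if canon != href:
        reasons.append("malformed-scheme")   # raw and displayed targets differ
    parts = urlsplit(canon)
    if parts.scheme.lower() == "file":
        reasons.append("file-scheme")        # local-file URI behind web-looking text
    shown = urlsplit(text.strip()).hostname if "://" in text else None
    if shown and shown != (parts.hostname or ""):
        reasons.append("host-mismatch")      # text names one host, target is another
    return reasons

def scan_email_html(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, r) for h, t in parser.anchors if (r := check_anchor(h, t))]
```

Running `scan_email_html(SAMPLE_EMAIL)` returns the two crafted anchors with their reasons and leaves the benign link alone.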
