Threat Bulletin | August 22

Sources:

• https://www.bleepingcomputer.com/news/security/microsoft-office-update-breaks-actively-exploited-rce-attack-chain/   
• https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230003 

Affected Entities: Microsoft Office

Detailed Description: 

• Microsoft has released a critical defense-in-depth update for Microsoft Office, effectively thwarting an actively exploited remote code execution (RCE) vulnerability tracked as CVE-2023-36884. Threat actors, including the RomCom threat group, had leveraged this vulnerability for financial and espionage-driven attacks. 
• The office update provides enhanced security measures as a defense in-depth strategy to halt the attack chain behind CVE-2023-36884.
• Hackers targeted this vulnerability through malicious Microsoft Office documents, triggering an attack chain that could lead to a high loss of confidentiality, integrity, and availability. 

Recommendations:

• Microsoft recommends immediate installation of the Office updates, alongside this month’s Windows updates, to mitigate the risk of exploitation. 
• These updates can be found in the following Security Advisory by Microsoft (ADV230003) in the link below: 
  • https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230003

Sources:

• https://www.bleepingcomputer.com/news/security/new-downfall-attacks-on-intel-cpus-steal-encryption-keys-data/  
• https://downfall.page/  

Affected Entities: Intel CPUs 

Detailed Description: 

• A senior Google research scientist has unveiled Downfall attacks, exploiting a vulnerability in Intel microprocessors (CVE-2022-40982) to steal passwords, encryption keys, and sensitive data from users sharing the same computer. The flaw affects multiple Intel microarchitectures, spanning Skylake through Ice Lake. 
• Downfall attacks leverage gather instructions, capitalizing on memory optimizations in Intel processors, to access internal vector register file content during speculative execution. Exploiting this, hackers can extract sensitive information, including Software Guard eXtensions (SGX)-protected data. 
• Successful exploitation leads to unauthorized access to encrypted data, emails, messages, banking info, and other private information. 
• Intel has collaborated with the researcher and issued a microcode update to mitigate the vulnerability. Users are advised to install updates promptly. 

Recommendations:

• Apply provided microcode updates to safeguard against Downfall attacks. 
  • https://downfall.page
• Exercise caution when opening emails and downloading files from untrusted sources.

Sources:

• https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html

Affected Entities: Company Executives

Detailed Description: 

• Cybercriminals are increasingly employing the EvilProxy Phishing Kit, a phishing-as-a-service (PhaaS) toolkit, to execute account takeover attacks targeting high-ranking executives at prominent companies.
• Proofpoint reported an ongoing hybrid campaign utilizing EvilProxy to target thousands of Microsoft 365 user accounts, sending over 120,000 phishing emails to organizations worldwide between March and June 2023.
• The attacks primarily focus on C-level executives, including CEOs (9%) and CFOs (17%), along with personnel accessing financial assets or sensitive information. Nearly 35% of the compromised users had additional account protections enabled. 
• Threat actors are adopting adversary-in-the-middle (AitM) phishing kits to bypass multi-factor authentication (MFA) security layers. Automation aids in distinguishing high-level profiles for immediate account access. 
•  

Recommendations:

• Organizations should educate employees about phishing threats and reinforce the importance of MFA. Deploy advanced threat protection solutions and monitor for suspicious email activity targeting high-profile individuals. 

Sources:

• https://www.darkreading.com/ics-ot/xworm-remcos-rat-evade-edrs-infect-critical-infrastructure  
• https://www.darkreading.com/threat-intelligence/remcos-rat-spyware-machines-cloud-servers  

Affected Entities:

• All Organizations

IOCs:

• freshinxworm[.]ddns[.]net 
• churchxx[.]ddns[.]net 
• plunder[.]ddnsguru[.]com 
• plunder[.]dedyn[.]io 
• plunder[.]jumpingcrab[.]com 

Detailed Description: 

• A sophisticated phishing campaign leveraging the Rust-based injector ‘Freeze[.]rs’ has emerged, targeting critical infrastructure across Europe and North America.  
• This campaign utilizes malicious PDF files disguised as LNK files to trigger a PowerShell script, initiating the ‘Freeze[.]rs’ injector along with XWorm malware and Remcos RAT infections. These attacks are designed to bypass endpoint detection and response (EDR) measures. 
• The campaign begins with a booby-trapped PDF file that employs a “search-ms” protocol to deliver the payload. ‘Freeze[.]rs’ injector exploits EDR delays by injecting shellcode through NT syscalls. SYK Crypter aids persistence, encryption, and obfuscation. Multi-layered strategies challenge static analysis, including encoding, string obfuscation, and payload encryption. The attack even recognizes specific security vendors and can terminate itself. 

Recommendations:

• Exercise caution when opening emails and downloading files from untrusted sources. 
• Organizations must enhance phishing awareness by educating employees on spotting and reporting suspected phishing attempts. 

Sources:

• https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html 
• https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram 

Affected Entities: Telegram and Discord users

Detailed Description: 

• The QwixxRAT Trojan has been advertised for sale by threat actors through Telegram and Discord platforms. Once installed on a victim’s Windows machine, the trojan discreetly collects sensitive information, transmitting it to the attacker’s Telegram bot.  
• This trojan gathers various data types, including web browser history, cookies, credit card details, keystrokes, screenshots, and data from specific applications like Steam and Telegram.  
• The trojan includes a clipboard clipper to access sensitive information copied to the clipboard, and to conduct illicit transfers from cryptocurrency wallets. The command-and-control (C2) functionality is managed through a Telegram bot, allowing the attacker to issue commands for additional actions, including audio and webcam recordings and remote shutdown or restart of infected systems. 
• The C# based binary employs anti-analysis evasion tactics that include a sleep function to introduce a delay in the execution process and run checks to determine whether it’s operating within a sandbox or virtual environment. It can also halt its activities when specific processes associated with analysis or monitoring are detected. 
• The tool is offered in the following versions: a limited free version, weekly access for 150 rubles, and a lifetime license for 500 rubles. 

Recommendations:

• Users should exercise caution when downloading and installing software from untrusted sources, particularly from platforms like Telegram and Discord. 

Sources:

• https://www.bleepingcomputer.com/news/microsoft/microsoft-enables-windows-kernel-cve-2023-32019-fix-for-everyone/ 
• https://support.microsoft.com/en-us/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080#:~:text=Resolution-,IMPORTANT,-The%20resolution%20described

Affected Entities: Microsoft Windows Kernel

Detailed Description: 

• Microsoft has activated a fix for a Kernel information disclosure vulnerability, CVE-2023-32019, for all users. The vulnerability was initially disabled due to concerns about potential disruptions to the Windows operating system.  
• Google Project Zero security researcher Mateusz Jurczyk discovered the flaw, which allows authenticated attackers to access privileged process memory and extract information.  
• Though not known to have been exploited, Microsoft released an update with the fix disabled to prevent potential issues. Users had to manually enable the update by modifying registry values. Microsoft has now enabled the fix by default in the August 2023 Patch Tuesday updates, making it apply automatically through Windows updates. 

Recommendations:

• We recommend installing Windows security updates released on or after August 8, 2023, to address the vulnerability associated with CVE-2023-32019. The Windows security updates released on or after August 8, 2023, have the resolution enabled by default.
• If you install Windows security updates released in June 2023 or July 2023, you will have to enable the resolution to be protected by setting a registry key value based on your Windows operating system listed in the Resolution section that corresponds to your Windows Operating System using the Microsoft Support Link found below: 
  • How to manage the vulnerability associated with CVE-2023-32019 

Sources:

• https://www.bleepingcomputer.com/news/security/colorado-warns-4-million-of-data-stolen-in-ibm-moveit-breach/

Affected Entities: Health First Colorado Members

Detailed Description: 

• The Colorado Department of Health Care Policy & Financing (HCPF) has alerted over four million individuals about a data breach impacting their personal and health information.  
• The breach was carried out by exploiting a zero-day vulnerability (CVE-2023-34362) in the IBM MOVEit Transfer software by Clop ransomware.  
• The breach was not directly against HCPF systems but via their contractor, IBM. While HCPF confirmed its systems were not directly compromised, files containing sensitive data of Health First Colorado and Child Health Plan Plus members were accessed and potentially exfiltrated by unauthorized actors. 
• The exposed data includes Social Security Numbers, medical IDs, addresses, and clinical and health insurance information, which can facilitate phishing, fraud, and identity theft. 

Recommendations:

• Affected individuals should monitor their financial and personal accounts for suspicious activity. They should also be cautious of unsolicited communications, especially those requesting personal information or financial details.  
• Utilize the offered credit monitoring services provided by Experian for the two-year period to help detect fraudulent activities. Regularly change passwords and enable two-factor authentication where possible. 

Sources:

• https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/

Affected Entities: Individuals and organizations

Detailed Description: 

• The developers of Raccoon Stealer have released a new version of the malware, 2.3.0. This new version includes several new features that make it easier and safer to use, including a quick search tool, a system that counters suspicious activities, and a reporting system that detects and blocks IPs used by security researchers. 
• Key improvements in Raccoon 2.3.0 include: 
  • A quick search tool aiding hackers in locating specific stolen data within extensive datasets. 
  • A system countering suspicious activities tied to security-assisting bots, which deletes records and updates client pads accordingly. 
  • A visual representation of IP address activity profile scores indicates the bot activity’s likelihood. 
  • A reporting system to block IPs used by security researchers monitoring the malware’s traffic. 
  • A Log Stats panel offering users an overview of operations and targeted regions. 
• Information stealers like Raccoon significantly threaten individuals and businesses by accessing sensitive data. They can potentially bypass multi-factor authentication using stolen session cookies. 

Recommendations:

• To protect against Raccoon Stealer and all info stealers, password managers should be used instead of storing credentials on the browser. 

SOC Response:

• The SOC actively monitors this threat and will update clients with any detections implemented as more information becomes available. 

Sources:

• https://www.bleepingcomputer.com/news/security/ivanti-avalanche-impacted-by-critical-pre-auth-stack-buffer-overflows/  
• https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US 

Affected Entities:

• Ivanti Avalanche (6.4.0.0) 

Detailed Description: 

• Two critical stack-based buffer overflow vulnerabilities, CVE-2023-32560, have been identified in the Ivanti Avalanche enterprise mobility management (EMM) solution.  
• These vulnerabilities allow remote attackers to execute arbitrary code without user authentication. The affected component, WLAvalancheService.exe version 6.4.0.0 and older, can be exploited by sending specially crafted data packets over TCP port 1777.  
• The vulnerabilities were responsibly disclosed by Tenable researchers and subsequently addressed by Ivanti in the August 3, 2023, security update (Avalanche version 6.4.1). 

Recommendations:

• Organizations utilizing Ivanti Avalanche should update their software to the latest version (6.4.1) to mitigate the critical vulnerabilities and associated risks.  
  • https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US

Sources:

• https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html  
• https://viz.greynoise.io/tag/citrix-sharefile-rce-attempt?days=30

Affected Entities: Citrix ShareFile

Detailed Description:

• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified a critical security flaw in the Citrix ShareFile storage zone controller. 
• This flaw, tracked as CVE-2023-24489, is actively exploited by attackers in real-world scenarios. The vulnerability has a CVSS score of 9.8 and is categorized as an improper access control bug. 
• Exploiting this flaw could allow unauthenticated attackers to compromise vulnerable instances remotely. 
• The vulnerability stems from Citrix ShareFile’s mishandling of cryptographic operations, enabling adversaries to upload arbitrary files and execute remote code. 
• While the attackers’ identity is unknown, the Cl0p ransomware gang is known for targeting similar vulnerabilities. GreyNoise, a threat intelligence firm, reported a notable surge in exploitation attempts, with 75 unique IP addresses recorded on August 15, 2023 
• The flaw allows attackers to perform unauthenticated arbitrary file uploads and remote code execution due to a cryptographic bug in Citrix ShareFile’s Storage Zones Controller. 
• A related critical vulnerability (CVE-2023-3519) affecting Citrix’s NetScaler product has been identified, allowing attackers to deploy PHP web shells for persistent access.

Recommendations: 

• Organizations using Citrix ShareFile should apply patch 5.11.24 using the link below: 
  • https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489

Sources:

• https://www.bleepingcomputer.com/news/technology/ongoing-duo-outage-causes-azure-auth-authentication-errors/

Affected Entities: Duo Security

Detailed Description: 

• Duo Security, a multi-factor authentication (MFA) provider owned by Cisco, is currently investigating an ongoing outage causing authentication failures and errors. The outage has led to Core Authentication Service issues, resulting in Azure Auth authentication errors for Azure Conditional Access integrations. 
• While some Azure Auth issues resolved automatically, customers continue to face problems, including authentication slowness and login failures. Users also encounter “System under heavy load” errors while trying to sign in using Duo. 
• Duo is actively working to correct the issue causing authentication errors and slowness. They are making efforts to restore normal service and functionality. 
• Major outages impact Duo’s cloud-hosted single sign-on (SSO) and push delivery services, while HTTPS (TCP/443) and LDAP(S) (TCP/389) endpoints for Core Authentication Service experience a partial outage. 

Recommendations:

• Organizations relying on Duo Security services for MFA, SSO, and access control should closely monitor the situation and keep their users informed. Consider implementing alternative authentication measures temporarily if needed. 

Sources:

• https://www.darkreading.com/application-security/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks

Affected Entities:

• Microsoft’s PowerShell Gallery 

Detailed Description: 

• Microsoft’s PowerShell Gallery poses a supply chain risk due to weak defenses against uploading malicious packages. 
• Aqua Nautilus researchers found that attackers can easily spoof legitimate packages, making it hard for users to identify genuine ones. 
• Despite claims of fixes, vulnerabilities persist as of August 16.
• Lack of protection against typosquatting and lax package naming rules create openings for deception and malicious uploads. 
• Threat actors can falsify package details, leading users to download malicious content from seemingly legitimate sources. 
• Aqua’s analysis revealed that a PowerShell Gallery API allowed threat actors to find unlisted modules on the registry, potentially exposing sensitive data associated with those modules. 
• Microsoft’s scans and security measures are in place, but maintaining security remains an ongoing challenge. 

Recommendations:

• Organizations using PowerShell modules from the gallery should prioritize signed modules and exercise caution when downloading modules/scripts.