Monthly Advisory • 10 MIN READ

December 2023 Threat Advisory – Top 5

by Eleanor Barlow • Dec 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of December 2023.

Security Researchers Discovered New Tool Set Targeting Organizations Across Multiple Regions

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

Security researchers have observed a series of attacks against education, real estate, retail and telecom companies and government organizations across the Middle East, Africa, and the U.S.

It has been observed that the attackers are using the following tools:

• “Agent Raccoon” – A backdoor written using the .NET framework.

• “Ntospy” – A custom DLL module designed to steal user credentials.

• “Mimilite” – A customized version of Mimikatz.

Successful execution of this malware can give the attacker complete access to the affected machines, along with the ability to dump credentials in plain text and to upload and download files.

Indicators of compromise (IOCs): file names and domains/URLs associated with this tool set.

Recommendations:

  1. Update and Patch Systems: Ensure all software and applications are up to date with the latest security patches to minimize vulnerabilities.
  2. Segment Networks: Divide the network into smaller, more isolated segments or subnetworks to limit or block lateral movement.
  3. Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  4. Use Multi-factor Authentication (MFA): Enforce MFA for critical accounts and sensitive data to add an extra layer of security.

Apple Released Security Update to Address Multiple Vulnerabilities Affecting Apple Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Memory Corruption, Out-of-bounds Read

Advisory Type: Updates/Patches

Priority: Standard

Apple has released patches to fix two key vulnerabilities in their products. Successful exploitation of these vulnerabilities could lead to Arbitrary Code Execution, Memory Corruption, and Out-of-bounds Read.

What is Arbitrary Code Execution? In essence, Arbitrary Code Execution is the bad actor’s capability to run code or commands on the victim’s machine or process.

What is Memory Corruption? This is when a memory location is modified by the bad actor in a way the program did not intend.

What is an Out-of-Bounds Read Vulnerability? Otherwise known as a CWE-125 vulnerability, an Out-of-Bounds Read occurs when a program reads data from a memory location outside the intended buffer.

  • CVE-2023-42916: An Out-of-Bounds Read was addressed with improved input validation.
  • CVE-2023-42917: A memory corruption vulnerability was addressed with improved locking.
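To make the CWE-125 definition above concrete, here is an added example (not Apple's code and not the WebKit code behind these CVEs): a parser for a constructed length-prefixed record that trusts the declared length, beside a hardened version that applies the "improved input validation" idea by checking the declared length against the real buffer size. The record format, function names and sample records are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format for this example (not any real Apple format):
 * byte 0 holds the declared payload length, bytes 1..n hold the payload. */

/* Vulnerable form (CWE-125): trusts the declared length, so a record whose
 * first byte exceeds the real buffer size makes the loop read past 'buf'. */
static long checksum_unchecked(const uint8_t *buf, size_t buf_len)
{
    size_t declared = buf[0];           /* attacker-controlled value */
    long sum = 0;
    (void)buf_len;                      /* never consulted: that is the bug */
    for (size_t i = 0; i < declared; i++)
        sum += buf[1 + i];              /* out of bounds when declared > buf_len - 1 */
    return sum;
}

/* Hardened form: validates the declared length before any read.
 * Returns the checksum, or -1 if the record does not fit the buffer. */
static long checksum_checked(const uint8_t *buf, size_t buf_len)
{
    if (buf == NULL || buf_len < 1)
        return -1;                      /* no room even for the length byte */
    size_t declared = buf[0];
    if (declared > buf_len - 1)
        return -1;                      /* would read beyond the payload */
    long sum = 0;
    for (size_t i = 0; i < declared; i++)
        sum += buf[1 + i];
    return sum;
}

/* Constructed sample records. */
static const uint8_t GOOD_RECORD[] = {3, 10, 20, 30};   /* declares 3, carries 3 */
static const uint8_t BAD_RECORD[]  = {5, 1, 2};         /* declares 5, carries 2 */

int main(void)
{
    printf("good record, checked: %ld\n", checksum_checked(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("bad record, checked:  %ld\n", checksum_checked(BAD_RECORD, sizeof BAD_RECORD));
    /* checksum_unchecked(BAD_RECORD, ...) is deliberately not called: it would
     * read past the array, which is undefined behaviour. */
    return 0;
}
```

Building with -fsanitize=address and calling the unchecked version on BAD_RECORD is the quickest way to see the read flagged; the checked version simply rejects the record.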

Affected Products include macOS Monterey and macOS Ventura, iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later, and macOS Sonoma.

Recommendation: For a permanent fix, it is recommended to update all the affected products to their latest available patch version.

Fortinet Releases Security Updates to Fix Multiple High Severity Vulnerabilities in Fortinet Products

Threat Reference: Global

Risks: Arbitrary Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released patches to fix several high severity vulnerabilities affecting multiple Fortinet products. Successful exploitation of these vulnerabilities may lead to Arbitrary Code Execution.

Notable CVE ID and Details:

  • [High] – CVE-2023-41678 [CVSS Score 8.3] – A double free vulnerability in FortiOS and FortiPAM HTTPSd daemon may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted commands.
  • [High] – CVE-2023-36639 [CVSS Score 7] – A format string vulnerability in the HTTPSd daemon of FortiOS, FortiProxy and FortiPAM may allow an authenticated user to execute unauthorized code or commands via specially crafted API requests.

Affected Products include FortiOS 7.0 through 7.0.5, FortiPAM 1.1 through 1.1.1, FortiPAM 1.0 all versions, FortiOS 7.4, FortiOS 7.2 through 7.2.4, FortiOS 7.0 through 7.0.11, FortiOS 6.4 through 6.4.12, FortiOS 6.2 through 6.2.15, FortiOS 6.0 all versions, FortiPAM 1.1, FortiPAM 1.0 all versions, FortiProxy 7.2 through 7.2.4, FortiProxy 7.0 through 7.0.10

Recommendation: It is recommended to update all the affected products to their latest available patch version.

Google Fixed Multiple Memory Corruption Vulnerabilities in Chrome

Threat Reference: Global

Risks: Memory Corruption

Advisory Type: Updates/Patches

Priority: Standard

Google has released Chrome version 120.0.6099.109 for Mac and Linux, and 120.0.6099.109/110 for Windows, to fix high and medium severity vulnerabilities.

Notable CVEs:

  • [High] – CVE-2023-6702 – Type Confusion in V8
  • [High] – CVE-2023-6703 – Use after free in Blink
  • [High] – CVE-2023-6704 – Use after free in Libavif
  • [High] – CVE-2023-6705 – Use after free in WebRTC
  • [High] – CVE-2023-6706 – Use after free in FedCM
  • [Medium] – CVE-2023-6707 – Use after free in CSS

Recommendation: For a permanent fix, it is recommended to update all the affected products to their latest available patch version.

Microsoft Released December 2023 Patch Tuesday for 34 Flaws Including 1 Zero-Day

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for December 2023 with security updates for 34 flaws, including 1 actively exploited vulnerability. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing, and Denial of Service.

Notable CVEs:

  • [Zero-Day] – CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability
  • [Critical] – CVE-2023-35630 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-35641 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • [Important] – CVE-2023-21740 – Windows Media Remote Code Execution Vulnerability
  • [Important] – CVE-2023-35619 – Microsoft Outlook for Mac Spoofing Vulnerability
  • [Important] – CVE-2023-35621 – Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
  • [Important] – CVE-2023-35622 – Windows DNS Spoofing Vulnerability
  • [Important] – CVE-2023-35624 – Azure Connected Machine Agent Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-35625 – Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability
  • [Important] – CVE-2023-35629 – Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2023-35631 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-35632 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-35633 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-35634 – Windows Bluetooth Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2023-35635 – Windows Kernel Denial of Service Vulnerability
  • [Important] – CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability
  • [Important] – CVE-2023-35638 – DHCP Server Service Denial of Service Vulnerability
  • [Important] – CVE-2023-35639 – Microsoft ODBC Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2023-35642 – Internet Connection Sharing (ICS) Denial of Service Vulnerability
  • [Important] – CVE-2023-35643 – DHCP Server Service Information Disclosure Vulnerability
  • [Important] – CVE-2023-35644 – Windows Sysmain Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-36003 – XAML Diagnostics Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-36004 – Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
  • [Important] – CVE-2023-36005 – Windows Telephony Server Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-36006 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2023-36009 – Microsoft Word Information Disclosure Vulnerability
  • [Important] – CVE-2023-36010 – Microsoft Defender Denial of Service Vulnerability
  • [Important] – CVE-2023-36011 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-36012 – DHCP Server Service Information Disclosure Vulnerability
  • [Important] – CVE-2023-36020 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
  • [Important] – CVE-2023-36391 – Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
  • [Important] – CVE-2023-36696 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • [Moderate] – CVE-2023-35618 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Affected Microsoft Products include Windows, Microsoft Dynamics, Azure, Microsoft Office, Microsoft Bluetooth Driver, and SQL Server.

Recommendation: Permanent fix – it is recommended to update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.