Monthly Advisory

July Threat Advisory – Top 5

by Eleanor Barlow • Jul 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of July 2023.

Apple Released Security Update to Address Vulnerability in Their Products.

Threat Reference: Global

Risks: Arbitrary Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Apple has released a security update to address a critical vulnerability in their products. Successful exploitation of this vulnerability could lead to arbitrary code execution.

Affected Products include macOS Big Sur, macOS Monterey, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1.

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Citrix Released Security Patch to Fix Critical and High Severity Vulnerabilities Impacting Citrix ADC and Citrix Gateway.

Threat Reference: Global

Risks: Elevation of Privilege, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Citrix has released a security patch to fix Critical and High severity vulnerabilities affecting Citrix ADC and Citrix Gateway. Successful exploitation of these vulnerabilities could allow an attacker to gain NT AUTHORITY\SYSTEM privileges on the local system or achieve Remote Code Execution.

Notable CVEs:

  • [Critical] CVE-2023-24492 – Successful exploitation of this vulnerability may lead to remote code execution.
  • [High] CVE-2023-24491 – Successful exploitation of this vulnerability allows an attacker to elevate privileges to NT AUTHORITY\SYSTEM.

Affected Products include Citrix ADC and Citrix Gateway: All versions prior to 23.5.1.3 (Windows), and Citrix ADC and Citrix Gateway: All versions prior to 23.5.2 (Ubuntu).

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

New Multi-Stage TOITOIN Trojan Targeting Multiple Organizations.

Threat Reference: Global

Risks: Malware/Trojan

Advisory Type: Threats

Priority: Standard

Researchers have observed a new, sophisticated and persistent malware named TOITOIN targeting organizations globally. The campaign employs a trojan that follows a multi-stage infection chain, using a specially crafted module at each stage.

The attack chain proceeds through the following steps.

1. The victim receives a phishing email with an embedded link which, when clicked, redirects through multiple domains and downloads a randomly named ZIP archive.

2. The ZIP contains an executable which, when run, downloads the Downloader module.

3. The Downloader module downloads further stages, evading sandboxes and maintaining persistence using LNK files.

4. The Krita Loader DLL and the InjectorDLL module are then sideloaded via a signed binary.

5. The InjectorDLL module injects the ElevateInjectorDLL into a remote process (explorer.exe), which evades sandboxes, performs process hollowing, and injects either the TOITOIN Trojan or the BypassUAC module depending on the process privileges.

6. The BypassUAC module then uses the COM Elevation Moniker to bypass User Account Control and execute the Krita Loader with administrative privileges.

7. The final payload, the TOITOIN Trojan, employs custom XOR decryption routines to decode the configuration file containing the Command & Control server’s URL.

8. It transmits the encoded system information, details of installed browsers and the Topaz OFD Protection Module to the C&C server. If the configuration file is absent, the information is sent via a POST request using curl.

Indicators of Compromise (IOCs): Domains/URLs

  • ec2-3-89-143-150[.]compute-1[.]amazonaws[.]com/storage[.]php?e=Desktop-PC
  • ec2-3-82-104-156[.]compute-1[.]amazonaws[.]com/storage.php?e=Desktop-PC
  • http[:]//alemaoautopecas[.]com
  • http[:]//contatosclientes[.]services
  • atendimento-arquivos[.]com
  • arquivosclientes[.]online
  • fantasiacinematica[.]online
  • http[:]//cartolabrasil[.]com
  • 191[.]252[.]203[.]222/Up/indexW.php
  • http[:]//bragancasbrasil[.]com
  • http[:]//179[.]188[.]38[.]7
  • http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php

Recommendations

  1. Block the IOCs listed in this advisory on security devices.
  2. Block unknown file extensions, executables and macro-enabled attachments at the Email Gateway.
  3. Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
  4. Monitor your IT infrastructure 24×7 for cyber security attacks and suspicious activity.
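Recommendation 1 requires turning the defanged indicators above into something a log search or blocklist can use. The following is an added example, not part of SecurityHQ's advisory: it refangs the IOC list exactly as printed on this page, extracts the host (domain or IP) from each entry, and scans constructed proxy log lines for connections to those hosts, including subdomains of a listed domain. The log format, the sample log lines, the client addresses and the function names (`refang`, `ioc_host`, `scan_proxy_log`, `affected_clients`) are assumptions made for this example.

```python
"""Match the TOITOIN IOCs from the advisory against proxy log lines."""
import re
from urllib.parse import urlsplit

# IOCs as listed in the advisory above, still defanged with [.] and [:].
ADVISORY_IOCS = [
    "ec2-3-89-143-150[.]compute-1[.]amazonaws[.]com/storage[.]php?e=Desktop-PC",
    "ec2-3-82-104-156[.]compute-1[.]amazonaws[.]com/storage.php?e=Desktop-PC",
    "http[:]//alemaoautopecas[.]com",
    "http[:]//contatosclientes[.]services",
    "atendimento-arquivos[.]com",
    "arquivosclientes[.]online",
    "fantasiacinematica[.]online",
    "http[:]//cartolabrasil[.]com",
    "191[.]252[.]203[.]222/Up/indexW.php",
    "http[:]//bragancasbrasil[.]com",
    "http[:]//179[.]188[.]38[.]7",
    "http[:]//afroblack[.]shop/CasaMoveis\\ClienteD.php",
]

# Constructed sample proxy log (not real traffic), one request per line:
# "<timestamp> <client_ip> <method> <url> <status>". Line 6 is deliberately
# malformed to show that unparseable lines are skipped, not fatal.
SAMPLE_PROXY_LOG = """\
2023-07-12T09:14:03Z 10.20.1.15 GET http://www.example.com/index.html 200
2023-07-12T09:14:41Z 10.20.1.15 GET http://ec2-3-89-143-150.compute-1.amazonaws.com/storage.php?e=Desktop-PC 200
2023-07-12T09:15:02Z 10.20.1.22 GET http://www.cartolabrasil.com/download/arquivo.zip 200
2023-07-12T09:15:30Z 10.20.1.22 POST http://179.188.38.7/ 200
2023-07-12T09:16:11Z 10.20.1.40 GET http://cdn.example.net/lib.js 304
this line is not a valid proxy record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Undo common defanging so the IOC can be compared with real log data:
    [.] -> . , [:] -> : , hxxp -> http."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def ioc_host(ioc: str) -> str:
    """Return the lowercase host (domain or IP) of an IOC; a scheme is added
    when the entry has none so that urlsplit can isolate the host."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def _candidates(host: str):
    """Yield the host and each parent domain, so www.cartolabrasil.com matches
    the cartolabrasil.com IOC. IP addresses yield only themselves."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        yield host
        return
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_proxy_log(log_text: str, iocs=ADVISORY_IOCS):
    """Return (line_no, client_ip, url, matched_ioc) for every parseable log
    line whose host, or a parent domain of it, is an IOC host. Matching on the
    host rather than the full URL still catches the same infrastructure serving
    a different path."""
    host_index = {}
    for ioc in iocs:
        host_index.setdefault(ioc_host(ioc), ioc)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or blank line: skip rather than crash
        host = (urlsplit(m["url"]).hostname or "").lower()
        for candidate in _candidates(host):
            if candidate in host_index:
                hits.append((line_no, m["client"], m["url"], host_index[candidate]))
                break
    return hits


def affected_clients(log_text: str, iocs=ADVISORY_IOCS):
    """Sorted list of client addresses that contacted IOC infrastructure;
    these are the endpoints to isolate and triage first."""
    return sorted({hit[1] for hit in scan_proxy_log(log_text, iocs)})


if __name__ == "__main__":
    for line_no, client, url, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {client} -> {url}  (IOC: {ioc})")
    print("clients to triage:", affected_clients(SAMPLE_PROXY_LOG))
```

Two design points worth noting: the matcher keys on the host, not the full URL, because the first two IOCs show the same `storage.php` path on different hosts and a later sample might use a new path on a known host; and parent-domain matching is deliberately limited to the listed domains themselves, so the `amazonaws.com` suffix of the EC2 indicators never matches unrelated AWS traffic.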

SonicWall Patched Multiple Critical and High Vulnerabilities in SonicWall GMS and Analytics.

Threat Reference: Global

Risks: Authentication Bypass, Sensitive Information Disclosure, Unrestricted File Upload, Command Injection, Path Traversal and SQL Injection

Advisory Type: Updates/Patches

Priority: Standard

SonicWall recently released security patches to fix multiple Critical and High severity vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could allow an attacker to achieve authentication bypass, sensitive information disclosure, unrestricted file upload, command injection, path traversal and SQL injection.

Notable CVEs are:

Affected Products include GMS – Virtual Appliance 9.3.2-SP1 and earlier versions, GMS – Windows 9.3.2-SP1 and earlier versions, and Analytics – 2.5.0.4-R7 and earlier versions.

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Microsoft Releases July 2023 Patch Tuesday for 132 Flaws, Including 6 Zero-Days and 37 Remote Code Execution Vulnerabilities.

Threat Reference: Global

Risks: Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS) and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released Patch Tuesday updates for July 2023, fixing 132 flaws, including six actively exploited zero-days and 37 Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS) and Spoofing.

Notable CVE ID and details:

  • [Critical] – CVE-2023-32057 : [CVSS – 9.8] – Microsoft Message Queuing Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-35367 : [CVSS – 9.8] – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-35366 : [CVSS – 9.8] – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-35365 : [CVSS – 9.8] – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • [High] – CVE-2023-33160 : [CVSS – 8.8] – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [High] – CVE-2023-33157 : [CVSS – 8.8] – Microsoft SharePoint Remote Code Execution Vulnerability
  • [High] – CVE-2023-35315 : [CVSS – 8.8] – Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
  • [High] – CVE-2023-32049 : [CVSS – 8.8] – Windows SmartScreen Security Feature Bypass Vulnerability
  • [High] – CVE-2023-35311 : [CVSS – 8.8] – Microsoft Outlook Security Feature Bypass Vulnerability
  • [High] – CVE-2023-36884 : [CVSS – 8.3] – Office and Windows HTML Remote Code Execution Vulnerability
  • [High] – CVE-2023-32046 : [CVSS – 7.8] – Windows MSHTML Platform Elevation of Privilege Vulnerability
  • [High] – CVE-2023-36874 : [CVSS – 7.8] – Windows Error Reporting Service Elevation of Privilege Vulnerability
  • [High] – CVE-2023-35352 : [CVSS – 7.5] – Windows Remote Desktop Security Feature Bypass Vulnerability
  • [High] – CVE-2023-35297 : [CVSS – 7.5] – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • [High] – CVE-2023-35312 : [CVSS – 7.3] – Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability

Recommendation: Keep applications and operating systems at the current released patch level and run software with the least privileges required.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.