Monthly Advisory • 10 MIN READ
June Threat Advisory – Top 5
by Eleanor Barlow • Jun 2023
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of June 2023.
Fortinet Released Patch to Fix Critical Pre-Authentication Remote Code Execution (RCE) Vulnerability in SSL VPN Devices.
Threat Reference: Global
Risks: Arbitrary Code Execution, Privilege Escalation, Denial of Service
Advisory Type: Updates/Patches
Priority: Elevated
Fortinet has released a patch for critical vulnerability (CVE-2023-27997) along with multiple vulnerabilities affecting Fortinet Products. Fortinet Security Researchers have observed that CVE-2023-27997 may have been exploited in a limited number of cases. Successful exploitation of the vulnerabilities may lead to Arbitrary Code Execution, Privilege Escalation, and/or Denial of Service.
Notable CVE ID and details:
- [Critical] – [CVSS: 9.2] – CVE-2023-27997: FortiOS & FortiProxy – Heap buffer overflow in sslvpn pre-authentication which may allow an attacker to execute arbitrary code.
- [High] – [CVSS: 8.3] – CVE-2023-29181: FortiOS – Format String Bug in Fclicense daemon which may allow an attacker to execute arbitrary code.
- [High] – [CVSS: 7.6] – CVE-2022-41327: FortiOS/FortiProxy – Read Only administrator can intercept sensitive data. An authenticated attacker may be able to escalate privilege.
- [High] – [CVSS: 7.3] – CVE-2023-29180: FortiOS – [Denial of Service] Null pointer dereference in sslvnd which may allow an unauthenticated remote attacker to crash SSL-VPN.
Affected products include FortiOS-6K7K version 7.0.10, FortiOS-6K7K version 7.0.5, FortiOS-6K7K version 6.4.12, FortiOS-6K7K version 6.4.10, FortiOS-6K7K version 6.4.8, FortiOS-6K7K version 6.4.6, FortiOS-6K7K version 6.4.2, FortiOS-6K7K version 6.2.9 through 6.2.13, FortiOS-6K7K version 6.2.6 through 6.2.7, FortiOS-6K7K version 6.2.4, FortiOS-6K7K version 6.0.12 through 6.0.16, FortiOS-6K7K version 6.0.10, FortiProxy version 7.2.0 through 7.2.3, FortiProxy version 7.0.0 through 7.0.9, FortiProxy version 2.0.0 through 2.0.12, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.11, FortiOS version 6.4.0 through 6.4.12, FortiOS version 6.0.0 through 6.0.16, FortiOS 6.0 all versions.
Recommendation
It is recommended to update all affected products to their latest available patch version.
New JavaScript Dropper PindOS Delivering Bumblebee and IcedID Malware.
Threat Reference: Global
Risks: Malware
Advisory Type: Threats
Priority: Standard
Security researchers have observed a new JavaScript-based dropper called PindOS delivering IcedID and Bumblebee malware into the affected/victim computers. Both Bumblebee and IcedID malware are known infostealers.
How it works.
- Victim receives an email containing a malicious attachment (usually ZIP or ISO containing [.]lnk file pointing to remote ps1).
- After opening the malicious attachment, PindOS javascript [.]js based dropper gets de-obfuscated containing a single “exec” (execute) function – having four parameters such as UserAgent, URL1, URL2 and RunDLL.
- Upon execution of the dropper, it will attempt to download the payload initially from URL1, If URL1 is failed or unreachable then the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32[.]exe.
- The downloaded payload is saved to: %appdata%/Microsoft/Templates/<6-char-random-number>[.]dat
- The Execute (Exec) function later is called twice which invoke 4 separate URLs to retrieve the payload.
- The downloaded payloads are generated pseudo-randomly on-demand resulting in a new sample hash each time when a payload gets fetched to avoid signature-based detections.
It is observed that User-Agent: PindOS is used for this attack.
Domains/URLs:
- hxxps://qaswrahc.com/wp-content/out/mn[.]php
- hxxp://tusaceitesesenciales.com/mn[.]php
- hxxp://carwashdenham.com/mn[.]php
- hxxps://intellectproactive.com/dist/out/mn[.]php
- hxxps://masar-alulaedu.com/wp-content/woocommerce/out/berr[.]php
- hxxps://egyfruitcorner.com/wp-content/tareq/out/berr[.]php
- hxxps://tech21africa.com/wp-content/uploads/out/berr[.]php
- hxxps://www.posao-austrija.at/images/out/lim[.]php
- hxxps://logisticavirtual.org/wp-content/out/lim[.]php
- hxxps://adecoco.us/wp-content/out/lim[.]php
- hxxps://acsdxb.net/wp-content/out/lim[.]php
Recommendations
It is recommended to onboard all your external facing web servers with SecurityHQ SOC to monitor similar attack techniques. SecurityHQ recommends blocking unknown file extensions on Email Gateway. Deploy Endpoint Detection & Response (EDR) tools to detect latest malwares and suspicious activities on endpoints. Monitor your IT infrastructure 24×7 for cybersecurity attacks and suspicious activities.
Microsoft Released June 2023 Patch Tuesday for 78 flaws including 38 Remote Code Execution Vulnerabilities.
Threat Reference: Global
Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service.
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has recently unveiled the June 2023 Patch Tuesday, a comprehensive update aimed at addressing a total of 78 vulnerabilities which includes 38 Remote Code Execution Vulnerabilities. The successful exploitation of these vulnerabilities could result in Remote Code Execution, consequently facilitating Privilege Escalation, Information Disclosure, Security Feature Bypass or Denial of Service activities.
- [Critical] – CVE-2023-29357: [CVSS – 9.8] – Microsoft SharePoint Server Elevation of Privilege Vulnerability.
- [Critical] – CVE-2023-29363: [CVSS – 9.8], CVE-2023-32014: [CVSS – 9.8], and CVE-2023-32015: [CVSS – 9.8] – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.
- [High] – CVE-2023-32031: [CVSS – 8.8] – Microsoft Exchange Server Remote Code Execution Vulnerability.
- [High] – CVE-2023-29362: [CVSS – 8.8] – Remote Desktop Client Remote Code Execution Vulnerability.
- [High] – CVE-2023-29372: [CVSS – 8.8] – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability.
- [High] – CVE-2023-29373: [CVSS – 8.8] – Microsoft ODBC Driver Remote Code Execution Vulnerability.
- [High] – CVE-2023-32009: [CVSS – 8.8] – Windows Collaborative Translation Framework Elevation of Privilege Vulnerability.
- [High] – CVE-2023-33131: [CVSS – 8.8] – Microsoft Outlook Remote Code Execution Vulnerability.
- [High] – CVE-2023-28310: [CVSS – 8] – Microsoft Exchange Server Remote Code Execution Vulnerability.
- [High] – CVE-2023-24936: [CVSS – 8.1] – .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29351: [CVSS – 8.1] – Windows Group Policy Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29358: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29359: [CVSS – 7.8] – GDI Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29360: [CVSS – 7.8] – Windows TPM Device Driver Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29371: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.
- [High] – CVE-2023-29361: [CVSS – 7] – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability.
Recommendations
Keep applications and operating systems running at the current released patch level. Run software with the least privileges.
New APT Group [CL-STA-0043] Strikes Middle East and Africa, Targeting Microsoft Exchange & IIS Servers.
Threat Reference: Middle East & Africa (MEA)
Risks: Malware
Advisory Type: Threats
Priority: Standard
Security researchers have detected a new and highly active threat actor, identified as [CL-STA-0043], conducting targeted attacks against governmental organizations in the Middle East and Africa.
This threat actor employs sophisticated techniques to exploit on-premises Internet Information Services (IIS) and Microsoft Exchange Servers, aiming to gain unauthorized access and exfiltrate sensitive information.
TTPs are as follows:
- Initially, attackers exploit multiple zero-day vulnerabilities in Exchange and IIS servers.
- They then deploy various kinds of web shells, providing access to the compromised network via a remote shell.
- Upon successful penetration into the network, they identify critical assets such as administrative accounts and important servers.
- The actors utilize local privilege escalation tools like JuicyPotatoNG and SharpEfsPotato to create administrative accounts.
- The attacks involve the use of well-known privilege escalation techniques, such as “sticky keys,” and an IIS privilege escalation tool called “Iislpe.exe.”
- To facilitate lateral movement, threat actors introduce a new penetration testing toolset named “Yasso,” capable of performing remote actions.
- Finally, the actors abuse the Exchange Management Shell (exshell.psc1) or execute multiple PowerShell scripts to exfiltrate targeted emails.
Recommendations
1. Follow the CIS Benchmark for IIS Servers: Implementing the CIS (Center for Internet Security) Benchmark for IIS Servers is strongly recommended. This industry-standard provides comprehensive best practices and guidelines to enhance the security posture of your IIS servers, ensuring they are properly configured and protected against known vulnerabilities.
2. Enhance your endpoint security by deploying advanced Endpoint Detection & Response (EDR) tools. These tools leverage sophisticated techniques and algorithms to detect and respond to the latest malware threats, as well as identify suspicious activities on endpoints.
3. Establish 24/7 round-the-clock monitoring of your IT infrastructure to effectively detect and respond to cybersecurity attacks and suspicious activities.
VMware Fixed Multiple Critical and High Severity Vulnerabilities in Aria Operations Networks.
Threat Reference: Global
Risks: Remote Code Execution, Information Disclosure
Advisory Type: Updates/Patches
Priority: Standard
VMware has released patches for critical and high severity vulnerabilities affecting VMware Aria Operations for Networks. Exploiting these flaws could result in Remote Code Execution (RCE) and Information Disclosure. Affected products include VMware Aria Operations Networks.
Recommendation
It is recommended to update affected product to its latest available patch version.
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.
Related Content
6 Cloud Vulnerabilities to Look Out For in 2023
Most companies are highly dependent on cloud hosting for storage and computing. As much as it helps as a central storage and processing unit, the cyber risks associated with Cloud are on the rise.
Anonymous Sudan Amidst a Wave of Attacks Against the UAE. What You Need to Know.
the United Arab Emirates has faced a wave of well-publicised hacktivist campaigns, capturing the attention of organisations and their security teams. Among the prominent groups involved are believed to be Killnet and their affiliate, known as Anonymous Sudan.
Understanding Business Security Posture
What is a Security Posture? A Security Posture refers to an organisations/business state of cyber security, and their readiness to respond and react accordingly to cyber attacks, as well as their ability to recover from successful attacks. Factors included when weighing up a companies security posture are the visibility of software and hardware assets, services, […]
The Digital Operational Resilience Act (DORA); Challenges and Solutions
Financial entities in the European Union and their ICT providers must comply with DORA by January 17, 2025. Learn what DORA is, the key pillars, the changes needed, and why it is required.
