Monthly Advisory

May Threat Advisory – Top 5

by Eleanor Barlow • May 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of May 2023.

APT37 Observed Targeting Organisations with RokRat Malware

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

Security researchers discovered a new cyber espionage campaign that deploys RokRat malware. The attack proceeds in the following steps:

1) A malicious Microsoft Word document is sent via a spear-phishing campaign.

2) Opening the document triggers the execution of macros.

3) The macros check for Visual Basic project access via the AccessVBOM registry key in order to load additional code.

4) The macro decodes multiple VBA scripts and executes them.

5) A second VBA script executes an ‘.exe’, which downloads and installs the RokRat payload.

6) RokRat steals sensitive information and exfiltrates it via command and control (C2) servers.

Indicators of compromise (IoCs), domains/URLs:

  • link[.]b4a[.]app
  • docx1[.]b4a[.]app
  • naver-file[.]com
  • nate-download[.]com
  • daum-store[.]com
  • naver-storage[.]com
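
The domains above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as-is. The following added example, not part of the original advisory, refangs the listed indicators and checks DNS query log lines for exact or subdomain matches; the log lines are constructed for the example and are not from the advisory.

```python
import re

# Defanged indicators exactly as listed in the advisory above.
ROKRAT_IOCS = [
    "link[.]b4a[.]app",
    "docx1[.]b4a[.]app",
    "naver-file[.]com",
    "nate-download[.]com",
    "daum-store[.]com",
    "naver-storage[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged domain or URL ('naver-file[.]com', 'hxxp://...') into a bare hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)          # hxxp:// is the usual defanged scheme
    return s.split("/")[0].rstrip(".")        # drop any path and trailing dot

def matches_ioc(hostname, iocs):
    """Return the matching IoC if hostname equals it or is a subdomain of it, else None."""
    h = hostname.lower().rstrip(".")
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):  # suffix must be a whole label, not 'notnaver-file.com'
            return ioc
    return None

# Constructed BIND-style DNS query log lines (sample data, not from the advisory).
SAMPLE_DNS_LOG = """\
12-May-2023 09:14:02.113 client 10.0.4.21#52311: query: docx1.b4a.app IN A +
12-May-2023 09:14:05.440 client 10.0.4.21#52312: query: cdn.naver-storage.com IN A +
12-May-2023 09:14:07.002 client 10.0.4.33#41000: query: naver.com IN A +
12-May-2023 09:15:10.777 client 10.0.4.33#41001: query: notnaver-file.com IN A +
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def scan_dns_log(log_text, iocs=ROKRAT_IOCS):
    """Return a list of (source_ip, queried_name, matched_ioc) tuples for every hit."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m.group("qname"), refanged)
        if ioc:
            hits.append((m.group("src"), m.group("qname"), ioc))
    return hits
```

Running `scan_dns_log(SAMPLE_DNS_LOG)` on the sample data flags the two queries from 10.0.4.21 and ignores the look-alike names, which is the behaviour to expect before pointing it at real resolver or proxy logs.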

Recommendation

  1. Block unknown file extensions on the email gateway.
  2. Consider blocking macros from running within documents.
  3. Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
  4. Monitor your IT infrastructure 24×7 for cyber security attacks and suspicious activity.

Cisco Fixed Multiple Critical and High-Severity Vulnerabilities in Cisco Switches

Threat Reference: Global

Risks: Arbitrary Code Execution, Information Disclosure, Denial of Service (DoS)

Advisory Type: Updates/Patches

Priority: Standard

Cisco has released patches for multiple Critical and High severity vulnerabilities affecting Cisco Small Business Series Switches. Successful exploitation of these vulnerabilities may lead to Arbitrary Code Execution, Information Disclosure or Denial of Service.

Notable CVE ID and details:

  • [Critical] CVE-2023-20159, [Critical] CVE-2023-20160, [Critical] CVE-2023-20161, [Critical] CVE-2023-20189: Improper validation of requests allows an attacker to remotely execute arbitrary code with root privileges.
  • [High] CVE-2023-20024, [High] CVE-2023-20158, [High] CVE-2023-20157, [High] CVE-2023-20156: Improper validation of requests allows an attacker to cause a DoS condition.
  • [High] CVE-2023-20162: Improper validation of requests allows an attacker to read unauthorized information.

Affected products:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Recommendation

It is recommended to update affected products to their latest available patch version.

Microsoft Releases May 2023 Patch Tuesday for 38 Flaws, Including 3 Zero-Days

Threat Reference: Global

Risks: Privilege Elevation, Security Feature Bypass, Remote Code Execution, Information Disclosure and Chromium Vulnerability

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released the May 2023 Patch Tuesday updates to fix 38 vulnerabilities, which include 3 zero-days and 6 Critical severity vulnerabilities. Successful exploitation of these vulnerabilities could result in Privilege Elevation, Security Feature Bypass, Remote Code Execution, Information Disclosure and Chromium Vulnerability.

Notable CVE ID and details:

  • CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability
  • CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability
  • CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-24955: Microsoft SharePoint Server Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-28283: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-24941: Windows Network File System Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-24943: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • [Critical] – CVE-2023-24903: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
  • [Important] – CVE-2023-24947: Windows Bluetooth Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2023-29344: Microsoft Office Remote Code Execution Vulnerability
  • [Important] – CVE-2023-24953: Microsoft Excel Remote Code Execution Vulnerability
  • [Important] – CVE-2023-29340: AV1 Video Extension Remote Code Execution Vulnerability
  • [Important] – CVE-2023-29341: AV1 Video Extension Remote Code Execution Vulnerability
  • [Important] – CVE-2023-24905: Remote Desktop Client Remote Code Execution Vulnerability
  • [Important] – CVE-2023-29338: Visual Studio Code Information Disclosure Vulnerability
  • [Moderate] – CVE-2023-29354: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Affected product family: Windows, Office, SharePoint, AV1 Video Extension, Teams, Visual Studio.

Recommendations

  • Keep applications and operating systems running at the current released patch level.
  • Run software with the least privileges.

Mozilla Fixed Multiple Vulnerabilities in Firefox 113 and Firefox ESR 102.11

Threat Reference: Global

Risks: Memory Corruption, Bypass via Clickjacking and Spoofing Attacks

Advisory Type: Updates/Patches

Priority: Standard

Mozilla has recently released security updates for Firefox and Firefox ESR to address high, medium, and low severity vulnerabilities.

Notable CVEs:

  • [High] CVE-2023-32205: Browser prompts could have been obscured by popups
  • [High] CVE-2023-32206: Crash in RLBox Expat driver
  • [High] CVE-2023-32207: Potential permissions request bypass via clickjacking
  • [High] CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
  • [High] CVE-2023-32216: Memory safety bugs fixed in Firefox 113
  • [Medium] CVE-2023-32208: Leak of script base URL in service workers via import()
  • [Medium] CVE-2023-32209: Persistent DoS via favicon image
  • [Medium] CVE-2023-32210: Incorrect principal object ordering
  • [Medium] CVE-2023-32211: Content process crash due to invalid wasm code
  • [Medium] CVE-2023-32212: Potential spoof due to obscured address bar
  • [Medium] CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
  • [Medium] MFSA-TMP-2023-0002: Race condition in dav1d decoding
  • [Low] CVE-2023-32214: Potential DoS via exposed protocol handlers

Affected products: Firefox 113 and Firefox ESR 102.11

Recommendation

It is recommended to update all affected products to their latest available patch version.

VMware Fixed High and Medium Severity Vulnerabilities in VMware Aria Operations

Threat Reference: Global

Risks: Privilege Escalation, Arbitrary Code Execution

Advisory Type: Updates/Patches

Priority: Standard

VMware has released patches for multiple vulnerabilities, including a High severity vulnerability, affecting VMware Aria Operations. Successful exploitation of these vulnerabilities may lead to Privilege Escalation or Arbitrary Code Execution.

Notable CVE ID and details:

  • [High] – CVE-2023-20877: VMware Aria Operations Privilege Escalation Vulnerability
  • [Medium] – CVE-2023-20878: VMware Aria Operations Deserialization Vulnerability
  • [Medium] – CVE-2023-20879: VMware Aria Operations Local Privilege Escalation Vulnerability
  • [Medium] – CVE-2023-20880: VMware Aria Operations Local Privilege Escalation Vulnerability

Affected Products: VMware Aria Operations (formerly vRealize Operations)

Recommendations

It is recommended to update VMware Aria Operations (formerly vRealize Operations) to its latest available patch version.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.