November 2023 Threat Advisory – Top 5

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of November 2023.

Increased Cyber Activity Due to Israel-Palestine Conflict

Threat Reference: Global

Risks: Network Denial of Service and Exploit of Public-Facing Application

Advisory Type: Threat Intel

Priority: Elevated

SecurityHQ have been monitoring the prevalence of Adversarial Cyber Activities that have occurred since the most recent conflict between Israel and Hamas. Our researchers have identified a notable increase in the number of adversarial actions and the association of various threat actors globally.

A significant number of adversarial groups have pledged their support and services to both sides in the conflict, with the majority siding alongside the Pro-Palestinian. Many appear to be adopting the stance of their home nation, with Pro-Russian groups, like “Killnet”, taking up digital arms against Israel and their supporters. Similarly, Pro-Israeli groups, like the “Kerala Cyber Xtractors” have been seen acting against Palestinian interests.

To date, SecurityHQ have observed 93 Pro-Palestinian Adversary Groups and 17 Pro-Israel Groups. For more information on what our analysts have observed regarding the different threat groups, read this blog from SecurityHQ on ‘Code of Conflict: The Global Cyber Divide Between Gaza and Israel’.

Notable Action

Whilst many threat actors are observed performing DDoS (Distributed Denial of Service), the techniques and impacts associated with the adversarial actions include:

• Network Denial of Service (T1498)
• Exploit Public-Facing Application (T1190)
• Data Manipulation (T1565)
• Supply Chain Compromise (T1195)
• System Information Discovery (T1082)

Other notable Pro-Palestinian adversarial actions include the publication of a mobile app, known as “Red Alert: Israel”, claiming to provide alerts for Israeli civilians of impending incoming rockets. Purported to be spyware, the app has the objective of intercepting alert requests and stealing sensitive data. The success of this campaign is reported as widespread over Israel and may have successfully gathered sensitive information from both iOS and Android users.

Collateral Damage

Many industries have been targeted, including Financial Services, Aerospace, Automobiles & Parts, Banks, Construction & Materials, Consulting Services, Defence, Education, Food & Beverage, Government, Health Care, Industrial Goods & Services, Insurance, Legal Services, Media, NGO, Oil & Gas, Pharmaceuticals & Biotechnology, Real Estate, Retail, Technology, Telecommunications, Travel & Leisure, and Utilities.

Recommendations

The consequences of the related cyber alliances worldwide are expected to be widespread. Organisations that have an association with entities or nations that have already taken a public or political stance, that is either Pro-Palestinian or Pro-Israel, may expect to be targeted.

Since most of these threat groups focus on DDoS attacks, SecurityHQ recommend hardening IT environments, including taking the following actions.

SecurityHQ recommends hardening IT environments to DDoS attacks.

• Enable rate limiting to restrict requests and prevent overwhelming network and resources.
• Filtering services provided by ISP, CDN or Cloud WAF providers to filter DoS traffic.
• Implement IP blocking to identify and block malicious IPs using WAF and threat intelligence.
• Enable CAPTCHA or challenges to differentiate between bots and legitimate users, reducing DDoS impact.
• Employ anomaly-based detection to identify abnormal traffic and trigger defensive actions.

Adobe Patches Multiple Critical Vulnerabilities Impacting Adobe Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Memory Leak, Out-of-bounds Read/Write, Memory Corruption, Improper Access Control, Security Feature Bypass

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released Security Updates to address Critical Vulnerabilities affecting a variety of products. Successful exploitation of these vulnerabilities may lead to Arbitrary Code Execution, Memory Leak, Out-of-bounds Read/Write, Memory Corruption, Improper Access Control, Security Feature Bypass.

Affected Products include ColdFusion 2023, ColdFusion 2021, RoboHelp Server, Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Adobe FrameMaker Publishing Server, Adobe After Effects, Adobe Premiere Pro, Photoshop 2023, Photoshop 2024, Adobe FrameMaker Publishing Server, Adobe InCopy, Adobe Media Encoder, Adobe Audition, Adobe Premiere Pro, and Adobe After Effects

Notable CVE’s

• [Critical] – CVE-2023-44350 – Arbitrary code execution
• [Critical] – CVE-2023-44351 – Arbitrary code execution
• [Critical] – CVE-2023-26347 – Security feature bypass
• [Critical] – CVE-2023-22273 – Arbitrary code execution
• [Critical] – CVE-2023-22272 – Memory leak
• [Critical] – CVE-2023-22274 – Memory leak
• [Critical] – CVE-2023-22275 – Memory leak
• [Critical] – CVE-2023-44336 – Arbitrary code execution
• [Critical] – CVE-2023-44337 – Arbitrary code execution
• [Critical] – CVE-2023-44338 – Arbitrary code execution
• [Critical] – CVE-2023-44359 – Arbitrary code execution
• [Critical] – CVE-2023-44365 – Arbitrary code execution
• [Critical] – CVE-2023-44366 – Arbitrary code execution
• [Critical] – CVE-2023-44367 – Arbitrary code execution
• [Critical] – CVE-2023-44371 – Arbitrary code execution
• [Critical] – CVE-2023-44372 – Arbitrary code execution
• [Critical] – CVE-2023-44330 – Arbitrary code execution
• [Critical] – CVE-2023-44324 – Security feature bypass
• [Critical] – CVE-2023-26368 – Arbitrary code execution
• [Critical] – CVE-2023-47040 – Arbitrary code execution
• [Critical] – CVE-2023-47041 – Arbitrary code execution
• [Critical] – CVE-2023-47042 – Arbitrary code execution
• [Critical] – CVE-2023-47043 – Arbitrary code execution
• [Critical] – CVE-2023-47046 – Arbitrary code execution
• [Critical] – CVE-2023-47047 – Arbitrary code execution
• [Critical] – CVE-2023-47048 – Arbitrary code execution
• [Critical] – CVE-2023-47049 – Arbitrary code execution
• [Critical] – CVE-2023-47050 – Arbitrary code execution
• [Critical] – CVE-2023-47051 – Arbitrary code execution
• [Critical] – CVE-2023-47055 – Arbitrary code execution
• [Critical] – CVE-2023-47056 – Arbitrary code execution
• [Critical] – CVE-2023-47057 – Arbitrary code execution
• [Critical] -CVE-2023-47058 – Arbitrary code execution
• [Critical] -CVE-2023-47059 – Arbitrary code execution
• [Critical] – CVE-2023-47066 – Arbitrary code execution
• [Critical] – CVE-2023-47067 – Arbitrary code execution
• [Critical] – CVE-2023-47068 – Arbitrary code execution
• [Critical] – CVE-2023-47069 – Arbitrary code execution
• [Critical] – CVE-2023-47070 – Arbitrary code execution
• [Critical] – CVE-2023-47073 – Arbitrary code execution

Recommendation

It is recommended to update all the affected products to its latest available patch version.

Microsoft Released November 2023 Patch Tuesday for 58 Flaws Including 5 Zero-Days

Threat Reference: Global

Risks: Updates/Patches

Advisory Type: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Priority: Standard

Microsoft has released its Patch Tuesday for November 2023 with security updates for 58 flaws, including 5 actively exploited vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected Microsoft Products include Windows, ESU, Microsoft Dynamics, Exchange Server, Microsoft Office, Azure, Developer Tools, SQL Server.

Notable CVE IDs:

• [Critical] – CVE-2023-36028 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
• [Critical] – CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
• [Critical] – CVE-2023-36400 – Windows HMAC Key Derivation Elevation of Privilege Vulnerability
• [Critical]- CVE-2023-36052 – Azure CLI REST Command Information Disclosure Vulnerability
• [Zero-Day] – [Important] – CVE-2023-36036 – Windows cloud files mini filter elevation of privileges vulnerability
• [Zero-Day] – [Important] – CVE-2023-36033 – Windows DWM core library elevation of privilege vulnerability.
• [Zero-Day] – [Important] – CVE-2023-36025 – Windows smart screen security feature bypass vulnerability.
• [Zero-Day] – [Important] – CVE-2023-36413 – Microsoft office security feature bypass vulnerability.
• [Zero-Day] – [Important] – CVE-2023-36038 – ASP.NET Core Denial of Service vulnerability.
• [Important] – CVE-2023-36017 – Windows Scripting Engine Memory Corruption Vulnerability
• [Important] – CVE-2023-36402 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] – CVE-2023-36437 – Azure DevOps Server Remote Code Execution Vulnerability
• [Important] – CVE-2023-36560 – ASP.NET Security Feature Bypass Vulnerability
• [Important] – CVE-2023-38151 – Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability
• [Important]- CVE-2023-36719 – Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36021 – Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability
• [Important] – CVE-2023-36035 – Microsoft Exchange Server Spoofing Vulnerability
• [Important] – CVE-2023-36039 – Microsoft Exchange Server Spoofing Vulnerability
• [Important] – CVE-2023-36050 – Microsoft Exchange Server Spoofing Vulnerability
• [Important] – CVE-2023-36425 – Windows Distributed File System (DFS) Remote Code Execution Vulnerability
• [Important] – CVE-2023-36439 – Windows User Interface Application Core Remote Code Execution Vulnerability
• [Important] – CVE-2023-36018 – Visual Studio Code Jupyter Extension Spoofing Vulnerability
• [Important] – CVE-2023-36037 – Microsoft Excel Security Feature Bypass Vulnerability
• [Important] – CVE-2023-36041 – Microsoft Excel Remote Code Execution Vulnerability
• [Important] – CVE-2023-36045 – Microsoft Office Graphics Remote Code Execution Vulnerability
• [Important] – CVE-2023-36047 – Windows Authentication Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36393 – Windows User Interface Application Core Remote Code Execution Vulnerability
• [Important] – CVE-2023-36396 – Windows Compressed Folder Remote Code Execution Vulnerability
• [Important] – CVE-2023-36407 – Windows Hyper-V Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36408 – Windows Hyper-V Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36422 – Microsoft Windows Defender Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36424 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36705 – Windows Installer Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36007 – Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability
• [Important] – CVE-2023-36031 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
• [Important] – CVE-2023-36049 – .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36410 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
• [Important] – CVE-2023-36392 – DHCP Server Service Denial of Service Vulnerability
• [Important] – CVE-2023-36395 – Windows Deployment Services Denial of Service Vulnerability
• [Important] – CVE-2023-36401 – Microsoft Remote Registry Service Remote Code Execution Vulnerability
• [Important] – CVE-2023-36423 – Microsoft Remote Registry Service Remote Code Execution Vulnerability
• [Important] – CVE-2023-36024 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36027 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36046 – Windows Authentication Denial of Service Vulnerability
• [Important] – CVE-2023-36399 – Windows Storage Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36394 – Windows Search Service Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36403 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36405 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36427 – Windows Hyper-V Elevation of Privilege Vulnerability
• [Important] – CVE-2023-36043 – Open Management Infrastructure Information Disclosure Vulnerability
• [Important] – CVE-2023-36398 – Windows NTFS Information Disclosure Vulnerability
• [Important] – CVE-2023-36016 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
• [Important] – CVE-2023-36042 – Visual Studio Denial of Service Vulnerability
• [Important] – CVE-2023-36558 – ASP.NET Core – Security Feature Bypass Vulnerability
• [Important] – CVE-2023-36030 – Microsoft Dynamics 365 Sales Spoofing Vulnerability
• [Important] – CVE-2023-38177 – Microsoft SharePoint Server Remote Code Execution Vulnerability
• [Important] – CVE-2023-36404 – Windows Kernel Information Disclosure Vulnerability
• [Important] – CVE-2023-36406 – Windows Hyper-V Information Disclosure Vulnerability
• [Important] – CVE-2023-36428 – Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
• [Moderate] – CVE-2023-36029 – Microsoft Edge (Chromium-based) Spoofing Vulnerability
• [Moderate] – CVE-2023-36022 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
• [Moderate] – CVE-2023-36014 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
• [Moderate] – CVE-2023-36034 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Recommendation

It is recommended to update all the affected products to the latest available patch version. Reference URL to Microsoft, here.

Rhysida Ransomware Observed Targeting Multiple Sectors

Threat Reference: Global

Risks: Threats

Advisory Type: Ransomware, Elevation of Privilege, Data Exfiltration

Priority: Standard

Security researchers observed Rhysida Ransomware targeting Education, Healthcare, Manufacturing, Information Technology and Government sectors. Rhysida exploited Zerologon (CVE-2020-1472), this being a critical privilege elevation vulnerability in Microsoft’s Netlogon Remote Protocol.

Attack Scenario

• Initial Access – By authenticating internal VPN access points Rhysida gained access and compromised valid credentials.

• Lateral Movement Tools – To facilitate lateral movement, widely available tools used like cmd[.]exe, PowerShell[.]exe, PsExec[.]exe, PuTTY[.]exe and mstsc[.]exe

• Lateral Movement – Rhysida used Remote Desktop Protocol (RDP) connections for lateral movement, to establish VPN access and utilize PowerShell.

• Execution – Rhysida created two folders ‘in’ and ‘out’ in the C:\ drive, functioning as a staging directory for hosting malicious executables.

• Data Exfiltration – Lastly, exfiltration of data through compromised credentials by using PuTTY to remotely connect to victim system via SSH.

Indicators of compromise (IOCs)

IP Addresses:

• 5.39.222[.]67
• 5.255.99[.]59
• 51.77.102[.]106
• 108.62.118[.]136
• 108.62.141[.]161
• 146.70.104[.]249
• 156.96.62[.]58
• 157.154.194[.]6

Recommendation

• Update and patch systems: Ensure all software and applications are up to date with the latest security patches to minimize vulnerabilities.

• Segment Networks: By dividing the computer network into smaller more isolated segments or subnetworks to limit or block lateral movement.

• Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.

• Use multi-factor authentication (MFA): Enforce MFA for critical accounts and sensitive data to add an extra layer of security.

TA042 Targeting Middle Eastern Government Entities Using IronWind Infection Chains

Threat Reference: Global

Risks: Threats

Advisory Type: Phishing, Remote Access, Command and Control, Malware

Priority: Standard

Security researchers observed TA042 engage in phishing campaigns to target Middle Eastern governments through three infection chains—Dropbox links, XLL file attachments, and RAR file attachments.

Tactics Techniques and Procedures (TTPs)

1. Phishing emails are sent by actors using compromised Ministry of Foreign Affairs accounts with the lure “Report and Recommendations of the 110th Session on the War on Gaza.”

2. Upon Interaction triggers, a sequence includes the possibility of either Dropbox links or file attachments.

3. As a results, it downloads a DLL containing the multifunctional IronWind malware.

4. Once victims open a Dropbox link or attachment, IronWind is deployed through a malicious PPAM file.

5. Subsequent stages of the attack include sideloading IronWind with timeout.exe, establishing communication with the TA042 C2 domain theconomics[.]net, and executing shellcode.

6. The shellcode serves as a versatile loader for downloading a .NET post-exploitation library in C#.

According to security researchers TA042 continues to be a persistent and innovative threat actor, consistently adapting its attack methods and malware to further its cyber espionage objectives.

Indicators of compromise (IOCs)

IP Addresses: 191.101.78[.]189

Domains/URLs:

• theconomics[.]net
• inclusive-economy[.]com
• healthcaption[.]com

Recommendations

• Update and patch systems: Ensure all software and applications are up to date with the latest security patches to minimize vulnerabilities.

• Segment Networks: By dividing the computer network into smaller more isolated segments or subnetworks to limit or block lateral movement.

• Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.

• Use multi-factor authentication (MFA): Enforce MFA for critical accounts and sensitive data to add an extra layer of security.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.