Monthly Advisory • 10 MIN READ

September Threat Advisory – Top 5

by Eleanor Barlow • Sep 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of September 2023.

New Python Variant of Chae$ Malware Targets Banking and Logistics Industries

Threat Reference: Global

Risks: Malware/ Data Exfiltration

Advisory Type: Threats

Priority: Standard

Security researchers have observed a new Python-based variant of the Chae$ malware, Chae$ 4, targeting the banking and logistics industries. Threat actors are using Chae$ 4 to collect and exfiltrate sensitive information from victims.

Attack Scenario:

Indicators of compromise (IOCs), IP Addresses:

Recommendations

It is recommended to take the following security measures:

  1. Implement advanced email filtering and security measures so that phishing emails and malicious attachments are blocked before they reach employees’ inboxes.
  2. Ensure Endpoint Detection and Response (EDR) tooling is deployed and kept current so that the latest malware and suspicious activity on endpoints are detected.
  3. Deploy security solutions that provide real-time monitoring of network activity for signs of suspicious behaviour, including unexpected outbound data transfers.
  4. Raise awareness among staff of the risks associated with opening suspicious emails or documents.

Fortinet Fixes High-Severity Vulnerability Impacting Multiple Fortinet Products

Threat Reference: Global

Risks: Cross-site Scripting (XSS)

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released patches for a high-severity vulnerability, CVE-2023-29183 (CVSSv3: 7.3).

Exploitation of this vulnerability may allow an authenticated attacker to trigger malicious JavaScript execution in the web management interface of affected devices, i.e. cross-site scripting (XSS). The attacker must already hold an authenticated session, which lowers but does not remove the risk, and the flaw spans multiple Fortinet products.

Affected Products include FortiProxy version 7.2.0 through 7.2.4, FortiProxy version 7.0.0 through 7.0.10, FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.11, FortiOS version 6.4.0 through 6.4.12, and FortiOS version 6.2.0 through 6.2.14.

Recommendation: It is recommended to update affected products to their latest available patch version.

Google Fixes Critical Vulnerability (CVE-2023-4863) in Chrome, Exploited in the Wild

Threat Reference: Global

Risks: Heap Buffer Overflow

Advisory Type: Updates/Patches

Priority: Elevated

Google has released Chrome 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows, to fix a critical heap buffer overflow, CVE-2023-4863, in WebP image decoding.

An exploit for this vulnerability has been confirmed to exist in the wild. The flaw sits in the WebP decoding library (libwebp) rather than in Chrome-specific code, so other software that bundles its own copy of the library needs its own update; the Firefox and Thunderbird advisory below addresses the same CVE.

Recommendation: It is recommended to update Google Chrome to its latest available patch version.
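Both the Fortinet and the Chrome advisories above reduce to the same check: is an installed version inside an affected range, or below the first fixed build? The following is an added example (not SecurityHQ’s or either vendor’s code) that encodes the ranges exactly as quoted above and runs them over a constructed inventory; the host names are invented for illustration.

```python
"""Version-range check for the CVE-2023-29183 and CVE-2023-4863 advisories.

Added example, not vendor or SecurityHQ code. The affected ranges and fixed
builds are the ones quoted in the advisory text; the inventory is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version such as '7.0.11' or '116.0.5845.187' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(*versions: Version) -> List[Version]:
    """Right-pad with zeros so that '7.0' and '7.0.0' compare as equal."""
    width = max(len(v) for v in versions)
    return [v + (0,) * (width - len(v)) for v in versions]


# Inclusive affected ranges for CVE-2023-29183, as listed in the advisory above.
CVE_2023_29183_AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiProxy": [("7.2.0", "7.2.4"), ("7.0.0", "7.0.10")],
    "FortiOS": [("7.2.0", "7.2.4"), ("7.0.0", "7.0.11"),
                ("6.4.0", "6.4.12"), ("6.2.0", "6.2.14")],
}

# First Chrome builds carrying the CVE-2023-4863 fix, per platform, from the advisory.
# Google shipped both .187 and .188 for Windows; .187 is the lower bound.
CVE_2023_4863_FIXED_CHROME: Dict[str, str] = {
    "mac": "116.0.5845.187",
    "linux": "116.0.5845.187",
    "windows": "116.0.5845.187",
}


def in_affected_range(product: str, version: str,
                      table: Dict[str, List[Tuple[str, str]]] = CVE_2023_29183_AFFECTED) -> bool:
    """True if `version` of `product` lies inside any inclusive affected range.

    A version outside every listed range (for example a newer major train) is reported
    as not affected only because the advisory lists no range for it; confirm with the vendor.
    """
    v = parse_version(version)
    for low, high in table.get(product, []):
        lo, hi, vv = _padded(parse_version(low), parse_version(high), v)
        if lo <= vv <= hi:
            return True
    return False


def chrome_is_fixed(platform: str, version: str) -> bool:
    """True if this Chrome build is at or above the first fixed build for its platform."""
    fixed = CVE_2023_4863_FIXED_CHROME[platform.lower()]
    vv, ff = _padded(parse_version(version), parse_version(fixed))
    return vv >= ff


# Constructed sample inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "7.0.11"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "7.0.12"},
    {"host": "proxy-01", "product": "FortiProxy", "version": "7.2.4"},
    {"host": "wks-042", "product": "Chrome", "platform": "windows", "version": "116.0.5845.180"},
    {"host": "wks-043", "product": "Chrome", "platform": "mac", "version": "116.0.5845.187"},
]


def triage(inventory) -> List[Tuple[str, str]]:
    """Return (host, CVE) pairs for assets still exposed to either advisory."""
    findings = []
    for item in inventory:
        if item["product"] in CVE_2023_29183_AFFECTED:
            if in_affected_range(item["product"], item["version"]):
                findings.append((item["host"], "CVE-2023-29183"))
        elif item["product"] == "Chrome":
            if not chrome_is_fixed(item["platform"], item["version"]):
                findings.append((item["host"], "CVE-2023-4863"))
    return findings


if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: still exposed to {cve}")
```

The ranges are inclusive, so FortiOS 7.0.11 is flagged while 7.0.12 is not, and a Chrome build one patch level below .187 is flagged while .187 itself passes. Feed the function your real asset export in place of the constructed list; the check knows nothing about versions the advisory does not mention, so treat "not affected" as "not in the quoted ranges", not as a clean bill of health.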

Mozilla Patches Critical Zero-Day Vulnerability in Firefox and Thunderbird

Threat Reference: Global

Risks: Arbitrary Code Execution, Heap Buffer Overflow

Advisory Type: Threats

Priority: Elevated

Mozilla has released patches for a critical zero-day vulnerability, CVE-2023-4863, in Firefox and Thunderbird. This is the same WebP heap buffer overflow patched in Chrome above; successful exploitation may lead to arbitrary code execution.

Notable CVEs:

[Critical] – CVE-2023-4863 Heap buffer overflow in WebP image format that could result in arbitrary code execution when processing a specially crafted image.

Affected products include Firefox, Firefox ESR, and Thunderbird.

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Microsoft Releases September 2023 Patch Tuesday for 59 Flaws Including 2 Zero-Days

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday updates for September 2023, with security updates for 59 flaws, including 2 actively exploited zero-day vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing.

Affected Products include Windows 10, Windows 11, Windows Server 2008, 2012, 2012 R2, 2016, 2019 and 2022, Microsoft Visual Studio 2022, 2019 and 2017, Microsoft 365 Apps for Enterprise, Microsoft Office 2013, 2016, and 2019, Microsoft Office LTSC 2021, Microsoft Word 2013 and 2016, Microsoft Excel 2013 and 2016, 3D Builder, Microsoft Exchange Server, and Microsoft SharePoint.

Notable CVE ID and details:

  • [Zero-Day] – [High] – CVE-2023-36802: [CVSS – 7.8] – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability.
  • [Zero-Day] – [Medium] – CVE-2023-36761: [CVSS – 6.2] – Microsoft Word Information Disclosure Vulnerability.
  • [High] – CVE-2023-38148: [CVSS – 8.8] – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability.
  • [High] – CVE-2023-33136: [CVSS – 8.8] – Azure DevOps Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36764: [CVSS – 8.8] – Microsoft SharePoint Server Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-38146: [CVSS – 8.8] – Windows Themes Remote Code Execution Vulnerability.
  • [High] – CVE-2023-38147: [CVSS – 8.8] – Windows Miracast Wireless Display Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36757: [CVSS – 8.0] – Microsoft Exchange Server Spoofing Vulnerability.
  • [High] – CVE-2023-36744: [CVSS – 8.0] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36745: [CVSS – 8.0] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36756: [CVSS – 8.0] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-35355: [CVSS – 7.8] – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-36742: [CVSS – 7.8] – Visual Studio Code Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36758: [CVSS – 7.8] – Visual Studio Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-36760: [CVSS – 7.8] – 3D Viewer Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36765: [CVSS – 7.8] – Microsoft Office Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-36766: [CVSS – 7.8] – Microsoft Excel Information Disclosure Vulnerability.
  • [High] – CVE-2023-36770: [CVSS – 7.8] – 3D Builder Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36771: [CVSS – 7.8] – 3D Builder Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36772: [CVSS – 7.8] – 3D Builder Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36804: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-38142: [CVSS – 7.8] – Windows Kernel Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-38143: [CVSS – 7.8] – Windows Common Log File System Driver Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-38144: [CVSS – 7.8] – Windows Common Log File System Driver Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-38161: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.

Recommendation: It is recommended to keep applications and operating systems at the current released patch level and to run software with least privilege. Prioritise the two actively exploited zero-days (CVE-2023-36802 and CVE-2023-36761) and the Exchange Server flaws on any internet-facing servers.
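A list of this size is easier to act on once it is structured: the order in which to patch should follow exploitation status first and CVSS second, not the order the bullets happen to appear in. The following is an added example (not SecurityHQ’s tooling) that parses entries written in the bullet format used above into records and produces that triage order. The embedded text is a constructed excerpt of the list above, deliberately written with the two punctuation variants such lists are often published with (with and without a colon after the CVE id, "8" versus "8.0"), so the parser has to tolerate both.

```python
"""Parse advisory bullets of the form
    • [Zero-Day] – [High] – CVE-2023-36802: [CVSS – 7.8] – <title>.
into records and order them for patch triage.

Added example, not SecurityHQ's code. ADVISORY_EXCERPT is constructed from the
list above; a real run would feed in every bullet of the advisory.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

ADVISORY_EXCERPT = """\
  • [Zero-Day] – [High] – CVE-2023-36802: [CVSS – 7.8] – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability.
  • [Zero-Day] – [Medium] – CVE-2023-36761: [CVSS – 6.2] – Microsoft Word Information Disclosure Vulnerability.
  • [High] – CVE-2023-38148: [CVSS – 8.8] – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability.
  • [High] – CVE-2023-36757 [CVSS – 8] – Microsoft Exchange Server Spoofing Vulnerability.
  • [High] – CVE-2023-36744: [CVSS – 8] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-38142: [CVSS – 7.8] – Windows Kernel Elevation of Privilege Vulnerability.
"""

# One or more "[Tag] –" prefixes, the CVE id (colon optional), the CVSS box, then the title.
# Accepts an en-dash or a plain hyphen as the separator.
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<tags>(?:\[[^\]]+\]\s*[–-]\s*)+)"
    r"(?P<cve>CVE-\d{4}-\d{4,}):?\s*"
    r"\[CVSS\s*[–-]\s*(?P<cvss>\d+(?:\.\d+)?)\]\s*[–-]\s*"
    r"(?P<title>.+?)\.?\s*$"
)

# Impact class is derived from the Microsoft title wording; first match wins.
IMPACT_KEYWORDS = [
    ("Remote Code Execution", "RCE"),
    ("Elevation of Privilege", "EoP"),
    ("Security Feature Bypass", "SFB"),
    ("Information Disclosure", "Info Disclosure"),
    ("Denial of Service", "DoS"),
    ("Spoofing", "Spoofing"),
]


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: str
    cvss: float
    zero_day: bool
    impact: str
    title: str


def parse_entries(text: str) -> List[Entry]:
    """Parse every non-blank bullet; an unparseable line is an error, not silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed advisory line: {line!r}")
        tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
        zero_day = "Zero-Day" in tags
        severity = next(t for t in tags if t != "Zero-Day")
        title = m.group("title")
        impact = next((short for kw, short in IMPACT_KEYWORDS if kw in title), "Other")
        entries.append(Entry(m.group("cve"), severity, float(m.group("cvss")), zero_day, impact, title))
    return entries


def triage_order(entries: List[Entry]) -> List[Entry]:
    """Actively exploited first, then highest CVSS, then CVE id so the order is stable."""
    return sorted(entries, key=lambda e: (not e.zero_day, -e.cvss, e.cve))


def impact_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries fall into each impact class (what the 'Risks' line summarises)."""
    return dict(Counter(e.impact for e in entries))


if __name__ == "__main__":
    parsed = parse_entries(ADVISORY_EXCERPT)
    for e in triage_order(parsed):
        flag = "EXPLOITED " if e.zero_day else ""
        print(f"{flag}{e.cve} {e.cvss:.1f} {e.impact:15} {e.title}")
    print(impact_counts(parsed))
```

With the excerpt above the order comes out as the two zero-days first (the 6.2-rated Word flaw ahead of every 8.8 that is not known to be exploited), then the remaining entries by CVSS with ties broken by CVE id. Scraping advisory prose is fine for a one-off; for an ongoing process, consume the vendor’s machine-readable release notes instead, since bullet punctuation changes from month to month.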

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. The team is focused on researching emerging threats and tracking the activities of threat actors, ransomware groups, and campaigns, to ensure that customers stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.