Cyber Security Briefing, 4-11 August

August 11, 2023

Microsoft Patch Tuesday August fixes two actively exploited vulnerabilities

Microsoft has fixed 74 vulnerabilities in its August Patch Tuesday, including two actively exploited 0-day vulnerabilities and six critical flaws. Specifically, the first of the exploited flaws is covered by advisory ADV230003, which refers to the already known CVE-2023-36884 (CVSSv3 8.8), whose exploitation allows remote code execution in Office and Windows HTML. The second, CVE-2023-38180, can be exploited to cause a DDoS attack on .NET and Visual Studio applications. It should be noted that Microsoft has acknowledged that a PoC for the latter vulnerability is available. Finally, these updates do not include the twelve vulnerabilities in Microsoft Edge (Chromium) that were fixed earlier this month.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug

Downfall: the new vulnerability in Intel microprocessors

A Google researcher, Daniel Moghimi, has discovered how to exploit a new vulnerability, tracked as CVE-2022-40982 and named Downfall, that affects Intel processors from the Skylake to the Ice Lake architectures and allows the theft of sensitive information protected by Software Guard Extensions (SGX), Intel's hardware-based memory encryption. Moghimi developed two Downfall attack techniques that rely on the gather instruction: Gather Data Sampling (GDS) and Gather Value Injection (GVI). Both require the attacker to run on the same physical processor as the victim, so a local program or malware could also exploit the vulnerability. While the details of the flaw were kept private for a year so that fixes could be prepared, the hardware redesign that would eliminate the risk of Downfall attacks has not been carried out, although the researcher has proposed software-based mitigations.

More info: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html
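The briefing does not say how an administrator can tell whether a given machine has received the Downfall mitigation. As an added example (not part of the briefing, and not Intel's or the researcher's code), the script below assumes a Linux host, where the kernel publishes the Gather Data Sampling mitigation state under /sys/devices/system/cpu/vulnerabilities/gather_data_sampling; the sysfs path and the status strings quoted in the comments are the kernel's, while the ok/vulnerable/unknown classification and the function names are this example's own. A missing sysfs entry is treated as "unknown" rather than "safe", because an older kernel simply has no knowledge of the issue.

```shell
#!/bin/sh
# Added example: read and classify the Linux kernel's Downfall (GDS,
# CVE-2022-40982) mitigation report. Assumes a Linux host; the sysfs path is the
# kernel's interface, the classification below is this script's own convention.

GDS_SYSFS="/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"

# classify_gds STATUS -> prints ok | vulnerable | unknown
# STATUS is the kernel's text, e.g. "Not affected", "Mitigation: Microcode",
# "Mitigation: Microcode (locked)", "Vulnerable: No microcode",
# "Unknown: Dependent on hypervisor status".
classify_gds() {
    case "$1" in
        "Not affected"|Mitigation:*) echo ok ;;
        Vulnerable*)                 echo vulnerable ;;
        *)                           echo unknown ;;
    esac
}

# read_gds_status -> prints the kernel's status string, or "missing" when the
# running kernel has no gather_data_sampling entry (no information, not safety).
read_gds_status() {
    if [ -r "$GDS_SYSFS" ]; then
        cat "$GDS_SYSFS"
    else
        echo missing
    fi
}

# check_downfall -> prints the status and verdict; exit status 0 only for "ok",
# so the function can gate a compliance script or a CI job.
check_downfall() {
    status=$(read_gds_status)
    verdict=$(classify_gds "$status")
    printf 'gather_data_sampling: %s -> %s\n' "$status" "$verdict"
    [ "$verdict" = ok ]
}

# Run the live check only when invoked as: sh downfall_check.sh --live
# (keeps the functions usable from other scripts via ". ./downfall_check.sh").
if [ "${1:-}" = "--live" ]; then
    check_downfall
fi
```

Run it with `sh downfall_check.sh --live`; a "vulnerable" verdict on a host that should be patched usually means the microcode update has not been applied, and "unknown" on a virtual machine means the hypervisor, not the guest, decides the mitigation state.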

Analysis of the RedHotel threat actor

Researchers at Recorded Future have published a study of a threat actor attributed to China and named RedHotel. According to the experts, this threat actor is credited with attacks against 17 countries between 2021 and 2023, although its activity could date back to 2019. RedHotel's targets include academic institutions, aerospace and communication services, although most of them are governmental organisations. Regarding its aims, this threat actor stands out for intelligence gathering as well as a focus on economic espionage. As for its tradecraft, it is known for exploiting the Log4Shell security flaw, using tools such as Cobalt Strike and Brute Ratel C4 (BRc4) and malware families such as FunnySwitch, ShadowPad, Spyder and Winnti. It also focuses on initial reconnaissance and long-term network access through command and control servers, which are commonly hosted on NameCheap-registered domains.

More info: https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf

Infected PDFs used to distribute updated STRRAT malware

Security researchers at Cyble Research and Intelligence Labs (CRIL) have found that STRRAT, a Java-based RAT already capable of keylogging and stealing credentials from browsers and email clients, has evolved significantly and now uses new distribution methods. The updated version incorporates the Crimson ransomware module and deploys a multitude of infection chains. The entry vector is a malicious email whose attached PDF, once opened, prompts the download of a ZIP file containing the malicious JavaScript. To maintain persistence, the RAT creates a scheduled task named Skype. In addition, STRRAT version 1.6 employs two string obfuscation tools, Zelix KlassMaster (ZKM) and Allatori, which make it harder for security researchers to analyse and detect the malware.

More info: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/

Statc Stealer: new malware masquerading as legitimate Google ads

The Zscaler ThreatLabz team has discovered a sophisticated new malware called Statc Stealer, which infects Windows devices by initially masquerading as a legitimate Google ad. This stealer is capable of exfiltrating sensitive information such as credit card details, credentials and cryptocurrency wallets from the most commonly used browsers on Windows, including Chrome, Edge, Firefox and Opera. In addition, Statc Stealer is written in C++, uses evasion techniques that hinder reverse engineering in order to avoid detection, and sends the stolen data to its command and control server over HTTPS. Zscaler warns that infection with this stealer can pose a number of risks to organisations and businesses, including financial loss and reputational damage.

More info: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat