Cyber Security Briefing, 9 - 15 September

September 15, 2023

Microsoft patches multiple vulnerabilities including two 0-days

Microsoft released a security update detailing a total of fifty-nine vulnerabilities to be patched, including five critical severity and two actively exploited 0-days. Of the two 0-days, CVE-2023-36802 (CVSS 7.8) affects Microsoft Streaming Service and would allow an attacker to perform privilege escalation, while CVE-2023-36761 (CVSS 6.2) affects Microsoft Word and can be exploited by an attacker to steal NTLM hashes when opening a document.

On the other hand, the critical vulnerabilities included in the update affect .NET and Visual Studio (CVE-2023-36796, CVE-2023-36792, CVE-2023-36793), Azure Kubernetes Service (CVE-2023-29332) and Windows Internet Connection Sharing (CVE-2023-38148).

In addition to the fifty-nine vulnerabilities already mentioned, the update includes five other Microsoft Edge (Chromium) flaws and two flaws from Electron and Autodesk.

More info

SAP patches two critical vulnerabilities at September Security Patch Day

SAP announced the release of thirteen new security patches at its September Security Patch Day, three of which are updates to previously released patches.

The most severe vulnerability patched in this release is CVE-2023-40622 (CVSS 9.9), which allows attackers to access BusinessObjects information and in turn allows future attacks to compromise the entire application.

SAP also says it has patched another critical vulnerability, CVE-2023-40309 (CVSS 9.8), which affects CommonCryptoLib and is an authorisation check flaw and can result in privilege escalation. The patches that address CVE-2023-40309 also address another vulnerability mentioned in this Security Patch Day, namely CVE-2023-40308 (CVSS 7.5), a memory corruption bug in CommonCryptoLib.

Finally, most of the other security notes patch vulnerabilities of medium or low severity.

More info

Public exploit for the RCE ThemeBleed flaw in Windows 11

Researcher Gabe Kirkpatrick published a PoC for a Windows vulnerability discovered in a bug bounty. The flaw, identified as CVE-2023-38146, with CVSS 8.8, is a vulnerability that allows remote code execution, which can be exploited if the user opens a malicious .THEME file, created by the attacker.

The researcher detected the flaw by looking for strange Windows file formats, when he discovered that when using a version number 999, the routine to control the .MSSTYLES file has a discrepancy between the time when the signature of a DLL is verified and the time when the library is loaded.

An attacker, with a specially crafted .MSSTYLES, can replace a verified DLL with a malicious one and execute arbitrary code on the victim system. Kirkpatrick managed to open the Windows Calculator when the user starts a theme file with the PoC.

Microsoft has fixed the bug in the Patch Tuesday issued this week, removing the functionality from version 999, although the condition persists.

More info

3AM: new ransomware used as an alternative to LockBit

Symantec's Threat Hunter Team published an analysis of a new ransomware family, 3AM, which has been used in conjunction with LockBit ransomware in a single attack.

As LockBit was blocked by the targeted network, the attackers used 3AM in the incident, successfully infecting three computers. This new ransomware, written in Rust, attempts to stop various services on the infected device before encrypting the files, and once encryption is complete it attempts to delete Volume Shadow Copies (VSS).

In their ransom note, the attackers state that they will not leak the data they have obtained, but if the ransom is not paid, they will sell the data on the Dark Web. Symantec points out that 3AM is a completely new ransomware family and that its authors have not been associated with any cybercriminal organisation.

Having been used as an alternative to LockBit, it is likely that this new malware will become more popular in the future and therefore start to be used more by other threat actors

More info

Colombia activates the Cyber Unified Command Post (PMU Ciber) for the attack on IFX Networks

Mauricio Lizcano, minister of the Colombian Ministry of Information Technology and Communications, announced on his official Twitter account that the government has activated the Cyber Unified Command Post (PMU Ciber) to try to mitigate the effects of the cyber attack suffered by telecommunications provider IFX Networks. Lizcano also announced that a total of 762 organisations have been affected, located not only in Colombia but also in Argentina and Chile.

More info

Hypocrisy doublespeak in ransomware gangs
Cyber Security
Hypocrisy doublespeak in ransomware gangs
July 14, 2022

Imagen de apertura: kjpargeter / Freepik.