Cyber Security Briefing, 12 – 16 June
Microsoft has fixed more than 70 vulnerabilities in its June Patch Tuesday
Microsoft has released its June Patch Tuesday, addressing a number of critical, high, medium and low severity vulnerabilities. Three of the critical vulnerabilities, CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, all with CVSS 9.8, are in the Windows Pragmatic General Multicast (PGM) server environment and can lead to remote code execution when a specially crafted file is sent over the network.
Flaw CVE-2023-29357, also rated CVSS 9.8, allows privilege escalation in Microsoft SharePoint Server. Exploitation of this vulnerability does not require user interaction, and Microsoft advises applying the updates and enabling AMSI.
Another vulnerability that allows remote code execution is CVE-2023-28310, with CVSS 8.0, in Microsoft Exchange Server. CVE-2023-29358 allows privilege escalation to SYSTEM through the Windows GUI component, as does CVE-2023-29361. A further Microsoft Exchange flaw, CVE-2023-32031 with CVSS 8.8, allows an attacker to target server accounts and achieve arbitrary code execution.
Finally, CVE-2023-29371, in the Windows Win32k kernel driver, could lead to an out-of-bounds write granting SYSTEM privileges, while the less serious CVE-2023-29352 is a security feature bypass in Windows Remote Desktop.
Third security flaw discovered in MOVEit Transfer application
Progress Software recently reported a third critical vulnerability in its MOVEit Transfer application. The new vulnerability, still without a CVE identifier, is a SQL injection that can allow privilege escalation and unauthorised access. A patch addressing this new critical security flaw is not yet available; the company stated that one is currently being tested and will be released soon.
Progress also strongly advised users to modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 as a temporary protective measure. This disclosure comes a week after another set of SQL injection vulnerabilities was reported that could be used to access the application’s database, and on top of CVE-2023-34362, which was exploited by the Clop ransomware gang in data theft attacks; those actors continue to extort money from affected companies.
An analysis by Censys revealed that nearly 31 per cent of the more than 1,400 exposed hosts running MOVEit are in the financial services industry, 16 per cent in healthcare, nine per cent in information technology and eight per cent in government and military sectors.
AiTM campaign against companies in the financial sector
Microsoft Defender researchers have uncovered the existence of a Business Email Compromise (BEC) campaign that uses the AiTM (adversary in the middle) technique against large companies in the financial sector.
In AiTM phishing, threat actors place a proxy server between the targeted user and the website the user intends to visit; the phishing site the user actually reaches is this proxy, under the attackers’ control. Because every request and response passes through it, the proxy lets the attackers read the traffic and capture the target’s password and session cookie.
According to Microsoft, the attack began with the compromise of a reputable company’s email account, which was then used to distribute the AiTM phishing link and steal the credentials of that company’s contacts, who would have opened the URL given their trust relationship with the supposed sender (impersonated by the attacker). Microsoft attributes this campaign to a threat actor it has named Storm-1167 (in Microsoft’s taxonomy, the Storm prefix indicates that the origin of the criminal group is unknown).
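A defender-side check for the session-cookie theft described above, written as an added example (not code from Microsoft’s report): it correlates constructed identity-provider sign-in records and flags sessions whose cookie is reused from a network other than the one that completed the interactive sign-in, which is what an attacker replaying a cookie captured at the proxy produces. The log format, ASN field and one-hour window are assumptions.

```python
"""Flag sessions whose cookie is later used from a different network than the
one that completed authentication, the replay pattern AiTM phishing enables.
Added example; the sign-in records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider sign-in log:
# (timestamp, user, session_id, event, source_ip, source_asn)
# "interactive" = password + MFA completed; "token" = session cookie/token reuse.
SIGNIN_LOG = [
    ("2023-06-12T08:00:10Z", "alice@example.com", "S1", "interactive", "203.0.113.7", "AS64500"),
    ("2023-06-12T08:03:45Z", "alice@example.com", "S1", "token", "203.0.113.7", "AS64500"),
    ("2023-06-12T09:15:02Z", "bob@example.com", "S2", "interactive", "198.51.100.20", "AS64501"),
    ("2023-06-12T09:16:30Z", "bob@example.com", "S2", "token", "192.0.2.99", "AS64502"),
    ("2023-06-12T09:40:00Z", "bob@example.com", "S2", "token", "192.0.2.99", "AS64502"),
    ("2023-06-12T10:00:00Z", "carol@example.com", "S3", "token", "192.0.2.50", "AS64503"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_replayed_sessions(log, window=timedelta(hours=1)):
    """Return {session_id: [(ip, asn, timestamp), ...]} for every session in
    which a token event arrives from a different ASN than the interactive
    sign-in, within `window` of it. A changed IP inside the same ASN (NAT pool
    churn, mobile roaming) is deliberately not flagged on its own."""
    by_session = defaultdict(list)
    for ts, user, sid, event, ip, asn in log:
        by_session[sid].append((parse_ts(ts), user, event, ip, asn))
    findings = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e[0])
        origin = next(((t, asn) for t, _, ev, _, asn in events if ev == "interactive"), None)
        if origin is None:
            continue  # no interactive sign-in observed: no baseline to compare against
        t0, asn0 = origin
        hits = [(ip, asn, t) for t, _, ev, ip, asn in events
                if ev == "token" and asn != asn0 and t0 <= t <= t0 + window]
        if hits:
            findings[sid] = hits
    return findings

if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SIGNIN_LOG).items():
        print(sid, [(ip, asn, t.isoformat()) for ip, asn, t in hits])
```

In the constructed data only session S2 is flagged: the cookie issued after bob’s MFA from AS64501 is reused twice from AS64502 within the window.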
DoubleFinger distributes both Remcos RAT and GreetingGhoul stealer
Securelist has published a report on a new loader called DoubleFinger, which is notable for its use of steganographic techniques to hide payloads.
The malware runs shellcode on the infected machine that downloads a PNG file from the image-sharing platform Imgur.com. The file is not actually an image: it carries several components in encrypted form, namely GreetingGhoul, a stealer targeting cryptocurrency wallets, and the Remcos remote access Trojan.
Securelist reports having observed DoubleFinger, which is distributed via phishing email, attacking entities in Europe, the United States and Latin America.
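A triage check for the “PNG that is not actually an image” described above, written here as an added example (not code from the Securelist report): it walks the PNG chunk structure and reports anything a plain image would not carry, namely bytes appended after the IEND chunk, CRC mismatches and non-standard chunk types. The sample PNG and the appended placeholder are constructed inline.

```python
"""Walk a PNG's chunk structure and report what plain image data would not
have: bytes appended after IEND, CRC mismatches, non-standard chunk types.
Added example, not code from the Securelist report; the PNG is constructed."""
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
            b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
            b"hIST", b"tIME"}

def chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob):
    """Return a dict describing the chunk layout and any anomalies found."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    rep = {"chunks": [], "crc_errors": [], "nonstandard": [],
           "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 12 + length > len(blob):
            rep["truncated"] = True  # declared length runs past end of file
            return rep
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        rep["chunks"].append(name)
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            rep["crc_errors"].append(name)
        if ctype not in STANDARD:
            rep["nonstandard"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            rep["trailing_bytes"] = len(blob) - pos  # a real image ends at IEND
            return rep
    rep["truncated"] = True  # never reached IEND
    return rep

# Constructed 1x1 RGB PNG, then a labelled placeholder appended after IEND.
CLEAN_PNG = (PNG_SIG
             + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
             + chunk(b"IEND", b""))
SUSPECT_PNG = CLEAN_PNG + b"APPENDED-PLACEHOLDER-PAYLOAD"
```

Run `inspect_png(SUSPECT_PNG)` to see the appended bytes reported as `trailing_bytes`; a non-zero value or any `nonstandard` chunk is a reason to pull the file for closer analysis rather than proof of malice.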
Powerful BatCloak engine used to make malware completely undetectable
Trend Micro has published an analysis of the BatCloak malware obfuscation engine: its modular integration into modern malware, its proliferation mechanisms, and the implications for interoperability as threat actors take advantage of its fully undetectable capabilities.
As a result, threat actors can seamlessly load multiple malware families and exploits via highly obfuscated batch files. The research found that a staggering 80% of the recovered samples were not detected by security solutions.
This finding underlines BatCloak’s ability to bypass the traditional detection mechanisms employed by security vendors. Furthermore, across the full set of 784 samples, the average detection rate was less than one, highlighting the challenge of identifying and mitigating threats associated with BatCloak-protected malware.