Security News Digest | Security Newsletter | June 16, 2023

We’ve gathered dark web insights, cyber security news, vulnerabilities, and CVEs, ransomware for you. Enjoy!

A Short-Look at The Dark Web

 

Here are the insights & security news from the dark web. Learn and protect yourself before threats reach you. If you want to get more insight, follow us on Twitter and Subscribe to our Ransomware Newsletter!

  • AnonymousSudan claims to have launched a DDoS attack affecting 15,000 Microsoft users in the U.S.  The outage lasted for 1.5 hours. They warn of more to come! More about AnonymousSudan is on this thread.

  • On the dark web, a threat actor offers a malicious method that takes advantage of a vulnerability in PostgreSQL. This could be a 0-day threat. Therefore, remain watchful and cautious of what you click on!

Important Security News

What happened in cyberspace in the last two weeks? Here is a quick shot of security news from the world.

 

Microsoft Patch Tuesday: June 2023

 

Microsoft Patch Tuesday, the company’s monthly security update, has provided fixes for 70 vulnerabilities, 62 classified as important, six as critical, one as moderate, and one as low.

These fixes encompass various software, including Microsoft Office, Microsoft SharePoint, and Windows operating system components. Critical vulnerabilities addressed include CVE-2023-29357 in SharePoint Server 2019 and CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 in the Windows operating system’s implementation of Pragmatic General Multicast (PGM).

CVE-2023-29357: The Elevation of Privilege vulnerability in Microsoft SharePoint Server 2019 has a CVSSv3 severity score of 9.8 and is labeled critical. An unauthenticated, remote attacker can exploit this vulnerability by sending a spoofed JWT authentication token to the target server, thereby assuming the privileges of an authenticated user on that system.

CVE-2023—29363 / 32014 / 32015: These are Remote Code Execution (RCE) vulnerabilities in Windows Pragmatic General Multicast (PGM) that were assigned a critical severity rating of 9.8. An attacker who successfully exploits these vulnerabilities could execute arbitrary code on the target system with SYSTEM privileges.

Notably, the Elevation of Privilege (EoP) vulnerability CVE-2023-29357 in SharePoint Server 2019 is reported as having been used in a successful chained attack demonstration during the March Pwn2Own Vancouver contest. This vulnerability allows an unauthenticated, remote attacker to gain the privileges of an authenticated user by sending a spoofed JWT authentication token.

Microsoft recommends that users enable AMSI as mitigation, though the efficacy of this action remains untested.

Similarly, the Remote Code Execution (RCE) vulnerabilities in the Windows operating system’s PGM, CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, could allow an attacker to execute code remotely by sending a malicious file to a vulnerable system. These vulnerabilities are only exploitable on systems with message queueing services enabled.

Another set of vulnerabilities, CVE-2023-28310 and CVE-2023-32031, are RCEs in various Microsoft Exchange Server versions, allowing an authenticated attacker to execute arbitrary code or commands remotely. The affected versions are Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.

Another set of vulnerabilities, CVE-2023-28310 and CVE-2023-32031, are RCEs in various Microsoft Exchange Server versions, allowing an authenticated attacker to execute arbitrary code or commands remotely. The affected versions are Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.

Also, CVE-2023-29362 is an RCE vulnerability in the Remote Desktop Client component of Windows operating systems and the Remote Desktop Client for Windows Desktop applications, which can be exploited by a remote attacker with control over a Remote Desktop Server.

Microsoft urges all users to promptly apply the updates provided in the Patch Tuesday release to ensure their systems are protected against these vulnerabilities. As always, keeping software updated with the latest security patches is one of the best practices for maintaining a secure and resilient system.

 

Updates ASAP

 

In March 2023, Microsoft Patch Tuesday updates, Microsoft has released 2 zero-days. After that, BRANDEFENSE Analysts’ investigation, threat actors posted about CVE-2023-24880 on a dark web forum. In the forum post, threat actors said that not all Windows systems had been updated yet, so they could continue to share the PoC. [Read More]

Threat actors always wait for your mistakes. Do not forget your updates.


MOVEit Transfer Software Exploited Through Critical Zero Day Vulnerability 2023

 

Ipswitch, a subsidiary of Progress Software Corporation, has been hit by a major cybersecurity vulnerability exploited by unknown hackers to attack its MOVEit Transfer software. The software is a popular application for businesses and customers to transfer data securely. Identified as CVE-2023-34362 – a zero-day vulnerability – Progress Software Corporation has issued a critical security advisory warning its customers to take precautionary measures immediately.

The software developer advises all its customers to restrict access to external traffic to ports 80 and 443 on MOVEit Transfer servers until patches have been installed. While Progress notes that the recommendation is necessary, it also concedes that it will affect the operations of certain applications such as MOVEit Automation tasks, API functions, and the plugin functionality of the Outlook MOVEit Transfer.

Vulnerable to SQL injection that leads to remote code execution, cybersecurity company, Rapid7, has identified the zero-day flaw in the software. With approximately 2,500 exposed servers, primarily in the United States, Rapid7 notes a common feature of all exploited devices is the ‘human2.asp’ webshell, which can execute a series of commands if accessed with the correct password. Scarily, these commands enable the attacker to retrieve vast amounts of data from the server, such as lists of stored files, user details, and Azure Blob Storage account configurations.

Reportedly several admins have reported discovering multiple unexpected files post-breach. What is worrying is that the breach likely began over the long Memorial Day weekend in the United States when system monitoring is often at its minimum.

With a potential for data theft and exposure, cybersecurity experts are warning organizations to shut down their MOVEit Transfers until the issue is resolved and a comprehensive investigation for compromise has been conducted.

Charles Carmakal, CTO of Mandiant, strongly suggests that all organizations using MOVEit Transfer should acquire a forensic examination to ascertain whether their system was compromised and if data was stolen. Furthermore, Progress Software has confirmed that its cloud platform was impacted, potentially broadening the scope of victims. The company has released mitigation steps for on-premise and cloud-based systems, and experts recommend organizations follow them.

Microsoft has attributed the attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations and running the infamous Clop extortion site. The software giant has also published articles with IOCs, detections, and hunting guidance and will continue to monitor the situation with stakeholders.

 

Second MFT 0-Day in Six Months: Cl0p Ransomware Gangs Announced They Exploit Over 130 Organizations

 

The zero day vulnerability in the GoAnywhere file-sharing software is tracked with the code CVE-2023-0669 and was first discovered on February 3, 2023. On February 6, 2023, an exploit code was released for this vulnerability, and by February 10, 2023, Cl0p operators had announced that they had used the exploit to attack 130 organizations… [Read More]


“Triangulation Trojan” Launches Sophisticated Attack on Apple Devices

 

Security experts have uncovered an advanced, targeted cyberattack that leverages Apple’s mobile devices. The attack, named “Triangulation,” is aimed at planting covert spyware into the iPhones of employees of certain companies, including middle and top management personnel.

The cyberattack employs an invisible iMessage carrying a malicious attachment. Utilizing multiple vulnerabilities within the iOS operating system, the attachment is executed on the device, stealthily installing the spyware. This occurs without the need for user action. Once in place, the spyware discreetly relays sensitive data back to remote servers, including microphone recordings, instant messenger photos, geolocation, and other user activity data.

The proprietary nature of iOS makes the detection and removal of this spyware particularly challenging, requiring the use of external tools. A vital sign of the Triangulation presence is disabling iOS updates on the infected device. Additionally, a device backup should be made and checked using a unique utility for a more definitive infection confirmation. Kaspersky is also in the process of developing a free detection tool.

Unfortunately, due to the specific way the spyware blocks iOS updates, there is currently no effective method to remove the Triangulation without losing user data. The only recourse is to reset the infected iPhones to factory settings and install the latest version of the operating system and the entire user environment anew. This is crucial as the spyware can re-infect through vulnerabilities present in an outdated iOS version.

The attack’s sophisticated nature is such that it remained largely undetected until anomalies within the network originating from Apple devices were picked up by Kaspersky’s Unified Monitoring and Analysis Platform (KUMA), a native Security Information and Event Management (SIEM) solution. Subsequent investigations revealed that several dozen iPhones belonging to senior employees were infected with the spyware.

Kaspersky is still investigating this incident, with more information to be shared in a dedicated post on Securelist. They anticipate further details on the global proliferation of this spyware will emerge in the coming days. Despite being targeted in this attack, Kaspersky stresses they were not the primary objective and assures their business processes and user data remain unaffected.

 

C2 Domains For Triangulation Trojan Attack

 

The source is SecurceList.

addatamarket[.]net

backuprabbit[.]com

businessvideonews[.]com

cloudsponcer[.]com

datamarketplace[.]net

mobilegamerstats[.]com

snoweeanalytics[.]com

tagclick-cdn[.]com

topographyupdates[.]com

unlimitedteacup[.]com

virtuallaughing[.]com

web-trackers[.]com

growthtransport[.]com

anstv[.]net

ans7tv[.]net

Share This: