Monthly Advisory • 10 MIN READ
Top 5 August Threat Advisory
by Leonardo Maroso • Aug 2023
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of August 2023.
Table of contents
- Microsoft Cross-Tenant Synchronization (CRS) Abuse in Azure Environments
- Microsoft Addressed Zero-Day Vulnerability in August 2023 Patch Tuesday Update.
- Threat Actor Known as “APT29” Targeting NATO Organizations Through Espionage Campaigns
- Google Fixed Multiple High and Medium Severity Vulnerabilities in Google Chrome and ChromeOS.
- Microsoft Released Patches for 87 Flaws, Including 2 zero-days and 23 Remote Code Execution Vulnerabilities
Microsoft Cross-Tenant Synchronization (CRS) Abuse in Azure Environments
Threat Reference: Global
Risks: Backdoor/Malware
Advisory Type: Threats
Priority: Standard
A new attack vector has been unveiled, which maintains persistent access in an Azure tenant by abusing Microsoft’s Cross-Tenant Synchronization (CRS). The attack, however, needs specific licenses and a compromise of privileged accounts or privilege escalation to certain roles within the compromised tenant.
Attack Scenario One:
- Attacker with compromised privileged account enables CRS with Hybrid Administrator Role on Victim Tenant.
- Attacker conducts reconnaissance to identify target tenants connected through Cross-Tenant Access (CTA) policies and to find tenant with ‘Outbound Sync’ enabled.
- Outbound Sync allows synchronization of users and groups with Attacker tenant for lateral movement.
- Once the CTS (Cross-Tenant Synchronization) sync application is identified, the attacker modifies its configuration to include the currently compromised user account in the application sync scope.
- Syncing the compromised user account into the target tenant, the attacker gains access to the target tenant using the initially compromised credentials.
Attack Scenario Two:
- Attacker with compromised privileged account enables CRS with Hybrid Administrator Role on Victim Tenant.
- Attacker deploys a new Cross Tenant Access (CTA) Policy in the victim tenant with Source tenant set as the attacker-controlled external tenant and Enabled ‘Inbound Sync’ and Enabled ‘Automatic User Consent’ for inbound user sync.
- Configuring Cross-Tenant Synchronization (CTS) on external tenant allows attacker to sync new users from its tenant to the target victim tenant.
SecurityHQ SOC has deployed capabilities to detect this technique.
Recommendation
It is recommended to audit and monitor for any of the operations as below:
- “Add a partner to cross-tenant access setting”.
- Invite external user, add user, and redeem external user invite.
- Ensure proper access controls and permissions in Azure tenants, particularly for Hybrid Administrator Role, to limit the possibility of unauthorized CRS setup.
- Regularly review and validate CTA and CTS configurations to identify any suspicious changes that might indicate unauthorized access attempts.
Microsoft Addressed Zero-Day Vulnerability in August 2023 Patch Tuesday Update.
Threat Reference: Global
Risks: Zero Day
Advisory Type: Malware/Threats
Priority: Standard
Microsoft have addressed the Windows Search Remote Code Execution Vulnerability (CVE-2023-36884). The vulnerability name was ‘Office and Windows HTML Remote Code Execution Vulnerability’.
The vulnerability was originally identified in July 2023 patch Tuesday as a zero day but was unpatched and only the workarounds were made available to address the remediation. As of now, August 2023, this vulnerability is now resolved. Microsoft has also reduced the CVSS3 score of the vulnerability from 8.3 to 7.5.
Recommendation
It is recommended to apply the recent patch Tuesday update on all devices & remove the former registry-based workarounds applied for this vulnerability.
Threat Actor Known as “APT29” Targeting NATO Organizations Through Espionage Campaigns
Threat Reference: NATO Countries
Risks: Malware
Advisory Type: Threat
Priority: Standard
APT29 is a Russian linked state-sponsored threat actor, that has been targeting organizations in NATO-aligned countries. Attacks have been carried via a phishing campaign, where malicious PDF documents are sent out disguised as official German embassy invitations.
Attack Scenario:
- Victim receives spear phishing email/emails containing two malicious PDF files impersonating the German embassy. These PDF files contain embedded JavaScript code.
- If opened, the malicious PDF triggers an “Open File” alert box. By launching this, a malicious HTML file is activated and through HTML smuggling, a ZIP file delivers a HTML application (HTA) which contains the Duke malware.
- After execution, the HTA will drop three executables into the C:\Windows\Tasks directory for DLL Sideloading Attack:
- AppVIsvSubsystems64.dll – A library loaded into msoev.exe to perform the execution without any failure.
- Mso.dll – Duke malware variant loaded into msoev.exe via DLL Sideloading.
- Msoev.exe – A legitimate signed Windows binary, automatically loading Mso.dll and AppVIsvSubsystems64.dll upon execution.
- The dropped Duke malware variant (mso.dll) uses Windows API hashing to hide API function calls and evade malware scanners.
- All string values are encrypted using XOR encryption and decryption at execution for dynamic content.
- The second PDF, which lacks a payload, serves as a reconnaissance tool. When a recipient opens this PDF, it notifies the threat actors about the success of the email attachment being opened.
- Finally, the actors using Zulip servers to establish C2 connection, and hides in legitimate web traffic to exfiltrate victim data and execute remote commands using actor -controlled chat room (toyy[.]zulipchat[.]com).
Recommendation:
- Enhance Network Security: Configure IDS and IPS to monitor and block suspicious network traffic via unexpected web services.
- Strengthen Email Security: Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
- Educate your employees: Raise awareness among your staff about the possible threat and inform them about the potential risks associated with opening suspicious emails or documents in general.
- Endpoint Detection Response: Implement EDR solutions to provide advanced threat detection and response capabilities, allowing you to monitor and analyze endpoint activities in real-time. They help identify and mitigate suspicious behaviours, malware, and unauthorized access.
- Proxy: Ensure your web gateway or proxy is configured to block traffic categorised as “unknown”.
- Monitor your IT infrastructure 24×7 for cybersecurity attacks and suspicious activities.
Google Fixed Multiple High and Medium Severity Vulnerabilities in Google Chrome and ChromeOS.
Threat Reference: Global
Risks: Memory Corruption, Arbitrary Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Google has released patches to fix several High and Medium Severity Vulnerabilities in Google Chrome and ChromeOS.
Notable CVEs:
- [High] Use After Free in Media – CVE-2023-3421
- [High] Heap Buffer Overflow in Visuals – CVE-2023-4071, CVE-2023-4071
- [High] Use After Free in Guest View – CVE-2023-3422
- [High] Type Confusion in V8 – CVE-2023-3216, CVE-2023-4068, CVE-2023-4069, CVE-2023-4070
- [High] Out of Bounds Read & Write in WebGL – CVE-2023-4072
- [High] Out of Bounds Memory Access in ANGLE – CVE-2023-4073
- [High] Use After Free in Blink Task Scheduling – CVE-2023-4074
- [High] Use After Free in Cast -CVE-2023-4075
- [High] Use After Free in WebRTC – CVE-2023-4076
- [Medium] Insufficient Validation of Untrusted Input in Safe Browsing – CVE-2023-1814:
- [Medium] Type Confusion in DevTools – CVE-2023-0703:
- [Medium] Insufficient Data Validation in Extensions – CVE-2023-4077
- [Medium] Inappropriate Implementation in Extensions- CVE-2023-4078:
Recommendation
It is recommended to update Google Chrome and ChromeOS to their latest available versions/patch level.
Microsoft Released Patches for 87 Flaws, Including 2 zero-days and 23 Remote Code Execution Vulnerabilities
Threat Reference: Global
Risks: Privilege Escalation, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS), Spoofing
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released Patch Tuesday for August 2023 with security updates for 87 flaws, including 2 actively exploited and 23 remote code execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS) and Spoofing.
Notable CVEs:
- [Critical] Microsoft Message Queuing Remote Code Execution Vulnerability – CVE-2023-21709: [CVSS – 9.8], CVE-2023-35385: [CVSS – 9.8], CVE-2023-36910: [CVSS – 9.8], CVE-2023-36911: [CVSS – 9.8]
- [High] Microsoft Teams Remote Code Execution Vulnerability – CVE-2023-29328: [CVSS – 8.8], CVE-2023-29330: [CVSS – 8.8]
- [High] Microsoft Exchange Remote Code Execution Vulnerability – CVE-2023-35368: [CVSS – 8.8]
- [High] Windows Fax Service Remote Code Execution Vulnerability – CVE-2023-35381: [CVSS – 8.8]
- [High] Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability – CVE-2023-35387: [CVSS – 8.8]
- [High] Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability – CVE-2023-36882: [CVSS – 8.8]
- [High] Microsoft OLE DB Remote Code Execution Vulnerability– CVE-2023-38169: [CVSS – 8.8]
- [High] Microsoft Exchange Server Spoofing Vulnerability – CVE-2023-38181: [CVSS – 8.8]
- [High] Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2023-38185: [CVSS – 8.8], CVE-2023-35388: [CVSS – 8.0]
- [High] Visual Studio Tools for Office Runtime Spoofing Vulnerability – CVE-2023-36897: [CVSS – 8.1]
- [High] Microsoft SharePoint Server Spoofing Vulnerability – CVE-2023-36891: [CVSS – 8.0], CVE-2023-36892: [CVSS – 8.0]
- [High] Microsoft Exchange Server Remote Code Execution Vulnerability – CVE-2023-38182: [CVSS – 8.0]
- [High] Windows Kernel Elevation of Privilege Vulnerability – CVE-2023-35359: [CVSS – 7.8]
- [High] Microsoft Office Remote Code Execution Vulnerability – CVE-2023-35371: [CVSS – 7.8]
- [High] Microsoft Office Visio Remote Code Execution Vulnerability – CVE-2023-35372: [CVSS – 7.8]
- [High] Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability – CVE-2023-35379: [CVSS – 7.8]
- [High] Windows Kernel Elevation of Privilege Vulnerability – CVE-2023-35380: [CVSS – 7.8], CVE-2023-35382: [CVSS – 7.8], CVE-2023-35386: [CVSS – 7.8]
- [High] .NET and Visual Studio Remote Code Execution Vulnerability – CVE-2023-35390: [CVSS – 7.8]
- [High] Microsoft Office Visio Remote Code Execution Vulnerability – CVE-2023-36865: [CVSS – 7.8]
- [High] Microsoft Outlook Remote Code Execution Vulnerability – CVE-2023-36895: [CVSS – 7.8]
- [High] Microsoft Message Queuing Information Disclosure Vulnerability – CVE-2023-35383: [CVSS – 7.5]
- [High] ASP.NET Elevation of Privilege Vulnerability – CVE-2023-36899: [CVSS – 7.5]
- [High] Microsoft Message Queuing Denial of Service Vulnerability– CVE-2023-36912: [CVSS – 7.5]
Recommendation
Keep applications and operating systems running at the current released patch level and run software with the least privileges.
Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.