Monthly Advisory

June Threat Advisory – Top 5

by Eleanor Barlow • Jun 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of June 2023.

Fortinet Released Patch to Fix Critical Pre-Authentication Remote Code Execution (RCE) Vulnerability in SSL VPN Devices.

Threat Reference: Global

Risks: Arbitrary Code Execution, Privilege Escalation, Denial of Service

Advisory Type: Updates/Patches

Priority: Elevated

Fortinet has released a patch for a critical vulnerability (CVE-2023-27997) along with fixes for multiple other vulnerabilities affecting Fortinet products. Fortinet security researchers have observed that CVE-2023-27997 may have been exploited in a limited number of cases. Successful exploitation of these vulnerabilities may lead to arbitrary code execution, privilege escalation, and/or denial of service.

Notable CVE ID and details:

  • [Critical] – [CVSS: 9.2] – CVE-2023-27997: FortiOS & FortiProxy – Heap buffer overflow in sslvpn pre-authentication which may allow an attacker to execute arbitrary code.
  • [High] – [CVSS: 8.3] – CVE-2023-29181: FortiOS – Format String Bug in Fclicense daemon which may allow an attacker to execute arbitrary code.
  • [High] – [CVSS: 7.6] – CVE-2022-41327: FortiOS/FortiProxy – Read Only administrator can intercept sensitive data. An authenticated attacker may be able to escalate privilege.
  • [High] – [CVSS: 7.3] – CVE-2023-29180: FortiOS – [Denial of Service] Null pointer dereference in sslvpnd which may allow an unauthenticated remote attacker to crash SSL-VPN.

Affected products include:

  • FortiOS-6K7K version 7.0.10
  • FortiOS-6K7K version 7.0.5
  • FortiOS-6K7K version 6.4.12
  • FortiOS-6K7K version 6.4.10
  • FortiOS-6K7K version 6.4.8
  • FortiOS-6K7K version 6.4.6
  • FortiOS-6K7K version 6.4.2
  • FortiOS-6K7K version 6.2.9 through 6.2.13
  • FortiOS-6K7K version 6.2.6 through 6.2.7
  • FortiOS-6K7K version 6.2.4
  • FortiOS-6K7K version 6.0.12 through 6.0.16
  • FortiOS-6K7K version 6.0.10
  • FortiProxy version 7.2.0 through 7.2.3
  • FortiProxy version 7.0.0 through 7.0.9
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
  • FortiOS version 7.2.0 through 7.2.4
  • FortiOS version 7.0.0 through 7.0.11
  • FortiOS version 6.4.0 through 6.4.12
  • FortiOS version 6.0.0 through 6.0.16
  • FortiOS 6.0 all versions
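Checking a fleet against a version list like the one above is error-prone by hand, so here is an added example (not Fortinet's or SecurityHQ's code) that parses the affected-product wording into inclusive ranges and answers whether a given product/version string is in scope. The advisory text is embedded as one comma-separated string copied from the list above; product names and the "through"/"all versions" phrasing are taken from that text, everything else is this example's own.

```python
import re

ADVISORY_TEXT = (  # affected-product wording copied from the advisory above
    "FortiOS-6K7K version 7.0.10, FortiOS-6K7K version 7.0.5, FortiOS-6K7K version 6.4.12, "
    "FortiOS-6K7K version 6.4.10, FortiOS-6K7K version 6.4.8, FortiOS-6K7K version 6.4.6, "
    "FortiOS-6K7K version 6.4.2, FortiOS-6K7K version 6.2.9 through 6.2.13, "
    "FortiOS-6K7K version 6.2.6 through 6.2.7, FortiOS-6K7K version 6.2.4, "
    "FortiOS-6K7K version 6.0.12 through 6.0.16, FortiOS-6K7K version 6.0.10, "
    "FortiProxy version 7.2.0 through 7.2.3, FortiProxy version 7.0.0 through 7.0.9, "
    "FortiProxy version 2.0.0 through 2.0.12, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, "
    "FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.11, "
    "FortiOS version 6.4.0 through 6.4.12, FortiOS version 6.0.0 through 6.0.16, FortiOS 6.0 all versions."
)

# One clause: "<product> [version ]<lo>[ through <hi> | all versions]"
CLAUSE = re.compile(
    r"^(?P<prod>FortiOS-6K7K|FortiProxy|FortiOS) (?:version )?(?P<lo>\d+(?:\.\d+)*)"
    r"(?: through (?P<hi>\d+(?:\.\d+)*)| (?P<all>all versions))?$"
)

def parse_version(text):
    """'7.0.11' -> (7, 0, 11); tuples compare component-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))

def parse_affected(sentence):
    """Map product -> list of (lo, hi). hi is None when a whole release line
    ('1.2 all versions') is affected; lo is then a version prefix."""
    ranges = {}
    for clause in sentence.rstrip(".").split(", "):
        m = CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unrecognised clause: {clause!r}")
        lo = parse_version(m["lo"])
        hi = None if m["all"] else parse_version(m["hi"] or m["lo"])
        ranges.setdefault(m["prod"], []).append((lo, hi))
    return ranges

AFFECTED = parse_affected(ADVISORY_TEXT)

def is_affected(product, version):
    """True if this product/version falls inside any range from the advisory."""
    v = parse_version(version)
    for lo, hi in AFFECTED.get(product, []):
        if hi is None:            # whole release line: compare the prefix only
            if v[: len(lo)] == lo:
                return True
        elif lo <= v <= hi:       # inclusive "through" range or single version
            return True
    return False
```

Note that a device on the patched release (for example FortiOS 7.0.12) correctly falls outside every range, while "FortiOS 6.0 all versions" makes any 6.0.x build in scope regardless of the 6.0.0 through 6.0.16 clause.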

Recommendation

It is recommended to update all affected products to their latest available patch version.

New JavaScript Dropper PindOS Delivering Bumblebee and IcedID Malware.

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

Security researchers have observed a new JavaScript-based dropper, called PindOS, delivering the IcedID and Bumblebee malware onto victim computers. Both Bumblebee and IcedID are known infostealers.

How it works:

  1. The victim receives an email containing a malicious attachment (usually a ZIP or ISO containing a [.]lnk file pointing to a remote ps1 script).
  2. After the attachment is opened, the PindOS [.]js dropper is de-obfuscated; it contains a single “exec” (execute) function with four parameters: UserAgent, URL1, URL2 and RunDLL.
  3. When the dropper runs, it first attempts to download the payload from URL1. If URL1 fails or is unreachable, it attempts the download from URL2, then executes the payload using a combination of PowerShell and rundll32[.]exe.
  4. The downloaded payload is saved to: %appdata%/Microsoft/Templates/<6-char-random-number>[.]dat
  5. The exec function is later called twice, invoking four separate URLs to retrieve the payload.
  6. The downloaded payloads are generated pseudo-randomly on demand, producing a new sample hash each time a payload is fetched, to evade signature-based detection.

The User-Agent string “PindOS” is observed in this attack.
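Because the payload hash changes on every fetch, detection has to key on the behaviour described above rather than on file signatures. The following added example (not code from the advisory or the researchers) runs two such checks over constructed sample telemetry: the “PindOS” User-Agent in proxy logs, and a six-digit .dat written under %appdata%\Microsoft\Templates by PowerShell or rundll32. The log formats, hostnames and the assumption that the random name is six digits are this example's own.

```python
import re

# Constructed sample telemetry, not from the advisory. Proxy log fields:
# timestamp | host | url | user-agent (hostnames are placeholders).
PROXY_LOG = r"""
2023-06-12T09:14:02Z | WS-042 | https://placeholder-a.invalid/wp-content/out/mn.php | PindOS
2023-06-12T09:14:05Z | WS-042 | https://update.placeholder-b.invalid/catalog.xml | Mozilla/5.0
2023-06-12T09:20:11Z | WS-017 | https://placeholder-c.invalid/images/out/lim.php | PindOS
"""
# Constructed file-creation events: host | creating process | path.
FILE_EVENTS = r"""
WS-042 | powershell.exe | C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\482913.dat
WS-042 | winword.exe | C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\Normal.dotm
WS-017 | rundll32.exe | C:\Users\asmith\AppData\Roaming\Microsoft\Templates\115072.dat
WS-103 | explorer.exe | C:\Users\pk\AppData\Roaming\Microsoft\Templates\report.dat
"""

UA_SIGNATURE = "PindOS"  # User-Agent string reported in the advisory
# %appdata%\Microsoft\Templates\<6-char-random-number>.dat; six digits is an assumption.
DROP_PATH = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\\d{6}\.dat$", re.IGNORECASE)
LOADERS = {"powershell.exe", "rundll32.exe"}  # execution chain named in the advisory

def split_fields(line):
    return [f.strip() for f in line.split(" | ")]

def scan_proxy(log):
    """Return (host, rule, detail) for every request carrying the PindOS User-Agent."""
    hits = []
    for line in log.strip().splitlines():
        _ts, host, url, ua = split_fields(line)
        if ua == UA_SIGNATURE:
            hits.append((host, "pindos-user-agent", url))
    return hits

def scan_files(events):
    """Return (host, rule, detail) for a 6-digit .dat dropped under Templates by PowerShell/rundll32."""
    hits = []
    for line in events.strip().splitlines():
        host, proc, path = split_fields(line)
        if proc.lower() in LOADERS and DROP_PATH.search(path):
            hits.append((host, "pindos-dat-drop", f"{proc} -> {path}"))
    return hits

def hosts_by_rule(hits):
    """Group rule names per host; a host with both network and file evidence stands out."""
    grouped = {}
    for host, rule, _detail in hits:
        grouped.setdefault(host, set()).add(rule)
    return grouped
```

Correlating the two rules per host is the useful part: a lone User-Agent hit may be a blocked download, whereas a host that also wrote the .dat file has most likely reached the execution stage.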

Domains/URLs:

Recommendations

It is recommended to onboard all your external-facing web servers with the SecurityHQ SOC to monitor for similar attack techniques. SecurityHQ recommends blocking unknown file extensions at the email gateway. Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints. Monitor your IT infrastructure 24×7 for cyber security attacks and suspicious activity.

Microsoft Released June 2023 Patch Tuesday for 78 flaws including 38 Remote Code Execution Vulnerabilities.

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service.

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released the June 2023 Patch Tuesday update, addressing a total of 78 vulnerabilities, 38 of which are Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Privilege Escalation, Information Disclosure, Security Feature Bypass or Denial of Service.

  • [Critical] – CVE-2023-29357: [CVSS – 9.8] – Microsoft SharePoint Server Elevation of Privilege Vulnerability.
  • [Critical] – CVE-2023-29363: [CVSS – 9.8], CVE-2023-32014: [CVSS – 9.8], and CVE-2023-32015: [CVSS – 9.8] – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.
  • [High] – CVE-2023-32031: [CVSS – 8.8] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-29362: [CVSS – 8.8] – Remote Desktop Client Remote Code Execution Vulnerability.
  • [High] – CVE-2023-29372: [CVSS – 8.8] – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-29373: [CVSS – 8.8] – Microsoft ODBC Driver Remote Code Execution Vulnerability.
  • [High] – CVE-2023-32009: [CVSS – 8.8] – Windows Collaborative Translation Framework Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-33131: [CVSS – 8.8] – Microsoft Outlook Remote Code Execution Vulnerability.
  • [High] – CVE-2023-28310: [CVSS – 8] – Microsoft Exchange Server Remote Code Execution Vulnerability.
  • [High] – CVE-2023-24936: [CVSS – 8.1] – .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29351: [CVSS – 8.1] – Windows Group Policy Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29358: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29359: [CVSS – 7.8] – GDI Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29360: [CVSS – 7.8] – Windows TPM Device Driver Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29371: [CVSS – 7.8] – Windows GDI Elevation of Privilege Vulnerability.
  • [High] – CVE-2023-29361: [CVSS – 7] – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability.

Recommendations

Keep applications and operating systems running at the current released patch level. Run software with the least privileges.

New APT Group [CL-STA-0043] Strikes Middle East and Africa, Targeting Microsoft Exchange & IIS Servers.

Threat Reference: Middle East & Africa (MEA)

Risks: Malware

Advisory Type: Threats

Priority: Standard

Security researchers have detected a new and highly active threat actor, identified as [CL-STA-0043], conducting targeted attacks against governmental organizations in the Middle East and Africa.

This threat actor employs sophisticated techniques to exploit on-premises Internet Information Services (IIS) and Microsoft Exchange Servers, aiming to gain unauthorized access and exfiltrate sensitive information.

TTPs are as follows:

  1. Initially, attackers exploit multiple zero-day vulnerabilities in Exchange and IIS servers.
  2. They then deploy various kinds of web shells, providing access to the compromised network via a remote shell.
  3. Upon successful penetration into the network, they identify critical assets such as administrative accounts and important servers.
  4. The actors utilize local privilege escalation tools like JuicyPotatoNG and SharpEfsPotato to create administrative accounts.
  5. The attacks involve the use of well-known privilege escalation techniques, such as “sticky keys,” and an IIS privilege escalation tool called “Iislpe.exe.”
  6. To facilitate lateral movement, threat actors introduce a new penetration testing toolset named “Yasso,” capable of performing remote actions.
  7. Finally, the actors abuse the Exchange Management Shell (exshell.psc1) or execute multiple PowerShell scripts to exfiltrate targeted emails.

Recommendations

1. Follow the CIS Benchmark for IIS Servers: Implementing the CIS (Center for Internet Security) Benchmark for IIS Servers is strongly recommended. This industry standard provides comprehensive best practices and guidelines to enhance the security posture of your IIS servers, ensuring they are properly configured and protected against known vulnerabilities.

2. Enhance your endpoint security by deploying advanced Endpoint Detection & Response (EDR) tools. These tools leverage sophisticated techniques and algorithms to detect and respond to the latest malware threats, as well as identify suspicious activities on endpoints.

3. Establish 24/7 round-the-clock monitoring of your IT infrastructure to effectively detect and respond to cybersecurity attacks and suspicious activities.

VMware Fixed Multiple Critical and High Severity Vulnerabilities in Aria Operations for Networks.

Threat Reference: Global

Risks: Remote Code Execution, Information Disclosure

Advisory Type: Updates/Patches

Priority: Standard

VMware has released patches for critical and high severity vulnerabilities affecting VMware Aria Operations for Networks. Exploiting these flaws could result in Remote Code Execution (RCE) and Information Disclosure. The affected product is VMware Aria Operations for Networks.

Recommendation

It is recommended to update the affected product to its latest available patch version.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.