Author: Victor Kuciel

Categories
Cybersecurity Advisories

CVE-2023-21554: Microsoft Patches Critical RCE Vulnerability in MSMQ Service

Microsoft has released a set of security updates to fix a total of 97 flaws impacting its software; 45 of which are RCE vulnerabilities. Researchers have discovered three vulnerabilities in the Microsoft Message Queuing service (MSMQ) and were patched in Microsoft’s Patch Tuesday update. The most severe flaw out of the three is CVE-2023-21554 (known as QueueJumper; CVSSv3 Score: 9.8 – Critical) which allows remote code execution after sending a single package through the TCP port 1801. 

According to Microsoft, MSMQ is a message infrastructure and development platform for creating distributed, loosely-coupled messaging applications for the Microsoft Windows operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging. 

QueueJumper Vulnerability & Impact 

CVE-2023-21554 allows an attacker to execute code remotely and without authorization by reaching the TCP port 1801. A threat actor could gain control of the process through a single packet to the 1801/tcp port with the exploit. By doing this, it gives hackers control over mqsvc.exe. 

A full internet scan showed that more than 360,000 IPs have 1801/tcp open to the internet and are running the MSMQ service. This includes the number of hosts facing the internet and does not account for computers hosting the MSMQ service on internal networks. Some popular software relies on MSMQ, so when a user installs that software, the MSMQ service is enabled on Windows and may be done without the user’s knowledge. It is important to note that MSMQ is disabled by default in all operating systems. Full technical details will be released later this month. 

Mitigation 

  • All Windows admins are recommended to check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice. 
  • Users are recommended to install Microsoft’s official patch as soon as possible. If your business requires MSMQ but is unable to apply Microsoft’s patch right now, you may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections to 1801/tcp for Internet-facing machines), as a workaround. 

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.  

Additionally, we are running a Nessus external scan on internet facing servers and will report if we find anything. 

As always, if we detect activity related to these exploits, we will alert you if warranted.  

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Microsoft Customer Guidance 

CVE-2023-21554 – Security Update Guide – Microsoft Security Response Center 

Resources & Related Articles 

Categories
Cybersecurity Advisories

CVE-2023-28252: Windows Zero-Day Vulnerability Exploited in Nokoyawa Ransomware Attacks

Microsoft has patched an actively exploited zero-day vulnerability in the Windows Common Log File System (CLFS) that allows attackers to elevate privileges to SYSTEM on target machines and deploy Nokoyawa ransomware payloads. CISA added the flaw, tracked as CVE-2023-28252 (CVSSv3 score: 7.8 – High), to its KEV and orders FCEB agencies to secure their systems against it. The vulnerability affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.

Exploited with Nokoyawa ransomware

This zero-day was utilized by a sophisticated cybercrime group that carries out ransomware attacks. Security researchers have found that the gang has used other exploits targeting the CLFS driver since June 2022 with similar but unique characteristics that were likely developed by the same exploit author. Researchers have identified five different CLFS exploits used by the group in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries.

Nokoyawa ransomware surfaced in February 2022 as a strain that is capable of targeting 64-bit Windows-based systems in double extortion attacks. The threat actors would also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and has been rewritten in Rust. The CVE-2023-28252 zero-day was used to deploy the Nokoyawa ransomware, which has been developed from its early variants based on the JSWorm codebase.

Victimology

The vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

Recommendation

Organizations are urged to apply the patch released by Microsoft for CVE-2023-28252 to protect their systems from potential attacks.

IOCS

Categories
Cybersecurity Advisories

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

CVE-2023-23397 (CVSSv3 Score: 9.8 – Critical) – Microsoft Outlook Elevation of Privilege Vulnerability

This zero-day is a critical privilege escalation vulnerability in Microsoft Outlook that could allow an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. To achieve this, a threat actor could send a specially crafted email that will cause a connection from the victim to an external UNC location of adversarial control. The victim’s Net-NTLMv2 hash will be leaked to the attacker who can then relay this to another service and authenticate as the victim. What makes this dangerous is that the flaw will be triggered before the email is viewed in the Preview Pane, no user interaction is required.

Microsoft says that this vulnerability was exploited by STRONTIUM, which is a state-sponsored Russian hacking group. Between mid-April and December 2022, CVE-2023-23397 was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations.

Affected Products

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Mitigations

  • Customers can disable the WebClient service running on their organization’s machines.
    • This will block all WebDAV connections including intranet which may impact users or applications.
  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
    • This process is claimed to be insufficient due to the vulnerability’s ability to be exploited on any port if WebClient is running.

Additional Information

  • Microsoft recommends all customers (on-premises, hybrid or online) to install Outlook updates.
  • Exchange March SU does not address CVE-2023-23397, you need to install Outlook updates to address this vulnerability in Outlook.

Detection

Microsoft has released a PowerShell script to help admins validate if any users in their Exchange environment have been targeted using this Outlook vulnerability. The script checks Exchange messaging items to see whether a property is populated with a UNC path. Admins could also use this script to clean up the property for items that are malicious or even delete the items permanently.

POC Available

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

MITRE Summary

Tactic

Technique ID

Technique Name

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Credential Access

T1187

T1212

Forced Authentication

Exploitation for Credential Access

Defense Evasion

Lateral Movement

T1550.002

Pass the Hash

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.  

 

Microsoft Customer Guidance

Resources & Related Articles

Categories
Cybersecurity Advisories

LastPass Reveals Additional Details of Their Second Hack

LastPass shared additional updates regarding the second security incident that was disclosed in December where an unnamed threat actor combined data stolen from a breach in August 2022 with information from another data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. In this attack, the threat actor targeted a senior DevOps engineer by breaching their personal home computer and exploited vulnerable third-party software. They installed a keylogger, bypassed existing controls, and gained unauthorized access to cloud backups. 

The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

In the aftermath of the incident, LastPass claimed to have upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor. In addition, they applied extra S3 hardening measures to put in place logging and alerting mechanisms. LastPass has released a new security advisory and a PDF detailing further information about the breach and the stolen data. The parent company of LastPass, GoTo, announced that it will inform individuals if their data has been breached and provide “actionable steps” to ensure greater security for their accounts. It is highly recommended for LastPass users to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Summary of data accessed

  • DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

Additional details can be found here.

Recommendations

LastPass users are strongly urged to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Mitigations

LastPass has provided two security bulletins to assist customers in their own incident response efforts.

  • Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families Customers. This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming best practices are being followed.
  • Security Bulletin: Recommended Actions for LastPass Business Administrators. This bulletin guides administrators for our Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information that is relevant to both non-federated and federated customers.

Resources & Related Articles

Categories
Cybersecurity Advisories

Fortinet Patches 40 Flaws Affecting FortiWeb, FortiOS, FortiNAC, and FortiProxy

Fortinet released security advisories for 40 vulnerabilities to inform customers of available security patches. Affected Fortinet products include FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others. Two of the vulnerabilities are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. 

CVE-2022-39952 (CVSS score: 9.8) is a severe bug in the FortiNAC solution that could lead to arbitrary code execution. It can be exploited by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges. Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches are urged prioritize applying the available security updates (FG-IR-22-300). Additionally, researchers from Horizon3 have recently released a PoC exploit code that is available on the company’s Github repository. FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability. 

The second flaw, CVE-2021-42756 (CVSS score: 9.3), was discovered more than one year ago and is a set of stack-based buffer overflow in FortWeb’s proxy daemon that could allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests. It has been fixed (FG-IR-21-186) in FortiWeb version 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above. 

Affected Software 

See: PSIRT Advisories. 

Recommendation 

Organizations are recommended to view the PSIRT Advisories and apply available security updates for affected products. 

Resources & Related Articles 

Categories
Cybersecurity Advisories

Hackers Use Microsoft OneNote Attachments to Spread Malware

Description 

Malicious actors are using a new file format in the form of Microsoft OneNote attachments to spread malware to targets. Since OneNote allows users to insert attachments into a NoteBook, threat actors are abusing this feature by attaching malicious VBS attachments that automatically launch the script when double-clicked to download malware from a remote site and install it. Because the attachments look like a file’s icon in OneNote, threat actors overlay a large ‘Double click to view file’ bar over the inserted VBS attachments to hide them. If the ‘Click to View Document’ bar is moved out of the way, it can be observed that the malicious attachment includes multiple attachments. The threat actors did this in a way that if a user double clicks anywhere on the bar, it’s second click will land on the attachment, resulting in launching the malware. Luckily, when launching the OneNote attachments, the program provides a warning before installation. However, if a victim ignores the warning and clicks OK, it will launch the VBS script to download and install malware. This will allow the threat actor to remotely access a victim’s device to steal files, saved browser passwords, take screenshots, and in some cases, even record video using webcams.  

Fake DHL Email with OneNote Attachment 

Malicious OneNote Email Attachment

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:  

MDR Services 

  • We have added indicators related to known malicious threat actors into our blocklists in our MDR solution, FortiSIEM.  
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.  

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.   

As always, if we detect activity related to these exploits, we will alert you when applicable.  

Recommendations 

  • The best way to protect against malicious attachments is to simply not open files from people you do not know. If a file is mistakenly opened, do not disregard the warnings displayed by the operating system or application.  
  • If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.  
  • If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.  
  • Consider blocking “.one” attachments. See: 
  • OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.    

Detections 

SOC Prime has released rules to detect cyber attacks abusing OneNote attachments. Click here to access the full list of relevant detection content.  

MITRE Summary 

  • TA0002 – Execution 
  • T1047 – Windows Management Instrumentation  
  • TA0005 – Defense Evasion  
  • T1027 – Obfuscated Files or Information  
  • T1036 – Masquerading  
  • T1070.006 – Timestomp 
  • T1497 – Virtualization/Sandbox Evasion 
  • T1562.001- Disable or Modify Tools  
  • TA0006 – Credential Access  
  • T1003 – OS Credential Dumping  
  • TA0007 – Discovery 
  • T1057 – Process Discovery  
  • T1082 – System Information Discovery  
  • T1012 – Query Registry  
  • T1016 – System Network Configuration Discovery  
  • T1083 – File and Directory Discovery  TA0009 – Collection 
  • T1005 – Data from Local System  
  • TA0011 – Command and Control  
  • T1071 – Application Layer Protocol  

Indicators of Compromise (IoCs) 

Resources & Related Articles 

Categories
Cybersecurity Advisories

Microsoft Defender ASR Rules Cause Desktop Icon and Office Apps to Disappear

Update:
1/17/2023 – Microsoft provides a script that recovers deleted start menu and taskbar shortcuts. See Recovering from Attack Surface Reduction rule shortcut deletions.

Description 

Reports of Microsoft Defender for Endpoint attack surface reduction (ASR) rules removing icons and application shortcuts from the Start Menu and Taskbar have been increasing as Microsoft investigates. This issue stems from the latest update (Defender Update KB2267602 Version 1.381.2140.0) and affects businesses and organizations using Microsoft 365 and Defender for protection against malware, viruses, and other threats. IT admins are currently trying to work around the issue by setting the “Block Win32 API calls from Office macro” rule to audit only. When working correctly, this ASR rule (known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) should block malware from using VBA macros to call Win32 APIs. 

Details and Recommendation 

Microsoft has recently announced that they reverted the rule to prevent further impact and will investigate further. Although there currently is no mitigation for the problem, Microsoft recommends that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment. You can put the ASR rule to Audit Mode using one of the following methods: 

  • Using Powershell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode 
  • Using Intune 
  • Using Group Policy 
  • Set the rule to disabled mode using the following Powershell command: 
    “Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled” 

Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the Microsoft 365 app launcher 

Summary 

The latest Defender Update KB2267602 (Version 1.381.2140.0) bug deleted shortcuts from the desktop, start menu, and taskbar. Microsoft has since reverted the rule and recommends users to place the offending ASR rule into Audit Mode. 

Microsoft has advised users to follow the SI MO497128 for more details and instructions. This is an ongoing problem and updates should be expected. 

Resources & Related Articles 

  Buggy Microsoft Defender ASR rule deletes Windows app shortcuts  

  Microsoft Defender ASR rules cause apps and icons to vanish 

  Latest Defender Update KB2267602 Bug Deletes Shortcuts HTMD Blog 

  Microsoft investigating Windows Start menu and taskbar shortcuts disappearing 

  (Twitter) Microsoft M365 Status: https://twitter.com/MSFT365Status 

Categories
Cybersecurity Advisories

Microsoft Exchange Zero-Days (CVE-2022-41040 and CVE-2022-41082)

Update

10/4/2022 – Microsoft updated their blog with three mitigation options.

10/8/2022 – Updated mitigations. A correction was made to the string in step 6 and step 9 on the URL Rewrite rule mitigation Option 3.

Description

Two new zero-day vulnerabilities in Microsoft Exchange are actively being exploited in the wild. The first vulnerability is reported to be a Server-Side Request Forgery and is identified as CVE-2022-41040. The second allows remote code execution (RCE) when Powershell is accessible to the attacker and is identified as CVE-2022-41082. Microsoft informed that the two vulnerabilities have been collectively dubbed ProxyNotShell, mainly because “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch. The two flaws are linked together in an exploit chain, with the Server-Side Request Forgery bug enabling an authenticated threat actor to remotely trigger arbitrary code execution.

  • CVE-2022-41040 (CVSS score: 8.8 High) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 (CVSS score: 8.8 High) – Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft emphasized that it’s working on an accelerated timeline to implement a solution, while urging on premises Microsoft Exchange customers to add an IIS Manager blocking rule as a short-term stopgap to mitigate potential threats.

According to Microsoft, Exchange Online customers do not need to take any action.

 

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

  • We have added IPs known to exploit this vulnerability into our blocklists in our MDR solution, FortiSIEM.
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.

EDR Services

  • We have implemented known IoC information to help with detection. If we see activity related to these exploits, we will contact you directly.

We will be providing frequent updates. If you use on-prem exchange, please review the details below which provide mitigations and detections.

 

Mitigation

Although there is no official patch as of yet, Microsoft published a blog post detailing mitigation and detection steps.

To reduce the risk of exploitation, Microsoft proposed blocking the known attack patterns through a rule in the IIS Manager:

  1. Open IIS Manager
  2. Select Default Web Site
  3. In the Feature View, click URL Rewrite
  4. In the Actions pane on the right-hand side, click Add Rule(s)…
  5. Select Request Blocking and click OK
  6. Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
  7. Select Regular Expression under Using.
  8. Select Abort Request under How to block and then click OK.
  9. Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions.
  10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK.
  11. Additionally, Microsoft recommends disabling remote PowerShell access for non-admin users. The operation should take less than five minutes and the restriction can be enforced for only one or multiple users.

Detection and Advanced Hunting

For detection and advanced hunting guidance, customers should reference Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.

Indicators of Compromise (IoCs)

Hash (SHA256):

c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5

b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca

be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82

45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9

9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0

29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3

c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

125[.]212[.]220[.]48

5[.]180[.]61[.]17

47[.]242[.]39[.]92

61[.]244[.]94[.]85

86[.]48[.]6[.]69

86[.]48[.]12[.]64

94[.]140[.]8[.]48

94[.]140[.]8[.]113

103[.]9[.]76[.]208

103[.]9[.]76[.]211

104[.]244[.]79[.]6

112[.]118[.]48[.]186

122[.]155[.]174[.]188

125[.]212[.]241[.]134

185[.]220[.]101[.]182

194[.]150[.]167[.]88

212[.]119[.]34[.]11

C2:

137[.]184[.]67[.]33

URL:

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

MITRE Summary

TacticIDName
Resource DevelopmentT1586.002Compromise Accounts: Email Accounts
ExecutionT1059.003Command and Scripting Interpreter: Windows Command Shell
ExecutionT1047Windows Management Instrumentation
PersistenceT1505.003Server Software Component: Web Shell
Defense EvasionT1070.004Indicator Removal on Host: File Deletion
Defense EvasionT1036.005Masquerading: Match Legitimate Name or Location
Defense EvasionT1620Reflective Code Loading
Credential AccessT1003.001OS Credential Dumping: LSASS Memory
DiscoveryT1087Account Discovery
DiscoveryT1083File and Directory Discovery
DiscoveryT1057Process Discovery
DiscoveryT1049System Network Connections Discovery
Lateral MovementT1570Lateral Tool Transfer
CollectionT1560.001Archive Collected Data: Archive via Utility

Resources & Related Articles