July 2023
- Patch Tuesday – 7 /11
- Threat Actors Target USPS Customers via Malicious Advertisements
- Active Exploitation by Storm-0978 via Malicious Attachments
- Sonicwall and Fortinet Release Critical Firewall Patches
- Apple’s Deployment Rollback
- Microsoft Confirms Breach of Government Emails by Chinese Hackers
As always, Advanced is proud to be here for all your security needs. Reach out now ([email protected]) to determine how you can improve your security posture and keep your business running smoothly.
– The Advanced Security Task Force
| Patch Tuesday – 7/11 |
The 2nd Tuesday of every month is Patch Tuesday! Every Patch Tuesday, Microsoft addresses security vulnerabilities in their products via a large deployment of software updates. This month’s Patch Tuesday addressed 132 security vulnerabilities, 9 of which were considered critical. A full list of these updates can be seen here.
Advanced deploys patches to all environments as a priority following a testing phase. The criticality of security updates is determined by several factors, primarily the ease of exploitability by threat actors and if the vulnerability has been exploited in the wild. The critical vulnerabilities, and their details, can be seen below:
- CVE-2023-32057 – Microsoft Message Queuing Remote Code Execution Vulnerability
- CVE-2023-33157 – Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2023-33160 – Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2023-35315 – Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
- CVE-2023-35297 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
- CVE-2023-35352 – Windows Remote Desktop Security Feature Bypass Vulnerability
- CVE-2023-35365 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
- CVE-2023-35366 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
- CVE-2023-35367 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
| Threat Actors Target USPS Customers via Malicious Advertisements |
- A sophisticated malware advertisement campaign has been discovered targeting end users tracking packages via USPS.
- Known as ‘Malvertising’, a threat actor will pay advertising fees to ensure their malicious ads are seen by end users Googling USPS tracking (Figure 1, below)
- The advertisement and site appear legitimate, and the user is asked to enter their tracking number. However, upon entering this information, the site will inform the user that their package could not be delivered due to “Incomplete Information”. The user will then be asked to fill in pertinent details, such as address and credit card information (Figures 2 and 3, below)
- The user will then be asked to pay a small service fee (usually less than $0.50). This not only verifies the credit card information is accurate, but is also a small enough fee that the user will likely pay it without question. The real value to the threat actor will be reselling this information in criminal markets
- The below sites have been confirmed to gather user credit card data, and have since been flagged by Cloudflare to warn users that the sites are illegitimate (Figure 4, below):
- logictrackngs[.]com
- super-trackings[.]com
- web-trackings[.]com
- tracks4me[.]biz
- forgetrackng[.]com
- Malvertising is one of the most dangerous campaigns end users face when using search engines. Brand impersonation can appear very legitimate, and threat actors with enough capital can prominently display their fake sites above real sites in search engine results. Advanced recommends cautious behavior whenever conducting a search.
- These sponsored search results will read “Sponsored” directly above the URL. Clicking the 3 vertical dots as shown below will allow end users to investigate the source of the advertisement at a deeper level, and separate legitimate businesses from known scams.
- Please refer to the original article for additional information.
| Active Exploitation by Storm-0978 via Malicious Attachments |
- Microsoft has released details on a vulnerability being actively exploited in the wild through malicious Office documents sent over email. The threat actor has been identified by codename Storm-0978.
- The vulnerability, deemed CVE-2023-36884, enables remote access to client environments once a malicious attachment is opened on the end user PC.
- To limit exploitation of this vulnerability, Microsoft has not disclosed details on how these emails are crafted and how the backdoor is configured. Microsoft has also confirmed that no patch exists for the vulnerability at this time.
- Advanced’s Endpoint Detection and Response s (EDR) solution has been configured to detect and block any similar behaviors in the interim.
- Advanced advises all to take extreme precautions and avoid opening attachments from unknown or suspicious sources.
| Sonicwall and Fortinet Release Critical Firewall Patches |
- SonicWall and Fortinet, two widely used cybersecurity companies, released patches mid-July for a large suite of products.
- Vulnerabilities are scored from a vendor neutral scorecard known as the Common Vulnerabilities Scoring System (CVSS). This model identifies criticality of vulnerabilities on a scale of 0 (not at all impactful) to 10 (Massively Impactful).
- Details on this scoring system can be found here.
- CVSS scores from these patch releases range from 4.9 (Medium) to 9.8 (Critical). Immediate patching is recommended for all affected devices.
- Full details on the vulnerabilities and devices affected be found here for SonicWall devices and here for Fortinet devices.
| Apple’s Deployment Rollback |
- Apple rolled out an urgent software update to its iOS and iPadOS mobile operating systems on Monday, July 10th via their ‘Rapid Security Response’ program.
- Apple advised that the addressed vulnerability was being actively exploited in the wild. Apple did not disclose detailed information to minimize information on tactics for potential threat actors.
- On Tuesday, July 11th, Apple recalled this update amidst reports that the patch was causing errors navigating websites.
- The Rapid Security Response program is an automated update process users can opt in or out of for quick and lightweight patches to address critical issues in security. The process has received criticism, as the rushed updates can lead to bugs or untested code adversely affecting the user experience.
- Details on Apple’s Rapid Security Response program, and instructions for opting in or out, can be seen here.
| Microsoft Confirms Breach of Government Emails by Chinese Hackers |
- Microsoft released a report on July 11th detailing an observed compromise of US Government email accounts.
- The threat actors, identified as Storm-0558, successfully compromised email accounts via the Outlook Web App (OWA), a web-based portal for accessing emails.
- Microsoft discovered anomalous activity dating as far back as May 15th, 2023. The anomalous activity confirmed illegitimate access to email accounts spanning 25 organizations, including the US State and Commerce Department.
- Compromised companies have been contacted directly. Microsoft has confirmed the source of attack has been mitigated, and there are no further indications of compromise at this time.
- Further details and Microsoft’s official disclosure can be seen here.
