Microsoft fixes 3 zero-day vulnerabilities and 77 flaws

SISA Weekly Threat Watch - 20 February 2023

The increased number of platforms targeted by ransomware operators and Advanced Persistent Threat (APT) groups is a major source of concern for organizations. This is due in part to the adaptability of malware and ransomware to exploit different platforms, as well as the sophisticated techniques used by threat groups to remain undetected. Threat actors have also been exploiting vulnerabilities in multiple platforms this week using PowerShell scripts, backdoors, phishing emails, and RAT malware installation.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Hackers abuse Sunlogin software vulnerabilities for Sliver C2 Framework deployment

Threat actors are using vulnerabilities in Sunlogin software to install the Sliver C2 framework for conducting post-attack operations. Sunlogin software had a remote code execution (RCE) vulnerability revealed in 2022 (CNVD-2022-10270/CNVD-2022-03672). After the exploit code was made public, attacks utilizing the flaw were detected. These attacks often resulted in the installation of Gh0st RAT, but sometimes the XMRig CoinMiner was installed instead.

Threat actors disabled security software by installing a PowerShell script utilizing BYOVD (Bring Your Own Vulnerable Driver) after exploiting the Sunlogin RCE vulnerability. Attackers installed Sliver after exploiting the Sunlogin RCE vulnerability by deploying a PowerShell script. The binary produced by the backdoor was utilized in the attacks as-is, without further wrapping. It is recommended to keep software up to date with the latest patches to avoid vulnerability exploitation.

2. Linux variant of Clop ransomware spotted

The Clop ransomware’s first Linux variant has been found in the wild, but it uses a faulty encryption algorithm that has allowed for its reverse engineering. An encryption flaw in the ELF executable makes it simple to release locked files without paying ransom. Although there are a few minor differences, most of which may be due to OS differences like API calls, the ELF Clop variant is designed using a similar logic to the Windows variant.

The ransomware’s Linux variant is made to target particular folders and file types for encryption, and it comes with a hard-coded master key that can be used to decrypt files without compensating the threat actors. If anything, the development shows a rising pattern of threat actors turning their attention away from Windows and onto other platforms.

3. Reddit reports internal security breach with access to internal documents and code

Reddit reports a security breach in which attackers were able to access internal information including documents, code and business systems. However, there is no evidence of a breach in the production systems or user data. On February 5, 2023, Reddit was alerted to a sophisticated phishing attack aimed at its employees. The attackers sent out fake emails that seemed legitimate, directing employees to a website that mimicked Reddit’s internal network gateway. The goal was to steal employee credentials and second-factor tokens.

The attackers successfully obtained the credentials of a single employee, giving them access to internal documents, code, and business systems. However, there is no evidence of a breach of Reddit’s primary production systems, where most of its data is stored and processed. Organizations should consider implementing multi-factor authentication (MFA) and enhance their password policy to prevent password-based attacks. It is also recommended to regularly monitor systems to detect unusual activity.

4. ‘Al-Toufan’ hackers take down Bahrain International Airport website

A hacking group known as Al-Toufan has claimed responsibility for taking down the Bahrain International Airport site, along with the sites of the state-run Bahrain News Agency and the Bahrain Chamber of Commerce. The group posted images showing 504 Gateway Timeout Errors, stating that the hacking was “in support of the revolution of our oppressed people of Bahrain.”

The Al-Toufan operators are said to be the same hackers who targeted government websites during November elections that were boycotted by a banned opposition group. It is unclear if the hackers forged their attack using malware or the traditional denial-of-service method where the target website is flooded with requests until it fails to load for users. Organizations are recommended to install updates for operating systems, software, and firmware as soon as they are released. Additionally, enroll in DDoS (Cloud) Mitigation protection services to prevent such attacks.

5. Microsoft fixes 3 actively exploited zero-days and 77 flaws

Microsoft, on its February 2023 Patch Tuesday, fixed three actively exploited zero-day vulnerabilities and 77 flaws. Among these, 9 vulnerabilities are classified as ‘Critical’ as they allow remote code execution on vulnerable devices.

Windows Graphics Component Remote Code Execution Vulnerability (CVE-2023-21823) affects Microsoft Office app on Android and iOS devices. No user interaction is required to exploit the flaw and it gives the attacker system privileges for complete control over Windows OS systems.

Microsoft Publisher Security Features Bypass Vulnerability (CVE-2023-21715) requires user interaction which could be easily achieved by emailing a link to a web site that hosts a specially crafted file to entice the user to open it. The vulnerability allows a specially crafted document to bypass Office macro policies that block untrusted or malicious files.

Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2023-23376) does not require user interaction and would give the attacker system privileges. Users are advised to install all security updates to mitigate potential threats.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider