Microsoft SharePoint Denial of Service Vulnerability

CVE-2023-33129

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-33137

Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month's relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn't marred by the active exploitation of a zero-day vulnerability in Microsoft's products.

**Microsoft Corp.** today released software updates to fix dozens of security vulnerabilities in its **Windows** operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.

June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”

Top of the list on that front is CVE-2023-29357, which is a “critical” bug in **Microsoft SharePoint Server** that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).

“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”

There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the **Windows Pragmatic General Multicast** (PGM), which is used for delivering multicast data — such as video streaming or online gaming.

Security firm **Action1** says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.

It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using **Microsoft Exchange** for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.

Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.

“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, June 2023 Edition

The average cost of a data breach is $4.35 million. Understand the power of public key infrastructure (PKI) and its role in encrypting data and battling breaches.

Identity is the key to unlocking zero-trust environments, but it is also the key to a lucrative payday for cybercriminals selling prized company data and personal information.

In recent years, data breaches (and their impact on companies and affected individuals) have made headlines. Data breaches have affected a variety of industries including financial services organizations Equifax and CapitalOne, energy company Colonial Pipeline, and fast-food chain Chick-Fil-A. While these companies were well-known before their data breaches, if the world did not know their names prior to making headlines for breaches, they do now.

**Understanding the Power of PKI**

The best way to protect anything is by keeping it under lock and key, but for information stored in the cloud or exchanged electronically, a physical lock and key is futile. Public key infrastructure (PKI) serves as a cybersecurity lock-and-key system that protects data and resources, as well as authenticates access, secures communications, and provides data integrity and non-repudiation. PKI is widely used in secure email communication, digital signatures, secure Web browsing (HTTPS), virtual private networks (VPNs), and secure online transactions, and other applications.

At PKI's core is asymmetric cryptography, which uses key pairs: a public key and a private key. The public key is widely distributed and used to encrypt information while the corresponding private key is kept secret and used for decryption. Once these keys are inserted into individual devices and applications, they work to encrypt data and authenticate connected devices and applications.

Imagine your organization has a mailroom that houses feedback boxes for all the departments in the company. Each department's feedback box and the mailroom have a public key that allows anyone in the company to unlock any department's box and drop a message into it. However, the head of each department has a private key that only they possess. This private key is mathematically related to the public key and is the only key in the entire company that can unlock a department's feedback box to access messages or decrypt anything in the box that is encrypted.

**How PKI Encrypts Data**

Since PKI uses mathematically related keys to encrypt and decrypt data, only the private key can decrypt data that is encrypted with the public key. Therefore, data in transit cannot be intercepted, and when at rest on a device or database, encrypted data cannot be read even if stolen because thieves will not have the private key to unlock it.

If you deploy and use PKI across a corporate network, you can establish a zero-trust environment by authenticating and encrypting everything that is written to or retrieved from a server or device. For example, if your website uses a TLS/SSL certificate to encrypt communications between a customer's browsers and your website's server, you are using PKI encryption. As the backbone of enterprise network security, deploying PKI is extremely complex.

**Benefits of Cloud-Based PKI**

Deploying and maintaining PKI requires a lot of resources and talent, but it's critical for protecting company data. Many organizations find deploying PKI in the cloud and as a service (PKIaaS) to be a better option than doing it all in-house. Cloud PKIaaS offers several benefits for enterprises of all sizes, such as:

**Rapid deployment:** PKI has come a long way since its inception. While it used to be a system that required on-premises deployment, it can now be deployed entirely through the cloud. Cloud PKI can be integrated into existing security systems and operational within a matter of days.

**Agility:** PKI has been around for decades and is already deployed in most infrastructures with Microsoft Certificate Authority (CA). PKIaaS provides a straightforward way to migrate from Microsoft CA without changing your enterprise infrastructure.

**Scalability:** Cloud PKIaaS enables organizations to scale as they grow and expand use cases without incurring additional hardware or infrastructure costs.

**Security:** Not only is encrypted data useless without the decryption key but so are your keys to the kingdom: private keys. PKIaaS protects private keys in Federal Information Process Standards (FIPS)-compliant hardware security modules (HSMs) stored in geographically dispersed data centers capable of withstanding nuclear attacks.

**Cost savings:** By leveraging the existing capabilities of your organization's devices, software, and hardware, cloud PKI maximizes your IT investment by eliminating costs of acquiring new devices or tools.

With the average cost of a data breach at $4.35 million in 2022, deploying PKI and encrypting data are more cost-effective than becoming the victim of a breach. For more information on PKI encryption, we recommend reading our Encrypt Everything e-book for strategies to help develop a data breach battle plan.

**About the Author**

    

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).

Harness the Power of PKI to Battle Data Breaches

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

Tuesday, June 13, 2023 15:06

Cisco Talos recently discovered two vulnerabilities in the Microsoft Excel spreadsheet management software that could allow a malicious actor to execute arbitrary code on the targeted machine.

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

One of the vulnerabilities, TALOS-2023-1730 (CVE-2023-32029), exists in the FreePhisxdb function of Excel. An attacker could exploit this vulnerability by tricking the targeted user into opening a specially crafted file. Then, they can manipulate the heap to gain the ability to execute arbitrary code.

TALOS-2023-1734 (CVE-2023-33133) works similarly, but in this case, causes an out-of-bounds read that turns into an out-of-bounds write, which in turn, could lead to memory corruption and, finally, arbitrary code execution.

Microsoft noted that although these vulnerabilities are listed as “remote code execution,” the attack itself is carried out locally. Both vulnerabilities have a CVSS severity score of 7.8 out of 10 and are considered to be “less likely” to be exploited, according to Microsoft.

Cisco Talos worked with Microsoft to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Microsoft Office Excel 2019 Plus, version 16.0.16130.20218. Talos tested and confirmed this version of Excel could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61503, 61504, 61574 and 61575. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Two remote code execution vulnerabilities disclosed in Microsoft Excel

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days

Potential time-of-check to time-of-use (TOCTOU) vulnerabilities have been identified in the BIOS for certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.

CVE-2022-31635: HP PC BIOS November 2022 Security Updates for Potential TOCTOU Vulnerabilities

A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America.
"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages,"

Crimeware / Cryptocurrency

A novel multi-stage loader called **DoubleFinger** has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America.

"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin said in a Monday report.

The starting point of the attacks is a modified version of espexe.exe – which refers to Microsoft Windows Economical Service Provider application – that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.

The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.

A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.

DoubleFinger, in addition to dropping GreetingGhoul, has also been spotted delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.

The analysis "reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs)," Lozhkin noted.

"The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer

"Dozens" of organizations across the world have been targeted as part of a broad business email compromise (BEC) campaign that involved the use of adversary-in-the-middle (AitM) techniques to carry out the attacks.
"Following a successful phishing attempt, the threat actor gained initial access to one of the victim employee's account and executed an 'adversary-in-the-middle' attack to bypass

"Dozens" of organizations across the world have been targeted as part of a broad business email compromise (BEC) campaign that involved the use of adversary-in-the-middle (AitM) techniques to carry out the attacks.

"Following a successful phishing attempt, the threat actor gained initial access to one of the victim employee's account and executed an 'adversary-in-the-middle' attack to bypass Office365 authentication and gain persistence access to that account," Sygnia researchers said in a report shared with The Hacker News.

"Once gaining persistence, the threat actor exfiltrated data from the compromised account and used his access to spread the phishing attacks against other victim's employees along with several external targeted organizations."

The findings come less than a week after Microsoft detailed a similar combination of an AitM phishing and a BEC attack aimed at banking and financial services organizations.

BEC scams typically entail tricking a target over email into sending money or divulging confidential company information. Besides personalizing the emails to the intended victim, the attacker can also impersonate a trusted figure to achieve their goals.

This, in turn, can be achieved by seizing control of the account through an elaborate social engineering scheme, following which the scammer emails the company's clients or suppliers fake invoices that request payment to a fraudulent bank account.

In the attack chain documented by Sygnia, the attacker was observed sending a phishing email containing a link to a purported "shared document" that ultimately redirected the victim to an AitM phishing page designed to harvest the entered credentials and one-time passwords.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

What's more, the threat actors are said to have abused the temporary access to the compromised account to register a new multi-factor authentication (MFA) device in order to gain a persistent remote foothold from a different IP address located in Australia.

"In addition to exfiltration of sensitive data from the victim's account, the threat actor used this access to send new phishing emails containing the new malicious link to dozens of the client's employees as well as additional targeted organizations," Sygnia researchers said.

The Israeli cybersecurity company further said the phishing mails spread in a "worm-like fashion" from one targeted firm to the other and among employees within the same company. The exact scale of the campaign is currently unknown.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Adversary-in-the-Middle Attack Campaign Hits Dozens of Global Organizations

By Waqas
BreachForums is already online with a new domain, gaining attraction from members, authorities, and the cybersecurity community.
This is a post from HackRead.com Read the original post: BreachForums Returns Under the Control of ShinyHunters Hackers

The return of BreachForums was announced by Baphomet on Telegram, one of the administrators of the original forum.

BreachForums, the well-known cybercrime and hacking forum that was shut down months ago, has reemerged under new management. The notorious hacking group ShinyHunters has assumed control of the revived platform, raising alarm among cybersecurity experts and law enforcement agencies worldwide.

Confirmation of BreachForums’ return under the management of **ShinyHunters** came through Baphomet, one of the administrators of the original forum. Baphomet, who remains an active figure within the hacking community, announced the resurgence of BreachForums in a PGP-signed message, leaving no room for doubt about its authenticity.

_(Editor’s note: You have been warned – use the forum at your own risk.)_

Furthermore, a Telegram account using the alias ShinyHunters (@shinycorp) has emerged alongside Baphomet, taking charge of addressing the previous users of BreachForums. The account has already begun disseminating information and updates related to the forum’s operations, attracting attention from both potential members and concerned individuals.

Baphomet’s PGP-Signed message and ShinyHunters on Telegram (Hackread.com)

BreachForums, in its previous incarnation, served as a notorious hub for cybercriminals to exchange stolen data, discuss hacking techniques, and orchestrate illicit activities. The return of the forum, now under the auspices of ShinyHunters, has sent shockwaves through the cybersecurity community.

ShinyHunters, a hacking group infamous for their involvement in several high-profile data breaches, has consistently targeted organizations to steal sensitive information for monetary gain by **selling user data** on Clear and the dark web.

The resurgence of BreachForums under ShinyHunters’ control has raised concerns about the potential implications for global cybersecurity. Law enforcement agencies and cybersecurity experts fear an upswing in cyberattacks, data breaches, and the facilitation of illegal activities on the platform.

The reincarnation of BreachForums as posted by ShinyHunters (Image: Hackread.com)

As news of the forum’s return spreads, organizations and individuals are urged to remain vigilant regarding their online security. It is crucial to implement strong security measures, regularly update passwords, and exercise caution when sharing personal information or engaging in online discussions.

**What Happened to Old BreachForums?**

The original BreachForums emerged as an alternative to the **seized RaidForums** but was compelled to cease operations following the arrest of its owner, Conor Brian Fitzpatrick, also known as Pompompurin or Pom. Fitzpatrick, a 2021 graduate of Peekskill High School, was apprehended by the FBI.

Subsequently, the forum remained offline, prompting its members to convene in a Telegram group named “The Jacuzzi” to discuss the forum’s future. It is important to highlight that the FBI was unable to access the forum’s domain, preventing its seizure.

**About ShinyHunters**

ShinyHunters have gained prominence for their involvement in high-profile data breaches. They are known for targeting various organizations, including large corporations and popular websites.

ShinyHunters first gained attention in 2020 when they were linked to a series of data breaches, such as the **breaches of Tokopedia**, a popular Indonesian online marketplace, and **Microsoft’s GitHub repository**. In these incidents, they reportedly accessed and leaked millions of user records.

The group gained further notoriety by selling stolen data on underground hacking forums and dark web marketplaces. They typically target organizations with large user bases and sensitive data, including personally identifiable information (PII), login credentials, and financial details.

While the exact identity of ShinyHunters remains unknown, their activities and the scale of the breaches they have been associated with have raised concerns about cybersecurity and data protection.

**The Arrest and Extradition of Alleged ShinyHunters Member**

In June 2022, **Hackread.com reported** how authorities made an arrest at the Rabat international airport. The detainee was identified as Sébastien Raoult, a 21-year-old French citizen from Epinal City, France. Raoult is believed to be a member of the notorious hacking group known as ShinyHunters.

However, in January 2023, **reports emerged** stating that Raoult, also known by the alias Sezyo, had been extradited to the United States. He appeared in a Seattle federal court and pleaded not guilty to the charges against him.

Despite Raoult’s arrest, concerns persist regarding the resurgence of cyber threats associated with the ShinyHunters group. One significant cause for worry is the return of BreachForums, a platform previously exploited by the group to trade stolen data. This development poses a substantial cybersecurity threat to unsuspecting users and businesses.

In light of the past activities of ShinyHunters, organizations that have been targeted by this group must take immediate action to fortify their security systems. Strengthening security measures and implementing robust protocols are crucial steps to safeguard user data and prevent future attacks.

**RELATED ARTICLES**

1.  ShinyHunters Hack Google-funded delivery service Dunzo
2.  ShinyHunters selling 368m users records stolen from 26 firms
3.  ShinyHunters Hack Image stock site 123RF Leak 8.3m user data
4.  ShinyHunters leak database of Indian wedding site WedMeGood
5.  Raidforums Database Leak: Data of 460,000 Users Dumped Online

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#microsoft