Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-21794

Microsoft Edge (Chromium-based) Tampering Vulnerability

CVE-2023-21720

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-23374

Microsoft Publisher Security Features Bypass Vulnerability

CVE-2023-21715

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” 
According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only one vulnerability CVE-2023-21823, a privilege escalation vulnerability, was seen in the wild.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

Microsoft Patch Tuesday for February 2023  — Snort rules and prominent vulnerabilities

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only three vulnerabilities were seen in the wild. The most serious one is CVE-2023-21823 a Windows Graphics Component Remote Code Execution Vulnerability. Followed by CVE-2023-21715 a Microsoft Publisher Security Features Bypass Vulnerability which we are describing below and CVE-2023-23376 a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

By Waqas
All infected websites are using the WordPress CMS.
This is a post from HackRead.com Read the original post: Adsense abused: 11,000 sites hacked in a backdoor attack

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

Sucuri researchers have reported a backdoor that has successfully infected around 11,000 websites in recent months. Here are the details shared by Sucuri in its technical report.

It is a fact that, lately, several Google products have been exploited and abused to spread malware and other malicious components, including **Google Ads**, **Google Home**, and **Google Drive**.

In fact, **a study revealed** that Google Drive accounted for 50% of malicious Office document downloads in 2022.

**Backdoor Redirecting Visitors to Hacked Sites**

According to Sucuri’s research, the backdoor redirects users to sites that show fraudulent views of **Google AdSense ads**. The company’s SiteCheck remote scanner has detected more than 10,890 infected sites. The activity has further intensified recently, with 70 new malicious domains disguised as legitimate in 2023 and 2,600 infected sites discovered on the web.

All the infected websites detected by Sucuri were using **WordPress CMS**. These had an obfuscated PHP script injected into the legitimate files on the websites, such as index.php, wp-activate.php, wp-signup.php, and wp-cron.php, etc.

**How Does the Attack Work?**

In the past two months, Sucuri researchers have identified over 75 pseudo-short URL domains linked with redirected traffic. It must be noted that almost all of the malicious URLs appear to belong to the same **URL-shortening service**. Some even mimic the names of popular shortening services, such as Bitly.

The visitors are redirected to a range of low-quality websites developed on the Question2Answer CMS, and the discussion topics are mostly related to cryptocurrency or **blockchain**.

Researchers believe it could be intentional to advertise new cryptocurrencies in a pump-and-dump, ICO fraud. However, researchers are certain that the primary objective of this ad fraud is to inorganically increase traffic to sites that contain the AdSense ID so that **Google ads** can be displayed for revenue generation.

Image source: Sucuri

**How does It Evade Detection?**

Some of these malicious sites also inject obfuscated code into “wp-blog-header.php.” This code works as a backdoor to ensure the malware evades disinfection attempts. It performs this by loading itself into files that run as soon as the targeted server is restarted.

“Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

The malware hides its presence by suspending redirections when a visitor logs in as an administrator or visits an infected site within 2 to 6 hours. The malicious code is hidden using Base64 encoding.

**How URL Shorteners Abused in the Attack?**

When the user enters any domain names in their browser, they are redirected to a real URL shortening service, e.g., Cuttly or Bitly, but these are not genuine public URL shorteners. Each domain has a few working URLs that redirect visitors to spammy Q&A sites featuring AdSense monetization.

In a **blog post**, Sucuri researcher Ben Martin stated that the “backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestacklive and place them in files with random names in wp-includes, wp-admin, and wp-content directories.”

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

“At this point, we haven’t noticed malicious behaviour on these landing pages. However, at any given time, site operators may arbitrarily add malware or start redirecting traffic to other third-party websites,” researchers noted.

1.  **Google Docs exploit to spread phishing** **links**
2.  **Google, Microsoft and Oracle generated most flaws**
3.  **Malware-infected Minecraft modpacks hit Play Store**
4.  **Ad-blocker extension injected ads in Google searches**
5.  **Fake Brave browser site drops malware from Google Ads**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Adsense abused: 11,000 sites hacked in a backdoor attack

Since December 2022, Cisco Talos has been observing an unidentified actor deploying two relatively new threats, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware, to steal cryptocurrency from victims.

New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware.
Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022.
The initial vector entails using

Cryptocurrency / Software Security

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware.

Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022.

The initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others.

"After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum said in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address."

This is achieved by creating a Chromium web browser extension in the Windows AppData folder and writing to it the rogue Javascript and a manifest.json file that requests users' permissions to access and modify the clipboard.

Targeted web browsers include Google Chrome, Microsoft Edge, Brave, and Opera, with the malware modifying browser shortcuts to load the add-on automatically upon launch using the "--load-extension" command line switch.

The latest set of Python packages exhibits a similar, if not the same, modus operandi, and is designed to function as a clipboard-based crypto wallet replacing malware. What's changed is the obfuscation technique used to conceal the JavaScript code.

The ultimate goal of the attacks is to hijack cryptocurrency transactions initiated by the compromised developer and reroute them to attacker-controlled wallets instead of the intended recipient.

"This attacker significantly increased their footprint in pypi through automation," Phylum noted. "Flooding the ecosystem with packages like this will continue."

The findings coincide with a report from Sonatype, which found 691 malicious packages in the npm registry and 49 malicious packages in PyPI during the month of January 2023 alone.

The development once again illustrates the growing threat developers face from supply chain attacks, with adversaries relying on methods like typosquatting to trick users into downloading fraudulent packages.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

Microsoft on Monday attributed a China-based cyber espionage actor to a set of attacks targeting diplomatic entities in South America.
The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker DEV-0147, describing the activity as an "expansion of the group's data exfiltration operations that traditionally targeted government agencies and think tanks in Asia

Cyber Threat Intelligence

Microsoft on Monday attributed a China-based cyber espionage actor to a set of attacks targeting diplomatic entities in South America.

The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker **DEV-0147**, describing the activity as an "expansion of the group's data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe."

The threat actor is said to use established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access.

ShadowPad, also called PoisonPlug, is a successor to the PlugX remote access trojan and has been widely put to use by Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People's Liberation Army (PLA), per Secureworks.

One of the other malicious payloads put to use by DEV-0147 is a webpack loader called **QuasarLoader**, which allows for deploying additional payloads onto the compromised hosts.

Redmond did not disclose the method DEV-0147 might be using to gain initial access to a target environment. That said, phishing and opportunistic targeting of unpatched applications are likely vectors.

"DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command-and-control and data exfiltration," Microsoft said.

DEV-0147 is far from the only China-based advanced persistent threat (APT) to leverage ShadowPad in recent months.

In September 2022, NCC Group unearthed details of an attack aimed at an unnamed organization that leveraged a critical flaw in WSO2 (CVE-2022-29464, CVSS score: 9.8) to drop web shells and activate an infection chain that led to the delivery of ShadowPad for intelligence gathering.

ShadowPad has also been employed by unidentified threat actors in an attack targeting an ASEAN member foreign ministry through the successful exploitation of a vulnerable, and Internet-connected, Microsoft Exchange Server.

The activity, dubbed REF2924 by Elastic Security Labs, has been observed to share tactical associations with those adopted by other nation-state groups such as Winnti (aka APT41) and ChamelGang.

"The REF2924 intrusion set \[...\] represents an attack group that appears focused on priorities that, when observed across campaigns, align with a sponsored national strategic interest," the company noted.

The fact that Chinese hacking groups continue to use ShadowPad despite it being well-documented over the years suggests the technique is yielding some success.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft