INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog
Published: 2023-01-11
Last Updated: 2023-01-11 10:46:41 UTC
by Jan Kopriva (Version: 1)
CISA’s Known Exploited Vulnerabilities (KEV) catalog is a wonderful resource for vulnerability and patch management. If you have not come across it yet, it is – as the name suggests – a list of vulnerabilities that are currently known to be actively exploited in the wild, which is published by the US Cybersecurity and Infrastructure Security Agency (CISA)[1]. It was started back in 2021[2] and currently contains 870 vulnerabilities[3].
Although it was primarily intended for US federal institutions, which are required to remediate vulnerabilities listed in the catalog within certain timeframes, it quickly became an important part of vulnerability and patch management processes in many organizations around the world. Since the KEV catalog covers current, actively exploited vulnerabilities, it makes sense to prioritize them in both discovery of affected systems and their patching, especially when it comes to devices that are exposed to the internet.
For organizations with vulnerability management programs of (almost) any maturity in place, the identification of their own systems affected by vulnerabilities listed in the KEV catalog is quite straightforward, as any up-to-date vulnerability scanner/vulnerability management solution will probably be able to identify all of them. For organizations that lack any active vulnerability scanning capabilities, or for researchers or security teams who would like to monitor larger areas of the internet to see how many systems in them are affected by vulnerabilities included in the KEV catalog, it is not as straightforward.
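One way to put the prioritization described above into practice is to cross-reference a scanner's findings with the KEV feed and order the matches by CISA's remediation due date. This is an added example, not code from the diary; the feed layout (a `vulnerabilities` array with `cveID`, `vendorProject`, `product` and `dueDate` fields) is assumed from the public JSON feed, and both the catalog snippet and the scanner findings are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The field names
# (cveID, vendorProject, product, dateAdded, dueDate) are assumed from the
# public feed; the dueDate value here is made up for the example.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft", "product": "Windows",
   "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation",
   "dateAdded": "2023-01-10", "dueDate": "2023-01-31"}
]}"""

# Constructed scanner findings: one (host, CVE) pair per entry, as a flat
# export from any vulnerability scanner might look.
FINDINGS = [
    {"host": "10.0.0.5", "cve": "CVE-2023-21674"},
    {"host": "10.0.0.7", "cve": "CVE-2023-21549"},
    {"host": "10.0.0.9", "cve": " cve-2023-21674 "},  # sloppy id, must still match
    {"host": "10.0.0.9", "cve": "CVE-2023-21561"},
]


def load_kev(raw):
    """Index the KEV feed by upper-cased CVE id for constant-time lookups."""
    catalog = json.loads(raw)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def prioritize(findings, kev, today_iso):
    """Keep only findings whose CVE is in KEV, ordered by remediation due date
    (earliest first). days_left is negative once the due date has passed."""
    today = date.fromisoformat(today_iso)
    hits = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None:
            continue  # not in KEV: lower priority, handled by the normal process
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": f["host"],
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
        })
    return sorted(hits, key=lambda h: (h["due"], h["host"]))


if __name__ == "__main__":
    for hit in prioritize(FINDINGS, load_kev(KEV_JSON), "2023-01-11"):
        print(hit)
```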
Read the complete entry:
Microsoft January 2023 Patch Tuesday
Published: 2023-01-10
Last Updated: 2023-01-10 18:47:29 UTC
by Renato Marinho (Version: 1)
In the first Patch Tuesday of 2023, we got patches for 98 vulnerabilities. Of these, 11 are critical, 1 was previously disclosed, and 1 is already being exploited, according to Microsoft.
The zero-day is an Elevation of Privilege Vulnerability in Windows Advanced Local Procedure Call (ALPC) (CVE-2023-21674). According to the advisory, exploitation of this vulnerability could lead to a browser sandbox escape and give the attacker SYSTEM privileges. This vulnerability deserves prioritization as it is already being exploited. The CVSS of this vulnerability is 8.8, the highest this month.
The previously disclosed vulnerability is a privilege elevation vulnerability affecting Windows SMB Witness Service (CVE-2023-21549). According to the advisory, to exploit this vulnerability, an attacker could execute a specially crafted malicious script that executes an RPC call to an RPC host. This could result in elevation of privilege on the server. An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only. The CVSS of this vulnerability is 8.8 as well.
There is a third critical elevation of privilege vulnerability with CVSS 8.8. This one affects Microsoft Cryptographic Services (CVE-2023-21561). According to the advisory, a locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM.
Among the critical vulnerabilities, there are 7 remote code execution, 3 elevation of privilege and 1 security feature bypass vulnerabilities. None of the critical vulnerabilities is marked as “Exploitation More Likely” in Microsoft’s exploitability assessment.
Read the complete entry:
https://isc.sans.edu/diary/Microsoft+January+2023+Patch+Tuesday/29420/
AutoIT Remains Popular in the Malware Landscape
Published: 2023-01-06
Last Updated: 2023-01-06 07:06:18 UTC
by Xavier Mertens (Version: 1)
Yesterday Brad wrote an interesting diary about a piece of malware based on AutoIT. Funny, I was also analyzing a sample that has been written in the same language. I don’t know exactly the source (it was spotted via a hunting rule) but it seems to target the same people (based on the file name). Mine was delivered in a RAR archive called “doc-Impostos_514281.rar” (SHA256:84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04). The VT score is very low: 1/61.
Read the complete entry:
https://isc.sans.edu/diary/AutoIT+Remains+Popular+in+the+Malware+Landscape/29408/