INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft April 2023 Patch Tuesday
Published: 2023-04-11
Last Updated: 2023-04-11 17:45:46 UTC
by Renato Marinho (Version: 1)
This month we got patches for 114 vulnerabilities. Of these, 7 are critical, and 1 is already being exploited, according to Microsoft.
The exploited vulnerability is an Elevation of Privilege affecting the Windows Common Log File System Driver (CVE-2023-28252). The advisory rates its severity as important, with a local attack vector and low attack complexity. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. As this vulnerability is being exploited, it is recommended that you apply the patch as soon as possible. The CVSS for this vulnerability is 7.8.
Among critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Microsoft Message Queuing (MSMQ) (CVE-2023-21554). MSMQ technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. To exploit this vulnerability, an attacker must send a specially crafted malicious MSMQ packet to an MSMQ server. This could result in remote code execution on the server side. The MSMQ service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine. The CVSS for this vulnerability is 9.8.
There is also an RCE affecting DHCP Server Service (CVE-2023-28231). According to the advisory, an authenticated attacker could exploit this vulnerability by leveraging a specially crafted RPC call to the DHCP service. Successful exploitation of this vulnerability requires that an attacker first gain access to the restricted network before running an attack. The CVSS for this vulnerability is 8.8.
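The two checks above (the Message Queuing service plus TCP port 1801 for CVE-2023-21554, and the DHCP Server service for CVE-2023-28231) can be scripted so they run across a fleet. The following is an added example, not code from the ISC diary or from Microsoft; it assumes an elevated PowerShell 5.1 or later session, that Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later) is available, and, for remote hosts, that WinRM is enabled. The function names and the ComputerName parameter are this example's own.

```powershell
# Added example (not from the ISC diary): audit Windows hosts for the two
# network-reachable services called out in the April 2023 Patch Tuesday notes.
# Assumptions: elevated PowerShell 5.1+, NetTCPIP module present, WinRM for
# remote targets. Function names are illustrative.

function Test-MsmqExposure {
    # CVE-2023-21554 only applies where the Message Queuing service (service
    # name MSMQ, display name "Message Queuing") is installed and running.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    # MSMQ accepts its wire protocol on TCP 1801; look for a listening socket.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        Check          = 'MSMQ (CVE-2023-21554)'
        ServicePresent = [bool]$svc
        ServiceRunning = $running
        Port1801Listen = [bool]$listener
        Exposed        = ($running -and [bool]$listener)
    }
}

function Test-DhcpServerExposure {
    # CVE-2023-28231 only matters where the DHCP Server role (service name
    # DHCPServer) is installed and running.
    $svc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        Check          = 'DHCP Server (CVE-2023-28231)'
        ServicePresent = [bool]$svc
        ServiceRunning = $running
        Port1801Listen = $null
        Exposed        = $running
    }
}

function Invoke-PatchTuesdayAudit {
    # Pass computer names from inventory; defaults to the local host.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $results = if ($c -eq $env:COMPUTERNAME) {
            Test-MsmqExposure
            Test-DhcpServerExposure
        } else {
            # ${function:Name} hands the function body to Invoke-Command as a ScriptBlock.
            Invoke-Command -ComputerName $c -ScriptBlock ${function:Test-MsmqExposure}
            Invoke-Command -ComputerName $c -ScriptBlock ${function:Test-DhcpServerExposure}
        }
        $results | Select-Object @{ n = 'Computer'; e = { $c } }, Check, ServicePresent, ServiceRunning, Port1801Listen, Exposed
    }
}

# Usage: local host only, or e.g. Invoke-PatchTuesdayAudit -ComputerName 'srv01','srv02'
Invoke-PatchTuesdayAudit | Format-Table -AutoSize
```

A listening socket shows the service is reachable from the host's point of view, not that it is reachable from an attacker's: check host and perimeter firewall rules for TCP 1801 before deciding that an MSMQ server is exposed, and treat any host where Exposed is True as a priority for the patch rather than as confirmation of compromise.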
Read the full entry:
https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736/
Apple Patching Two 0-Day Vulnerabilities in iOS and macOS
Published: 2023-04-07
Last Updated: 2023-04-07 19:17:21 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for iOS and macOS (as well as Safari). The update fixes two vulnerabilities that are already being exploited:
- CVE-2023-28205: This vulnerability could lead to a "zero-click" exploit as a user visits a malicious web page.
- CVE-2023-28206: The first vulnerability "only" provides code execution in the Safari sandbox. But this second vulnerability could be used to escape the sandbox and achieve full system access. We rate this as "important" as it implements a privilege escalation. The full potential of the vulnerability is only realized with a remote code execution vulnerability like CVE-2023-28205.
These two vulnerabilities are likely going to be used together. Both vulnerabilities were reported by the Google TAG and the Amnesty International Security Lab. This indicates that they were used in targeted attacks, likely by state-sponsored spyware. I hope either will provide us with more details.
Read the full entry:
https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726/
Another Malicious HTA File Analysis - Part 2
Published: 2023-04-10
Last Updated: 2023-04-10 08:13:31 UTC
by Didier Stevens (Version: 1)
The first part in this series can be found here: https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+1/29674
In the first part, we ended with a decoded PowerShell script. We will now start to decrypt the payload found inside this PowerShell script...
Read the full entry:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/