Volume 23 – Number 19

Internet Storm Center Spotlight

INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Microsoft May 2023 Patch Tuesday

Published: 2023-05-09

Last Updated: 2023-05-09 17:41:35 UTC

by Renato Marinho (Version: 1)

This month we got patches for 49 vulnerabilities. Of these, 6 are critical, and 2 are already being exploited, according to Microsoft.

One of the exploited vulnerabilities is a Win32k Elevation of Privilege Vulnerability (CVE-2023-29336). This vulnerability has low attack complexity, low privilege, and none user interaction. The attack vector is local, the CVSS is 7.8, and the severity is Important.

The second exploited vulnerability is Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932). According to the advisory, to exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. The CVSS for this vulnerability is 6.7 and its severity is Important.

About the critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Windows Network File System (CVE-2023-24941). According to the advisory, this vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). The advisory also details a mitigation procedure. The CVSS for this vulnerability is 9.8 – the highest for this month.

A second critical vulnerability worth mentioning is an RCE affecting Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-28283). According to the advisory, an unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. The attack complexity is high, which means that successful exploitation of this vulnerability requires an attacker to win a race condition. The CVSS for this vulnerability is 8.1.

Read the full entry:

https://isc.sans.edu/diary/Microsoft+May+2023+Patch+Tuesday/29826/

Guildma is now abusing colorcpl.exe LOLBIN

Published: 2023-05-05

Last Updated: 2023-05-05 17:00:59 UTC

by Renato Marinho (Version: 1)Published: 2023-05-05

Last Updated: 2023-05-05 17:00:59 UTC

by Renato Marinho (Version: 1)

While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar, we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it.

The ‘colorcpl.exe’ binary is the command line tool to open the Windows Color Management panel. When used without parameters, it just opens the tool. If a file is given as a parameter, ‘colorcpl.exe’ will copy the file to the ‘c:\windows\system32\spool\drivers\color\’ path. This path is writable by any user?—?so there is nothing here related to abusing the binary to access a privileged location. It seems to be a way to not draw the attention of security controls by avoiding using the ‘copy’ command.

Read the full entry:

https://isc.sans.edu/diary/Guildma+is+now+abusing+colorcplexe+LOLBIN/29814/

Infostealer Embedded in a Word Document

Published: 2023-05-04

Last Updated: 2023-05-04 05:33:19 UTC

by Xavier Mertens (Version: 1)

When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document.

Yesterday I found a malicious document that implements another approach. The SHA256 is c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12 and the VT score is 27/59.

Read the full entry:

https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/