INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
June 2023 Microsoft Patch Tuesday
Last Updated: 2023-06-13 18:30:28 UTC
by Johannes Ullrich (Version: 1)
Today's Microsoft patch Tuesday addresses 94 vulnerabilities. This includes 14 Chromium vulnerabilities patched in Microsoft Edge, and five GitHub vulnerabilities. Six of these vulnerabilities are rated as critical.
Three critical vulnerabilities are remote code execution vulnerabilities related to the Windows Pragmatic Multicast (PGM) service. Past PGM vulnerabilities were related to the Microsoft Message Queue (MSMQ), for example, CVE-2023-28250, which was patched in April.
Two of the important vulnerabilities affect Microsoft Exchange. Exploitation requires authentication, so these remote code execution vulnerabilities are only rated as important. But based on the history of similar Exchange flaws, this issue is worth watching.
A critical vulnerability patched in SharePoint allows the spoofing of JWT authentication tokens to gain access as an authenticated user.
This month, none of the vulnerabilities were made public before patch Tuesday, and none of them are already exploited.
Read the full entry: https://isc.sans.edu/diary/June+2023+Microsoft+Patch+Tuesday/29942/
Geoserver Attack Details: More Cryptominers against Unconfigured WebApps
Last Updated: 2023-06-12 12:46:13 UTC
by Johannes Ullrich (Version: 1)
Last week, I noted increased scans against "GeoServer." GeoServer is an open-source Java application with a simple web-based interface to share geospatial data like maps.
I followed our usual playbook of redirecting these scans to an instance of GeoServer. GeoServer has had a few vulnerabilities in the past, so I installed an older version of GeoServer to verify whether one of them was being exploited. However, it looks like a vulnerability wasn't necessary. Instead, similar to what we have seen with NiFi recently, the attacker is just using a built-in code execution feature, and the default install, as deployed by me, did not require credentials.
GeoServer was installed in a Docker container, which prevented any actual execution of the attack code. The container did not provide tools like curl to download additional payloads. Instead, I downloaded the payloads manually later.
Soon after I configured the honeypot, several exploit requests arrived from 126.96.36.199. These requests took advantage of the Web Processing Service (WPS).
Undetected PowerShell Backdoor Disguised as a Profile File
Last Updated: 2023-06-09 08:05:43 UTC
by Xavier Mertens (Version: 1)
PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are obfuscated; most of the time, this helps the script get detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Let's have a look at it.
The file was found with the name « Microsoft.PowerShell_profile.ps1 ». The attacker nicely selected this name because it is a familiar name used by Microsoft to manage PowerShell profiles. You may compare this to the « .bashrc » on Linux: it's a way to customize your environment. Every time you launch PowerShell, it looks in several locations, and if a profile file is found, it executes it. Note that this is also an excellent way to implement persistence, because the malicious code will be re-executed every time a new PowerShell session is launched. It's listed as T1546.013 in the MITRE ATT&CK framework.
Let’s reverse the script (SHA256: a3d265a0ab00466aab978d0ccf94bb48808861b528603bddead6649eea7c0d16). When opened in a text editor, we can see that it is heavily obfuscated...
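Because PowerShell evaluates every profile file it finds at startup, the defensive counterpart to the persistence technique above is a simple inventory of those auto-loaded locations. The script below is an added example written for this digest, not code from the ISC diary or its author: it walks the four standard profile paths that the built-in `$PROFILE` variable exposes, records whether each exists, its size, last write time and SHA256, and flags a hit against the sample hash quoted above. The `$KnownBad` list and the `Get-ProfileInventory` function name are this example's own choices; the hash comes from the diary.

```powershell
# Added example (not from the ISC diary): inventory the PowerShell profile
# files that are auto-executed on startup (MITRE ATT&CK T1546.013) and
# compare their SHA256 against a list of known-bad hashes.

# Hash of the sample discussed in the diary; extend with your own IoCs.
$KnownBad = @(
    'a3d265a0ab00466aab978d0ccf94bb48808861b528603bddead6649eea7c0d16'
)

function Get-ProfileInventory {
    # $PROFILE carries the four standard profile locations as properties.
    # Other hosts (e.g. the ISE, VS Code) have their own *_profile.ps1
    # files in the same directories, so widen the list if you use them.
    $paths = @(
        $PROFILE.AllUsersAllHosts,
        $PROFILE.AllUsersCurrentHost,
        $PROFILE.CurrentUserAllHosts,
        $PROFILE.CurrentUserCurrentHost
    )

    foreach ($p in $paths) {
        $exists  = Test-Path -LiteralPath $p
        $size    = $null
        $written = $null
        $hash    = $null

        if ($exists) {
            $item    = Get-Item -LiteralPath $p
            $size    = $item.Length
            $written = $item.LastWriteTimeUtc
            $hash    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        }

        [pscustomobject]@{
            Path         = $p
            Exists       = $exists
            SizeBytes    = $size
            LastWriteUtc = $written
            Sha256       = $hash
            KnownBad     = [bool]($hash -and ($KnownBad -contains $hash))
        }
    }
}

# Print the inventory; any row with Exists=True deserves a manual review,
# since a profile is rarely needed on servers or on accounts that never
# customise their shell.
Get-ProfileInventory | Format-Table -AutoSize
```

Run it from the host you want to check; reading the AllUsers paths under the PowerShell install directory needs no elevation. A more durable control is to baseline the hashes once and alert on any change, since a legitimate profile is written rarely while the persistence described in the diary depends on the file silently being there at every launch.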