Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Apple Patches Exploited Vulnerabilities in iOS/iPadOS, macOS, watchOS and Safari

Published: 2023-06-22

Last Updated: 2023-06-22 07:12:39 UTC

by Johannes Ullrich (Version: 1)

Apple released iOS, macOS, and watchOS updates, patching three vulnerabilities already being exploited. Two vulnerabilities affect WebKit, leading to a Safari patch for older operating systems.

The two WebKit issues (CVE-2023-32439 and CVE-2023-32435) can be used to execute arbitrary code as a user visits a malicious web page. The third vulnerability, CVE-2023-32434, can be used to elevate privileges after the initial code execution...

Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerabilities+in+iOSiPadOS+macOS+watchOS+and+Safari/29972/

Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure

Published: 2023-06-28

Last Updated: 2023-06-28 06:32:20 UTC

by Jan Kopriva (Version: 1)

In my last Diary, we looked at internet-connected web servers which still support SSL version 2.0. Since this cryptographic protocol was deprecated all the way back in 2011, one might not think that there would be many such devices left on the internet; nevertheless, we have shown that there still appear to be over 460,000 of them.

Last week, I was talking to Justin Searle, one of our fellow SANS instructors, about the SSLv2 situation, and Justin raised a good point about how it might be interesting to learn what the devices are and where they are located… So, I have decided to find out – I did a quick analysis with the help of Shodan, and the results turned out to be quite interesting indeed!

While web servers which support SSLv2 are located in many countries all over the world, as the following image shows, we can clearly see that there are “hot spots” where their concentration is highest.

Read the full entry: https://isc.sans.edu/diary/Kazakhstan+the+worlds+last+SSLv2+superpower+and+a+country+with+potentially+vulnerable+lastmile+internet+infrastructure/29988/

The Importance of Malware Triage

Published: 2023-06-27

Last Updated: 2023-06-27 18:49:59 UTC

by Xavier Mertens (Version: 1)

When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don’t need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don’t have time to analyze all samples!

How to perform your malware triage? It will help if you have tools for this (executed from a sandbox). There are a lot of tools to achieve this. Still, another critical element is "automation": your collected samples must feed a pipe of tools that will try to guess the malware family, extract config, … and why not archive and index everything? For this purpose, I'm using a local instance of mwdb (MalwareDB) coupled with karton. For example, I'm extracting samples from catch-all mailboxes and sending them to the triage process via the REST APIs...

Read the full entry: https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984/

Internet Storm Center Entries


Email Spam with Attachment Modiloader (2023.06.24)

https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978/

Word Document with an Online Attached Template (2023.06.23)

https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976/

Qakbot (Qbot) activity, obama271 distribution tag (2023.06.22)

https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.



CVE-2023-32434 - Apple iOS, iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.

Product: Multiple Apple products

CVSS Score: 0

** KEV since 2023-06-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32434

NVD References:

- https://support.apple.com/en-us/HT213808

- https://support.apple.com/en-us/HT213809

- https://support.apple.com/en-us/HT213810

- https://support.apple.com/en-us/HT213811

- https://support.apple.com/en-us/HT213812

- https://support.apple.com/en-us/HT213813

- https://support.apple.com/en-us/HT213814




CVE-2023-32435 - Apple iOS and iPadOS WebKit contain a memory corruption vulnerability that leads to code execution when processing web content.

Product: Apple iOS and macOS

CVSS Score: 0

** KEV since 2023-06-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32435

NVD References:

- https://support.apple.com/en-us/HT213670

- https://support.apple.com/en-us/HT213671

- https://support.apple.com/en-us/HT213676

- https://support.apple.com/en-us/HT213811




CVE-2023-32439 - Apple iOS, iPadOS, macOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content.

Product: Multiple Apple products

CVSS Score: 0

** KEV since 2023-06-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32439

NVD References:

- https://support.apple.com/en-us/HT213811

- https://support.apple.com/en-us/HT213813

- https://support.apple.com/en-us/HT213814

- https://support.apple.com/en-us/HT213816




CVE-2023-20867 - VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

Product: VMware Tools

CVSS Score: 3.9

** KEV since 2023-06-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20867

NVD References: https://core.vmware.com/cve-2023-20867-questions-answers




CVE-2023-20887 - VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.

Product: VMware Aria operations for Networks

CVSS Score: 9.8

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20887

NVD References: https://www.vmware.com/security/advisories/VMSA-2023-0012.html




CVE-2023-27992 - Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.

Product: Multiple Zyxel NAS devices

CVSS Score: 9.8

** KEV since 2023-06-23 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27992

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products




CVE-2020-35730 - Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Product: Roundcube Webmail

CVSS Score: 6.1

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-35730

NVD References: https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13




CVE-2020-12641 - Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Product: Roundcube Webmail

CVSS Score: 9.8

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-12641

NVD References: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10




CVE-2021-44026 - Roundcube Webmail is vulnerable to SQL injection via search or search_params.

Product: Roundcube Webmail

CVSS Score: 9.8

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-44026

NVD References: https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released




CVE-2016-9079 - Mozilla Firefox, Firefox ESR, and Thunderbird contain a use-after-free vulnerability in SVG Animation, targeting Firefox and Tor browser users on Windows.

Product: Mozilla Firefox, Firefox ESR, and Thunderbird

CVSS Score: 7.5

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-9079

NVD References: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/#CVE-2016-9079




CVE-2016-0165 - Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Product: Microsoft Win32k

CVSS Score: 7.8

** KEV since 2023-06-22 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-0165

MSFT References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-039