INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
July 2023 Microsoft Patch Update
Published: 2023-07-11
Last Updated: 2023-07-11 20:37:11 UTC
by Scott Fendley (Version: 1)
Today's Microsoft Patch Tuesday addresses 132 vulnerabilities. Nine of the vulnerabilities are rated Critical, and six of these are listed as having been exploited in the wild before the release.
In particular, CVE-2023-36884 is a remote code execution vulnerability delivered via Microsoft Word documents and has been linked to the Storm-0978 threat actor. Microsoft Threat Intelligence has a blog entry that discusses this situation. Take special note of the recommended mitigations, as updates for this one will likely be released out-of-cycle.
Other exploited vulnerabilities include:
CVE-2023-35311 is a Microsoft Outlook security feature bypass that was being exploited in the wild; it works from the preview pane and bypasses the security warning.
CVE-2023-32046 is an actively exploited privilege elevation vulnerability in Windows MSHTML that could be exploited by opening a specially crafted file received by email or hosted on a malicious website.
CVE-2023-32049 is a security feature bypass vulnerability in Windows SmartScreen that was being exploited to suppress the "Open File - Security Warning" prompt when downloading or opening files from the Internet.
CVE-2023-36874 is an actively exploited privilege escalation flaw that could allow threat actors to gain local administrator privileges. To fully exploit this vulnerability, attackers would need local access to the targeted machine, and the user would need to be able to create folders and performance traces.
Microsoft also issued a high-impact advisory (ADV230001) in which attackers were abusing drivers certified by Microsoft's Windows Hardware Developer Program (MWHDP) as a post-exploitation activity. The implicated developer accounts were suspended, and Microsoft has taken steps to untrust drivers that were improperly certified.
Read the full entry:
https://isc.sans.edu/diary/July+2023+Microsoft+Patch+Update/30018/
Loader activity for Formbook "QM18"
Published: 2023-07-12
Last Updated: 2023-07-12 02:34:30 UTC
by Brad Duncan (Version: 1)
Introduction
In recent weeks, I've run across loaders related to GuLoader or ModiLoader/DBatLoader. I wrote about one in my previous diary last month. That loader for Remcos RAT was identified by @Gi7w0rm as GuLoader. Today I ran across another loader based on a tweet from @V3n0mStrike about recent Formbook activity.
Today's diary briefly reviews this activity based on an infection run on Tuesday 2023-07-11.
[...]
Email Distribution
After viewing the tweet from @V3n0mStrike, I searched through VirusTotal and found at least two emails with the associated .docx file attachment.
[...]
Indicators of Compromise
The following are indicators of compromise (IOCs) after using the .docx attachment to kick off an infection run.
Read the full entry:
https://isc.sans.edu/diary/Loader+activity+for+Formbook+QM18/30020/
DShield pfSense Client Update
Published: 2023-06-30
Last Updated: 2023-06-30 00:01:06 UTC
by Yee Ching Tok (Version: 1)
The SANS Internet Storm Center (ISC) developed the DShield pfSense client in 2017 to support the ingestion of pfSense firewall logs into the DShield project. The pfSense project has also evolved over the years, with some changes in the offerings. With the advent of pfSense Community Edition (CE) 2.7.0 and pfSense Plus 23.01, updates to the DShield client were required to fix unintended issues.
I am pleased to share that the DShield pfSense client has been updated and tested to be working* with pfSense CE 2.7.0 Release Candidate (RC) (just in time before pfSense CE 2.7.0-RELEASE is released on the targeted date of June 29, 2023), pfSense Plus 23.01-RELEASE as well as pfSense CE 2.6.0-RELEASE. To take a look at the DShield pfSense client, please visit the GitHub repository here. If you are a pfSense user and would like to participate in the DShield project, please refer to my previous diary [6] for the steps required to set it up.
Read the full entry:
https://isc.sans.edu/diary/DShield+pfSense+Client+Update/29994/