INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft August 2023 Patch Tuesday
Last Updated: 2023-08-08 17:55:38 UTC
by Renato Marinho (Version: 1)
This month we got patches for 88 vulnerabilities. Of these, 6 are critical, and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is .NET and Visual Studio Denial of Service Vulnerability (CVE-2023-38180). The max severity for the vulnerability is important and the CVSS is 7.5.
The other exploited vulnerability is Microsoft Office Defense in Depth Update (ADV230003). According to the advisory this defense in depth update is not a vulnerability, but installing this update stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884). Microsoft recommends installing the Office updates discussed in this advisory as well as installing the Windows updates from August 2023.
Moving to critical vulnerabilities, there are Remote Code Execution (RCE) vulnerabilities affecting Microsoft Message Queuing (CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911). According to the advisory, the Windows Message Queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and whether TCP port 1801 is listening on the machine. Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. The attack complexity is low, and no privileges or user interaction are required. The CVSS for this vulnerability is 9.8.
Read the full entry:
From small LNK to large malicious BAT file with zero VT score
Last Updated: 2023-08-03 15:49:44 UTC
by Jan Kopriva (Version: 1)
Last week, my spam trap caught an e-mail with an LNK attachment, which turned out to be quite interesting.
The e-mail message was the usual malspam fare trying to appear as a purchase order sent to the recipient; however, the attachment, named “Purchase%20Order%20PO007289.pdf.zip”, was somewhat more intriguing. As you have probably guessed, it did not contain a PDF file, as its name might have suggested, but instead a 15 kB LNK.
If one were to look at the LNK's properties using the standard Windows dialog, one would only see the following string as the “target” for the shortcut, given that the textbox in the dialog supports only a fairly short string.
Since the “target” string begins with the ComSpec variable, we can clearly see that the LNK is pointing at cmd.exe (at least on any Windows system with a usual configuration), but that is about all we can be certain about at this point. To get to further details, we might take advantage of some specialized tool for analyzing LNK files; however, any hex editor can serve us just as well.
Even if one didn’t understand the internal structure of the Shell Link file format, one would only have to locate a string in the file containing multiple “/shakir” substrings to be able to get to the entire command that the file is supposed to execute.
Read the full entry:
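The diary above locates the command by searching the raw bytes for a recognizable substring. As an added example that is not part of Jan's diary, the parser below instead walks the Shell Link structure (header, optional ID list and LinkInfo, then the StringData fields) to pull out the COMMAND_LINE_ARGUMENTS field directly, which also works when the arguments contain nothing distinctive to search for. The LNK it parses is a minimal, constructed sample built inline, not the attachment from the diary.

```python
import struct

# Shell Link header constants (MS-SHLLINK); LinkFlags live at offset 0x14.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR = 0x04, 0x08, 0x10
FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                 (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                 (FLAG_HAS_ICON, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link, skipping the variable-length
    LinkTargetIDList and LinkInfo sections that precede them."""
    if len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:          # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:        # fixed order per the specification
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & FLAG_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_sample_lnk(arguments: str,
                     relative_path: str = "..\\..\\..\\Windows\\System32\\cmd.exe") -> bytes:
    """Constructed test input: a minimal Unicode LNK carrying only a RelativePath
    and Arguments (no ID list, LinkInfo or ExtraData); timestamps and attributes are zero."""
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))    # remaining fixed header fields
    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    sample = build_sample_lnk("/c echo constructed-sample-argument")   # benign, constructed
    print(parse_lnk_strings(sample))
```

On a real attachment, read the file with `open(path, "rb").read()` and inspect the `arguments` value; a command line far longer than the properties dialog shows is exactly the situation the diary describes.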
Are Leaked Credentials Dumps Used by Attackers?
Last Updated: 2023-08-04 07:46:31 UTC
by Xavier Mertens (Version: 1)
Leaked credentials have been a common threat for a while. Popular services like “Have I Been Pwned” help everyone know if some emails and passwords have been leaked. This is a classic problem: One day, you create an account on a website (ex: an online shop), and later, this website is compromised. All credentials are collected and shared by the attacker. To reduce this risk, a best practice is to avoid password re-use (as well as to not use your corporate email address for non-business-related stuff).
I’ve been watching dumps of leaked credentials for a long time. My goal is not to compete with the service above. I do this for research purposes and to track potential leaks for juicy domains. Most of the "combo" files that you can find on the Internet are compilations of old leaks but presented as "fresh", "verified" or "valid" by the attacker:
75k HQ Valid mail access.txt
50K Combo private BY AmrNet1 All Site.txt
The quality of these dumps is very poor. Most verifications I performed with 3rd parties always gave the same results: the account has not existed for a long time, our password policy has changed, etc.
Read the full entry: