July Threat Advisory – Top 5

July 2023 by SecurityHQ

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of July 2023.

Apple Released Security Update to Address Vulnerability in Their Products.

Threat Reference: Global

Risks: Arbitrary Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Apple has released a security update to address a critical vulnerability in their products. Successful exploitation of this vulnerability could lead to arbitrary code execution.

Notable CVE: [Critical] - CVE-2023-37450 - Processing web content may lead to arbitrary code execution.

Affected Products include macOS Big Sur, macOS Monterey, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1.

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Citrix Released Security Patch to Fix Critical and High Severity Vulnerability Impacting Citrix ADC and Citrix Gateway.

Threat Reference: Global

Risks: Elevation of Privilege, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Citrix has released a security patch to fix Critical and High severity vulnerabilities affecting Citrix ADC and Citrix Gateway. Successful exploitation of these vulnerabilities could allow an attacker to gain NT AUTHORITY\SYSTEM privileges on a local system or to achieve Remote Code Execution.

Notable CVEs:

[Critical] CVE-2023-24492 – Successful exploitation of this vulnerability may lead to remote code execution.
[High] CVE-2023-24491 – Successful exploitation of this vulnerability allows an attacker to elevate privileges to NT AUTHORITY\SYSTEM.

Affected Products include Citrix ADC and Citrix Gateway: All versions prior to 23.5.1.3 (Windows), and Citrix ADC and Citrix Gateway: All versions prior to 23.5.2 (Ubuntu).

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

New Multi-Stage TOITOIN Trojan Targeting Multiple Organizations.

Threat Reference: Global

Risks: Malware/Trojan

Advisory Type: Threats

Priority: Standard

Researchers have observed a new, sophisticated and persistent malware named TOITOIN targeting organizations globally. The campaign employs a trojan that follows a multi-stage infection chain, using specially crafted modules at each stage.

The attack chain proceeds as follows.

1. The victim receives a phishing email with an embedded link; clicking it redirects through multiple domains and downloads a randomly named ZIP archive.

2. The ZIP contains an executable which, when run, downloads the Downloader module.

3. The Downloader module downloads the further stages, evading sandboxes and maintaining persistence using LNK files.

4. The Krita Loader DLL and the InjectorDLL module are then sideloaded via a signed binary.

5. The InjectorDLL module injects the ElevateInjectorDLL into a remote process (explorer.exe); this stage evades sandboxes, performs process hollowing, and injects either the TOITOIN Trojan or the BypassUAC module depending on the process privileges.

6. The BypassUAC module then uses the COM Elevation Moniker to bypass User Account Control and execute the Krita Loader with administrative privileges.

7. The final payload, the TOITOIN Trojan, employs custom XOR decryption routines to decode the configuration file containing the Command & Control server's URL.

8. It transmits encoded system information, details of installed browsers and of the Topaz OFD Protection Module to the C&C server. In the absence of the configuration file, the information is sent via a POST request using curl.

Indicators of compromise (IOCs) Domains/URLs:


Recommendations

Block the IOCs mentioned in this advisory on security devices.
Block unknown file extensions, executables and macro-enabled attachments on the Email Gateway.
Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activity on endpoints.
Monitor your IT infrastructure 24x7 for cyber security attacks and suspicious activity.
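Advisories such as this one publish indicators in defanged form (`[.]`, `http[:]//`, `hxxp`). The following is an added example, not SecurityHQ's code: it refangs a defanged indicator list, extracts the host from each entry, and checks constructed proxy log lines against those hosts. The indicators and log lines are constructed placeholders (RFC 5737 / reserved TLDs), not the advisory's real IOCs.

```python
from urllib.parse import urlsplit

# Constructed, defanged indicators in the advisory's notation
# (placeholders only, not the real IOCs from the advisory).
DEFANGED_IOCS = [
    "http[:]//example-c2[.]invalid",
    "files-example[.]test/storage[.]php?e=Desktop-PC",
    "hxxp://192[.]0[.]2[.]10/Up/indexW.php",
    "203[.]0[.]113[.]7",
]

# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2023-07-12T09:14:03Z 10.1.2.3 GET http://example-c2.invalid/storage.php?e=Desktop-PC 200
2023-07-12T09:14:05Z 10.1.2.3 GET http://cdn.vendor.example/update.zip 200
2023-07-12T09:15:10Z 10.1.2.9 POST http://192.0.2.10/Up/indexW.php 200
2023-07-12T09:16:44Z 10.1.2.9 GET https://203.0.113.7/ 301
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    s = ioc.strip()
    if s.lower().startswith("hxxp"):          # hxxp:// and hxxps://
        s = "http" + s[4:]
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def ioc_host(ioc: str) -> str:
    """Extract the host (domain or IP) that an indicator refers to."""
    s = refang(ioc)
    if "://" not in s:                        # bare domain/IP or host+path
        s = "http://" + s
    return urlsplit(s).hostname


def match_log(log_text: str, defanged_iocs: list) -> list:
    """Return (client, host) pairs for log lines whose URL host is an IOC."""
    hosts = {ioc_host(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host and host in hosts:
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    for client, host in match_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"IOC hit: client {client} contacted {host}")
```

The same host set can be fed to a DNS sinkhole or proxy blocklist; matching on the host rather than the full URL catches the query-string variants seen in the advisory's indicators.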

SonicWall Patched Multiple Critical and High Vulnerabilities in SonicWall GMS and Analytics.

Threat Reference: Global

Risks: Authentication Bypass, Sensitive Information Disclosure, Unrestricted File Upload, Command Injection, Path Traversal and SQL Injection

Advisory Type: Updates/Patches

Priority: Standard

SonicWall recently released security patches to fix multiple Critical and High vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could result in authentication bypass, sensitive information disclosure, unrestricted file upload, command injection, path traversal and SQL injection.

Notable CVEs are:

[Critical] CVE-2023-34133 - Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass.
[Critical] CVE-2023-34134 - Password Hash Read via Web Service
[Critical] CVE-2023-34124 - Web Service Authentication Bypass
[Critical] CVE-2023-34137 - CAS Authentication Bypass
[High] CVE-2023-34127 - Post-Authenticated Command Injection
[High] CVE-2023-34123 - Predictable Password Reset Key
[High] CVE-2023-34126 - Post-Authenticated Arbitrary File Upload
[High] CVE-2023-34129 - Post-Authenticated Arbitrary File Write via Web Service (Zip Slip)
[Medium] CVE-2023-34125 - Post-Authenticated Arbitrary File Read via Backup File Directory Traversal
[Medium] CVE-2023-34128 - Hardcoded Tomcat Credentials (Privilege Escalation)
[Medium] CVE-2023-34135 - Post Authenticated Arbitrary File Read via Web Service
[Medium] CVE-2023-34136 - Unauthenticated File Upload
[Low] CVE-2023-34130 - Use of Outdated Cryptographic Algorithm with Hardcoded Key
[Low] CVE-2023-34131 - Unauthenticated Sensitive Information Leak
[Low] CVE-2023-34132 - Client-Side Hashing Function Allows Pass-the-Hash

Affected Products include GMS - Virtual Appliance 9.3.2-SP1 and earlier versions, GMS - Windows 9.3.2-SP1 and earlier versions, and Analytics - 2.5.0.4-R7 and earlier versions.

Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Microsoft Releases July 2023 Patch Tuesday for 132 Flaws, Including 6 Zero-Days and 37 Remote Code Execution Vulnerabilities.

Threat Reference: Global

Risks: Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS) and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released Patch Tuesday for July 2023, with security updates for 132 flaws, including six actively exploited and 37 Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service (DoS) and Spoofing.

Notable CVE ID and details:

[Critical] - CVE-2023-32057 : [CVSS – 9.8] - Microsoft Message Queuing Remote Code Execution Vulnerability
[Critical] - CVE-2023-35367 : [CVSS – 9.8] - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
[Critical] - CVE-2023-35366 : [CVSS – 9.8] - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
[Critical] - CVE-2023-35365 : [CVSS – 9.8] - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
[High] - CVE-2023-33160 : [CVSS – 8.8] - Microsoft SharePoint Server Remote Code Execution Vulnerability
[High] - CVE-2023-33157 : [CVSS – 8.8] - Microsoft SharePoint Remote Code Execution Vulnerability
[High] - CVE-2023-35315 : [CVSS – 8.8] - Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
[High] - CVE-2023-32049 : [CVSS – 8.8] - Windows SmartScreen Security Feature Bypass Vulnerability
[High] - CVE-2023-35311 : [CVSS – 8.8] - Microsoft Outlook Security Feature Bypass Vulnerability
[High] - CVE-2023-36884 : [CVSS – 8.3] - Office and Windows HTML Remote Code Execution Vulnerability
[High] - CVE-2023-32046 : [CVSS – 7.8] - Windows MSHTML Platform Elevation of Privilege Vulnerability
[High] - CVE-2023-36874 : [CVSS – 7.8] - Windows Error Reporting Service Elevation of Privilege Vulnerability
[High] - CVE-2023-35352 : [CVSS – 7.5] - Windows Remote Desktop Security Feature Bypass Vulnerability
[High] - CVE-2023-35297 : [CVSS – 7.5] - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
[High] - CVE-2023-35312 : [CVSS – 7.3] - Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability

Recommendation: Keep applications and operating systems running at the current released patch level and run software with the least privileges.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident.
