Cyber Threat Pulse

#3, December 2023

Pro-Russian hackers exploit Outlook to hack email accounts

Polish Cyber Command (DKWOC) reports that the pro-Russian group Forest Blizzard* is actively exploiting a vulnerability in Microsoft Outlook (CVE-2023-23397) to gain unauthorized access to email accounts on Exchange servers.

In recent months, the group has been linked to attacks on various organizations in Ukraine and France, and to exploitation of the WinRAR vulnerability (CVE-2023-38831) to steal browser credentials.

*Forest Blizzard is a Russian state-sponsored threat actor that primarily targets governments, energy, transportation, and non-governmental organizations in Europe, the United States, and the Middle East.

DKWOC provides detailed recommendations for identifying and resolving vulnerabilities:

https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/

Phishing emails on behalf of the SBU (Security Service of Ukraine): CERT-UA study

Over the past month, CERT-UA has discovered numerous phishing emails being sent with an attached RAR archive containing the RemcosRAT* remote control program.

Attackers (UAC-0050) use various methods to mislead their victims. For example, they send emails purporting to come from the Security Service of Ukraine, with subjects such as "Subpoena", "Claims", and others. It was also noted that compromised email accounts, including some in the gov.ua domain, were used to send the phishing emails. Treat any email with caution, especially one containing an attachment!

*RemcosRAT is a commercial remote access tool (RAT). Although Remcos is marketed as a legitimate solution for remote control, surveillance and even penetration testing, it has gained notoriety through its use in numerous hacking campaigns.

CERT-UA research:

https://cert.gov.ua/article/6276652, https://cert.gov.ua/article/6276567, https://cert.gov.ua/article/6276351

"It's time to update" column

Software security is the cornerstone of information security in general. Failing to apply updates promptly makes it easier for attackers to steal confidential information, disrupt systems, and cause material and reputational damage.

We have prepared a list of software that has received updates to fix critical vulnerabilities.

Patch Tuesday updates:

Apple. Updates have been released for iOS and iPadOS to fix 8 CVEs. Two of these, in WebKit, are actively exploited on iOS 16.7.1 and earlier.

Adobe. 9 patches have been released to fix 212 CVEs in various products. 186 of these CVEs, in Experience Manager, are XSS vulnerabilities with an "Important" severity level. Vulnerabilities in After Effects are rated as Critical and could allow arbitrary code execution. Illustrator and Substance 3D Sampler vulnerabilities are also rated as Critical and could lead to arbitrary code execution.

Microsoft. 33 new patches have been released to fix 33 CVEs. These CVEs affect the following products: Windows, MS Office, Azure, MS Edge (Chromium-based), Windows Defender, Windows DNS and DHCP server, and MS Dynamics. In addition to these CVEs, the release also includes fixes for several Chromium vulnerabilities, bringing the total number of CVE fixes to 42.

https://www.zerodayinitiative.com/blog/2023/12/12/the-december-2023-security-update-review

Critical RCE vulnerability in Struts 2

A critical vulnerability, CVE-2023-50164, has been discovered in the open-source web application framework Apache Struts 2; it can lead to arbitrary code execution.

An attacker could exploit the vulnerability to upload a malicious file to the server, which would then be executed in the web application's context. This could allow the attacker to gain full control of the server. The vulnerability is fixed in Struts versions 2.5.33 and 6.3.0.2 and later.

https://cwiki.apache.org/confluence/display/WW/S2-066
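As an added example (not code from the newsletter or from the Apache Struts project), the script below shows how a defender can audit a Maven pom.xml for a struts2-core dependency that predates the fixed versions named above, 2.5.33 on the 2.x branch and 6.3.0.2 on the 6.x branch. It assumes the project declares the dependency in a standard Maven pom (including the ${property} style of version reference), and the pom embedded in it is constructed for the demonstration.

```python
"""Audit a Maven pom.xml for an Apache Struts 2 core dependency that is
older than the CVE-2023-50164 (S2-066) fix versions 2.5.33 / 6.3.0.2."""
import re
import xml.etree.ElementTree as ET

# Fix versions per branch, padded to four components for tuple comparison.
# Assumption: every 2.x release below 2.5.33 and every 6.x release below
# 6.3.0.2 is treated as unfixed, matching the versions stated in the advisory.
FIXED_2X = (2, 5, 33, 0)
FIXED_6X = (6, 3, 0, 2)
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom that pins struts2-core one release before the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>6.3.0.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn a version string such as '6.3.0.1' into a 4-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_fixed(version):
    """True when the version is at or above the fix release for its branch."""
    v = parse_version(version)
    if v[0] == 2:
        return v >= FIXED_2X
    return v >= FIXED_6X


def struts_core_versions(pom_xml):
    """Return declared versions of org.apache.struts:struts2-core in a pom,
    resolving ${name} references against the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {}
    for prop in root.findall(f"{MAVEN_NS}properties/*"):
        props[prop.tag.replace(MAVEN_NS, "")] = (prop.text or "").strip()
    found = []
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        gid = dep.findtext(f"{MAVEN_NS}groupId", "").strip()
        aid = dep.findtext(f"{MAVEN_NS}artifactId", "").strip()
        if (gid, aid) != ("org.apache.struts", "struts2-core"):
            continue
        version = dep.findtext(f"{MAVEN_NS}version", "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        found.append(version)
    return found


def audit_pom(pom_xml):
    """Return (version, fixed?) for every struts2-core dependency found."""
    return [(v, is_fixed(v)) for v in struts_core_versions(pom_xml)]


if __name__ == "__main__":
    for version, fixed in audit_pom(SAMPLE_POM):
        state = "patched" if fixed else "UPDATE NEEDED (CVE-2023-50164)"
        print(f"struts2-core {version}: {state}")
```

The check only looks at the declared dependency; transitive dependencies pulled in by other artifacts need `mvn dependency:tree` or a software composition analysis tool, and a version that is declared as fixed still needs verifying against what is actually deployed.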

WordPress update fixes a critical vulnerability

WordPress has released update 6.4.2, which fixes a critical vulnerability that allows attackers to take control of a vulnerable site. To do so, an attacker must chain this vulnerability with another bug (a PHP object injection vulnerability) present in some other installed plugin or theme.

https://wordpress.org/news/2023/12/wordpress-6-4-2-maintenance-security-release/

Have any questions for our experts?

Fill out the form, and our experts will contact you within 2 working days.