UAC-0149: New cyber attack against Ukrainian defense forces exposed
CERT-UA has discovered a new cyber attack targeting the Ukrainian Defense Forces. The attackers used infected XLS documents that were distributed through the Signal messenger. Opening these documents resulted in infection with the COOKBOX malware.
Recommendations
CERT-UA recommends implementing a policy that blocks the launch of the following dual-use utilities:*
● cmd.exe
● powershell.exe
● mshta.exe
● wscript.exe / cscript.exe
● hh.exe
If completely blocking these utilities is not possible, block them when their parent process is one of the Microsoft Office programs, for example:
● EXCEL.EXE
● WINWORD.EXE
● POWERPNT.EXE
● OUTLOOK.EXE
Source: https://cert.gov.ua/article/6277849
* This refers to utilities that can be used for LOLBAS (Living Off the Land Binaries And Scripts) attacks. Find a list of dual-use utilities at: https://lolbas-project.github.io/
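The parent-process rule above, expressed as a detection check over process-creation telemetry. This is an added example and is not part of the CERT-UA advisory; it assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine), and the event records are constructed. Word's binary is WINWORD.EXE, and pwsh.exe (PowerShell 7) is added beyond the advisory's list because a rule that names only powershell.exe does not cover it.

```python
"""Flag LOLBAS utilities spawned by Microsoft Office processes.

Added example (not from the CERT-UA advisory). Event dictionaries are
constructed to mimic Sysmon Event ID 1 (process creation) fields.
"""
from pathlib import PureWindowsPath

# Dual-use utilities from the CERT-UA list, plus pwsh.exe (PowerShell 7),
# which a rule naming only powershell.exe would miss.
BLOCKED_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "hh.exe",
}

# Office parents from the advisory. Word's binary is WINWORD.EXE.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def image_name(image_path: str) -> str:
    """Lower-cased file name of a Windows image path. Sysmon paths differ in
    case and install directory, so compare on the file name only."""
    return PureWindowsPath(image_path.strip()).name.lower()


def is_office_spawned_lolbin(event: dict) -> bool:
    """True when a blocked utility's direct parent is an Office application."""
    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    return child in BLOCKED_CHILDREN and parent in OFFICE_PARENTS


def find_suspicious(events: list) -> list:
    """Return the RecordIds of events matching the parent-process rule."""
    return [e["RecordId"] for e in events if is_office_spawned_lolbin(e)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mshta.exe C:\Users\u\AppData\Local\Temp\s.hta"},
    {"RecordId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"RecordId": 3,
     "ParentImage": r"C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE",
     "Image": r"C:\WINDOWS\SYSTEM32\WSCRIPT.EXE",
     "CommandLine": r"WScript.exe //B C:\Users\u\Downloads\inv.js"},
    {"RecordId": 4,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # normal print-spooler helper
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    {"RecordId": 5,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -enc SQBFAFgA"},
]

if __name__ == "__main__":
    print("suspicious RecordIds:", find_suspicious(SAMPLE_EVENTS))  # [1, 3, 5]
```

Two caveats when turning this into a blocking or alerting rule. First, the check looks only at the direct parent: in record 1 the mshta.exe that cmd.exe goes on to launch will have cmd.exe, not EXCEL.EXE, as its parent, so a real rule should also walk the ancestry chain. Second, Microsoft Defender's attack surface reduction rule "Block all Office applications from creating child processes" (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) enforces the same parent condition natively; running it in audit mode first, with telemetry like the above, shows which legitimate children (record 4 is one) would be affected.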
Active use of Ivanti products
On January 10, 2024, Ivanti disclosed two vulnerabilities in its products: CVE-2023-46805, an authentication bypass rated 8.2 (High), and CVE-2024-21887, a command injection rated 9.1 (Critical). Chained together, they give an unauthenticated attacker remote command execution on the appliance; CISA issued Emergency Directive 24-01 for them on January 19.
Vulnerable products:
● Ivanti Connect Secure, versions 9.x, 22.x
● Ivanti Policy Secure, versions 9.x, 22.x
Because many organizations had not applied the recommended mitigations and patches, a series of attacks using Ivanti exploits was observed in February. Among other things, they were used for:
● Installing the KrustyLoader malware loader
● Deploying the DSLog backdoor on more than 670 compromised appliances
● Installing the XMRig cryptocurrency miner
Later, another vulnerability was disclosed in the same products and in Ivanti ZTA version 22.6R1.3: CVE-2024-22024, an XML external entity (XXE) flaw rated 8.3 (High).
Recommendations
CISA (US Cybersecurity and Infrastructure Security Agency) has provided a list of recommendations for addressing these vulnerabilities:
https://www.cisa.gov/news-events/directives/supplemental-direction-v2-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure
How the exploits work and how to test your infrastructure against them is described by Picus Security in the following article:
https://www.picussecurity.com/resource/blog/ivanti-cve-2023-46805-and-cve-2024-21887-zero-day-vulnerabilities
Russian hackers attack email servers of European governments and military organizations
A hacker group that likely works in the interests of Belarus and Russia (tracked as Winter Vivern, TA473, UAC-0114 and TAG-70) attacked over 80 organizations in different countries, including Georgia, Poland, and Ukraine. The attackers exploited a cross-site scripting vulnerability in Roundcube webmail servers (CVE-2020-35730) to steal information about political and military activities in Europe.
Winter Vivern also attacked the Iranian embassies in Russia and the Netherlands and the Georgian embassy in Sweden.
The attacks on the Iranian embassies in Russia and the Netherlands indicate a broad geopolitical interest in Iran's diplomatic activities, particularly its support for Russia in the war against Ukraine.
Likewise, espionage against Georgian government entities reflects an interest in monitoring Georgia's aspirations to join the European Union (EU) and NATO.
Source:
https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail
"Time to Update" Section
Microsoft
In the February Patch Tuesday 2024 update, Microsoft fixed 73 vulnerabilities. These fixes affect various Microsoft products, including Office, Exchange Server, Azure services, Windows components, and others. It is recommended that updates be applied as soon as possible, as discovered vulnerabilities may lead to denial-of-service attacks, privilege escalation, and remote code execution.
Two of the fixed vulnerabilities from the list are actively exploited by attackers:
● CVE-2024-21412, rated 8.1 (High), is a security feature bypass in Internet Shortcut (.url) files that defeats the "Mark of the Web" protection*
● CVE-2024-21351, rated 7.6 (High), allows a specially crafted malicious file to bypass the SmartScreen check
https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb
*Windows assigns a Mark of the Web (MotW) to files downloaded from the Internet; on NTFS it is stored as a Zone.Identifier alternate data stream attached to the file. MotW then:
● Signals SmartScreen to run a reputation check on the marked file before it is allowed to execute
● Causes Office to open marked documents in Protected View and gives users an additional warning about the risks of executing a marked file, which reduces the number of successful phishing attacks
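The MotW mechanism described above, as an added example that is not part of the Microsoft release notes: a small reader and parser for the Zone.Identifier stream, useful when checking whether a dropped or downloaded file (a phishing XLS, for instance) actually carried the mark. The stream content is constructed here; the section and key names (ZoneTransfer, ZoneId, ReferrerUrl, HostUrl) are the ones Windows writes. Reading the stream by appending ":Zone.Identifier" to the path only works on NTFS; elsewhere the function returns None.

```python
"""Read and interpret the Mark of the Web (Zone.Identifier stream).

Added example, not from the Microsoft release notes. The sample stream
below is constructed in the shape a browser download produces.
"""
import configparser
from typing import Optional

# URL security zone IDs as written by Windows into ZoneId=.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream for a downloaded XLS.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://files.example/reports/\r\n"
    "HostUrl=https://files.example/reports/report.xls\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into zone id, zone name and source URLs."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # preserve key case (ZoneId, HostUrl)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream")
    zone = cp["ZoneTransfer"]
    zone_id = int(zone.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": zone.get("ReferrerUrl"),
        "host_url": zone.get("HostUrl"),
    }


def is_internet_marked(text: str) -> bool:
    """True when the file carries the Internet or Restricted zone, which is
    what triggers SmartScreen and Office Protected View."""
    return parse_zone_identifier(text)["zone_id"] >= 3


def read_motw(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file, or None if absent.
    On NTFS the stream is opened by appending ':Zone.Identifier' to the path;
    on other file systems the open simply fails and None is returned."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))  # zone_id 3, zone 'Internet'
    print(is_internet_marked(SAMPLE_STREAM))     # True
```

A file that arrives without the stream (copied from a FAT-formatted USB stick, extracted by an archiver that does not propagate the mark, or delivered through a bypass such as the ones patched here) gets neither the SmartScreen check nor Protected View, which is why the absence of the stream on a downloaded document is itself worth noting during triage.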
Apple
In recent updates, Apple has released fixes for several vulnerabilities, including the zero-day CVE-2024-23222, a WebKit type confusion bug that has been exploited in attacks.
It is recommended to update to the following versions or later: iOS 16.7.5, iPadOS 16.7.5, macOS Monterey 12.7.3, and tvOS 17.3.
https://support.apple.com/en-us/HT214061
Adobe
In the new update package, Adobe has fixed 29 vulnerabilities in the following products:
● Adobe Experience Manager
● Adobe Premiere Pro
● Adobe ColdFusion
● Adobe Bridge
● Adobe Lightroom
● Adobe Animate
Exploiting these vulnerabilities can lead to a range of consequences, including remote code execution, information disclosure, Cross-Site Scripting, and denial of service.
Google Chrome
Google has fixed the zero-day vulnerability CVE-2024-0519, which attackers have exploited since the beginning of 2024. Other significant vulnerabilities patched are CVE-2024-0517 and CVE-2024-0518; all three are in the V8 JavaScript engine.
It is recommended to update to version 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac, and 120.0.6099.224 for Linux.
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html
Mozilla Firefox
16 vulnerabilities have been fixed, 6 of which have a "High" severity. It is recommended to update to Firefox version 122.
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/