Recorded Future has released its March 2023 vulnerabilities summary, which identifies five newly disclosed vulnerabilities with high risk scores, four of them zero-days; the affected vendors are Microsoft, Adobe, Fortinet and Samsung.
Four of the five vulnerabilities identified had risk scores of 99 in the Recorded Future Intelligence Cloud, meaning they had a score of “very critical”.
“With the fast-growing number of cyber threats putting Australian organisations at risk, it’s becoming harder for security teams to keep on top of which vulnerabilities are carrying the highest risks”, said Nikolas Kalogirou, Country Manager, ANZ for Recorded Future. “By compiling these monthly lists of the top cyber vulnerabilities circulating around the world, we hope to help organisations and empower technology and business leaders in Australia to be more resilient in the face of an ever complex and crowded cyber threat landscape. In March, four companies that include thousands of customers in Australia have shown serious vulnerabilities: Microsoft, Adobe, Fortinet and Samsung. It is important Australian organisations, especially the ones operating across multiple geographic regions, have a close look at these, and if they are impacted put mitigation measures in place”.
Here’s a summary of the top five cyber vulnerabilities that were identified in March 2023 and that should be investigated, and potentially mitigated:
Note that while the mentioned vulnerabilities were discovered in March 2023, there were further developments to vulnerabilities originally tracked and exploited in the past few months, including from Apple and Android (see full report here).
Microsoft vulnerabilities were once again the most prominent, accounting for two of the very critical vulnerabilities:
- Microsoft released a standalone advisory on March 14, 2023, addressing CVE-2023-23397, a critical elevation-of-privilege vulnerability in Microsoft Outlook. A specially crafted message makes the Outlook client connect to an attacker-controlled share as soon as the message is processed, with no need for the user to open or preview it; the connection leaks the user's Net-NTLMv2 response, which the attacker can relay to authenticate as that user to another service.
- Microsoft was made aware of the vulnerability following findings from the Computer Emergency Response Team of Ukraine (CERT-UA) and indicated that it had seen limited, targeted attacks linked to Russian-based threat actors.
- Microsoft also released a PowerShell script to audit Exchange servers for mail items carrying the property used in the attack, and recommended blocking outbound TCP 445 (SMB) and adding high-value accounts to the Protected Users group as interim mitigations.
- On March 14, 2023, Microsoft patched CVE-2023-24880 after Google's Threat Analysis Group (TAG) reported that undisclosed, financially motivated threat actors were exploiting this zero-day Microsoft SmartScreen bypass to deploy the Magniber ransomware. The vulnerability allows an adversary to deliver a malicious Microsoft Software Installer (MSI) file carrying a malformed Authenticode signature that evades Mark of the Web (MOTW) defenses, so the file runs without triggering SmartScreen's security warning.
- Google’s TAG identified over 100,000 downloads of the malicious MSI files containing the Magniber ransomware since January 2023. Most users who downloaded the MSI files are from Europe, far from Magniber’s usual targets, such as South Korea and Taiwan.
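The Outlook bullets above describe the network side effect of CVE-2023-23397: when the client processes the crafted message it reaches out over SMB to a share the attacker controls. The script below is an added hunting example, not code from Recorded Future or Microsoft. It runs simple detection logic over constructed Sysmon Event ID 3 (NetworkConnect) style records and flags outbound SMB connections that leave the organisation's address space; outlook.exe doing so is the direct indicator, and any other process doing so still violates the "block outbound 445" mitigation. The internal address ranges and the CSV layout of the sample lines are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: Sysmon Event ID 3 style records flattened to CSV as
# time, event, image, source ip, source port, destination ip, destination port.
# These are made-up lines for the example, not real telemetry.
SAMPLE_LOG = """\
2023-03-15T09:12:01Z,NetworkConnect,outlook.exe,10.1.4.22,49833,10.1.2.10,445
2023-03-15T09:12:05Z,NetworkConnect,outlook.exe,10.1.4.22,49834,198.51.100.7,445
2023-03-15T09:12:07Z,NetworkConnect,chrome.exe,10.1.4.22,49835,203.0.113.9,443
2023-03-15T09:14:02Z,NetworkConnect,explorer.exe,10.1.4.22,49837,198.51.100.7,445
2023-03-15T09:15:11Z,ProcessCreate,outlook.exe,,,,
"""

# Assumption: the organisation's internal address space. A real deployment
# substitutes its own ranges (plus any trusted file-server subnets) here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

SMB_PORT = 445


@dataclass(frozen=True)
class Finding:
    timestamp: str
    process: str
    src: str
    dst: str
    severity: str  # "high": outlook.exe reached out itself; "medium": another process


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the organisation's ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (timestamp, image, src, dst, dport) for a NetworkConnect record, else None."""
    fields = line.strip().split(",")
    if len(fields) != 7 or fields[1] != "NetworkConnect":
        return None
    ts, _event, image, src, _sport, dst, dport = fields
    try:
        return ts, image.lower(), src, dst, int(dport)
    except ValueError:  # malformed port field
        return None


def hunt_outbound_smb(log_text: str):
    """Flag SMB connections that leave the internal ranges.

    Outlook reaching an external share is the CVE-2023-23397 indicator;
    any other process doing so should have been blocked by the 445 egress rule.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, image, src, dst, dport = rec
        if dport != SMB_PORT or is_internal(dst):
            continue
        severity = "high" if image == "outlook.exe" else "medium"
        findings.append(Finding(ts, image, src, dst, severity))
    return findings


if __name__ == "__main__":
    for f in hunt_outbound_smb(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.process} {f.src} -> {f.dst}:{SMB_PORT}")
```

On the sample input the first outlook.exe connection is to an internal file server and is ignored; the second, to 198.51.100.7, is reported as high, and explorer.exe reaching the same host is reported as medium. Keep in mind that when port 445 is blocked Windows can fall back to WebDAV for a UNC path, so an egress rule on 445 alone is a mitigation, not a complete fix; patching Outlook is.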
Fortinet – highly targeted attacks by an advanced actor against government organisations, plus custom malware later linked to a China-nexus group
- On March 7, 2023, Fortinet released security patches for a zero-day path traversal vulnerability tracked as CVE-2022-41328. The flaw affects FortiOS and allows an attacker who already holds privileged access to read and write arbitrary files via crafted command-line interface (CLI) commands; in the observed attacks it was used to persist on the appliance rather than to gain initial access.
- The vulnerability affects FortiOS versions 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, 7.2.0 through 7.2.3, and 6.0 and 6.2.
- According to Fortinet, the attacks were conducted by an “advanced actor”, and were “highly targeted” against the networks of government organisations.
- In addition to exploitation activity, Fortinet identified the presence of then-unnamed malware (later identified as VIRTUALPITA, CASTLETAP, VIRTUALPIE and REPTILE) on the affected devices. On FortiGate devices, the malware exfiltrated data, modified files, executed commands via a remote shell and communicated with a command-and-control (C2) server. On FortiManager devices, the malware also executed shell commands, exfiltrated files, redirected malicious traffic, modified files, listened on open ports and disabled firmware verification on startup.
- A China-nexus threat group is the likely suspect behind the cyber espionage campaign that exploited CVE-2022-41328.
Adobe
- CVE-2023-26360 is an improper access control vulnerability affecting Adobe ColdFusion versions before 2021 Update 6 and 2018 Update 16.
- Threat actors could exploit the vulnerability to execute arbitrary code in the context of the ColdFusion process and take over the affected server. Adobe reported that it had been exploited in the wild in very limited attacks, and CISA added it to its Known Exploited Vulnerabilities catalog.
Samsung
- The remaining vulnerability listed for this month is CVE-2023-24033, which affects several Samsung Exynos modem baseband chipsets. The baseband software does not properly check the format types specified by the Session Description Protocol (SDP) module, which Samsung's advisory describes as leading to a denial of service. Google Project Zero, which reported the bug, assessed it more severely: as one of several Internet-to-baseband remote code execution flaws that an attacker could trigger knowing only the victim's phone number, with no user interaction. Until a patch is applied, disabling Wi-Fi calling and VoLTE on affected devices removes the attack surface.