Archive for Microsoft

Today Is Patch Tuesday… And It’s a BIG One

Posted in Commentary with tags on July 11, 2023 by itnerd

The second Tuesday of every month is Patch Tuesday. That means it’s time to patch all the things that are Microsoft related. And this month is huge. Bleeping Computer is reporting that the release fixes 132 flaws, including six zero-day flaws.

Yikes!

Yoav Iellin, Senior Researcher, Silverfort highlights three that you really need to worry about:

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2023-35367, CVE-2023-35366, CVE-2023-35365

“The Routing and Remote Access role is not commonly seen in Windows servers. It’s used for advanced routing, NAT, and VPN – and it is not installed by default. However, installing this role turns the server into a provider of these services – potentially directing some or even all network traffic through the server.

Sending a special packet to the Windows server may lead to remote code execution. This is particularly concerning if the specific Windows server acts as a domain controller as well.

With a CVSS score of 9.8, it’s worth taking note of this vulnerability. If you have this service enabled, you should consider installing the patch as soon as possible or even disabling the service.”

Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-33134, CVE-2023-33157, CVE-2023-33159, CVE-2023-33160

“Last month’s Patch Tuesday – which was light in comparison to this month – saw the release and disclosure of many SharePoint vulnerabilities, and this month we’re seeing RCEs in SharePoint affecting multiple areas. All of them require the attacker to be authenticated or the user to perform an action that, luckily, reduces the risk of a breach. Even so, as SharePoint can contain sensitive data and is usually exposed from outside the organization, those who use the on-premises or hybrid versions should update.”

Windows Remote Desktop Protocol Security Feature Bypass
CVE-2023-35332, CVE-2023-35352, CVE-2023-35303, CVE-2023-32043

“Remote Desktop Protocol provides a platform for remote communication with Windows machines, and recently, we’ve seen a number of vulnerabilities affecting it. This time there are multiple types of vulnerabilities that each attack different aspects of the service. One allows spoofing of a computer and acts as a “man in the middle” (MITM) to bypass its certificate validation warning, while another vulnerability targets environments where users can authenticate with smart cards. These vulnerabilities should be a warning to those who use them to ensure a higher level of protection between non-secure networks and high ones.”

As soon as I click publish on this story, I’ll be patching all the Microsoft gear in my environment. You should likely do the same.

Today Is Patch Tuesday… Here’s What Was Fixed By Microsoft

Posted in Commentary with tags on June 13, 2023 by itnerd

It’s the second week of June, which means it’s Patch Tuesday. And that means that you need to get about patching all things Microsoft. Bleeping Computer has the details:

While thirty-eight RCE bugs were fixed, Microsoft only listed six flaws as ‘Critical,’ including denial of service attacks, remote code execution, and privilege elevation.

The number of bugs in each vulnerability category is listed below:

  • 17 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 32 Remote Code Execution Vulnerabilities
  • 5 Information Disclosure Vulnerabilities
  • 10 Denial of Service Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 1 Edge – Chromium Vulnerabilities

This list does not include sixteen Microsoft Edge vulnerabilities previously fixed on June 2nd, 2023.

Dor Segal, Senior Research Tech Lead, Silverfort highlights two key fixes by Microsoft:

     “CVE-2023-29357 is a Microsoft SharePoint Server Elevation of Privilege Vulnerability with a high CVSS score of 9.8.

This vulnerability could be used by an attacker with access to spoofed JWT authentication tokens to bypass authentication, gain access to a SharePoint server and adopt the privileges of an authenticated user.

It’s currently unclear whether the access permissions are to the SharePoint application or to the server itself, meaning the impact of any exploitation attempts could range from data theft to initial access into a domain environment. This would explain its high CVSS score.

CVE-2023-29362 – a Remote Desktop Client RCE vulnerability – is pretty unique and well worth notice.

Admins use RDP clients for many of their day-to-day tasks, from managing servers to fixing user problems. Using an RDP client can give admins a false sense of security: they can see what’s going on in a remote server or that client’s computer, but they believe themselves to be protected from malicious activity on the client’s end thanks to the RDP. This vulnerability unfortunately proves that wrong.

CVE-2023-29362 allows an attacker who has compromised a Windows machine to attack and spread to any RDP client connected to that same machine. In the case of admins or other privileged machines, this could potentially lead to compromise of the entire domain.

It’s worth noting that patching is needed on the client’s side – not the server’s – so we recommend first patching privileged clients before moving on to the rest of the clients in the organization.”

After I post this, I will get about patching all the Microsoft gear in my home and home office. You might want to do the same thing as soon as you can.

Microsoft 365 Is Down For Thousands Of Users

Posted in Commentary with tags on June 5, 2023 by itnerd

DownDetector.com is reporting that Microsoft 365 is down for thousands of users. Users are complaining of everything from slow performance in the productivity suite, to being unable to send email, to not being able to log in at all. I got a few calls on this from clients starting about an hour ago, so I know that this is a somewhat widespread problem. I should note that Microsoft has admitted to this:

So until Microsoft figures this out, it might be a snow day for many Microsoft 365 users.

Microsoft To Kill Cortana In Windows By The End Of The Year

Posted in Commentary with tags on June 4, 2023 by itnerd

Bad news if you like Microsoft’s voice assistant Cortana. Its days are numbered, according to this support document. Specifically, Microsoft will remove it from Windows 10 and 11. Instead, Microsoft will shift its focus to Copilot, which was announced last week. Other tools, such as Bing Chat AI, are promising to deliver on, and possibly exceed, the features and functions offered by Cortana.

Are you sad or indifferent about Cortana getting deep-sixed? I have to admit that I’ve never used Cortana, so I am in the latter category. But what about you? Leave a comment below and share your thoughts.

Microsoft Now Requires Number Matching To Combat MFA Fatigue Attacks

Posted in Commentary with tags on May 10, 2023 by itnerd

Starting on Monday, Microsoft will enforce number matching for Microsoft Authenticator MFA push notifications to mitigate MFA fatigue attacks.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications,” Microsoft says.

To further defend against MFA fatigue attacks, it is also suggested that organizations limit the number of MFA authentication requests per user or domain and, if those limits are exceeded, lock the accounts or alert the security team.

MFA fatigue has been used very successfully by various threat actors against high-profile organizations, such as Microsoft, Cisco, and Uber.
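The per-user prompt limit suggested above, as an added example that is not from the original post or from Microsoft: a sliding-window count over constructed sign-in log lines (the log format, the five-minute window and the threshold of four prompts are all assumptions) that flags a user whose push prompts exceed the limit, and separately flags an approval that arrives after such a flood, since that is the event that most needs a human look.

```python
"""Detect MFA push flooding (MFA fatigue) in sign-in log lines.

Added example, not from the original post. Counts MFA push prompts per user
inside a sliding window; a user who exceeds the limit is marked for lockout,
and an approval that lands after the flood is marked as suspect.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format is an assumption:
# ISO timestamp, user, MFA push result, source IP of the sign-in attempt.
SAMPLE_LOG = """\
2023-05-10T08:00:01Z alice@example.com mfa_push_denied 203.0.113.10
2023-05-10T08:00:20Z alice@example.com mfa_push_denied 203.0.113.10
2023-05-10T08:00:41Z alice@example.com mfa_push_timeout 203.0.113.10
2023-05-10T08:01:02Z alice@example.com mfa_push_denied 203.0.113.10
2023-05-10T08:01:25Z alice@example.com mfa_push_denied 203.0.113.10
2023-05-10T08:01:50Z alice@example.com mfa_push_approved 203.0.113.10
2023-05-10T08:05:00Z bob@example.com mfa_push_approved 198.51.100.7
2023-05-10T09:30:00Z bob@example.com mfa_push_denied 198.51.100.7
2023-05-10T09:31:00Z bob@example.com mfa_push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PROMPTS = 4                 # assumed prompts allowed per user per window


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def analyze(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: verdict}.

    Verdicts: "ok" (within limits), "lock" (prompt flood, lock MFA and alert),
    "approved_after_flood" (a prompt was approved after the flood began, which
    is the likely successful fatigue attack and should be escalated).
    """
    recent = defaultdict(deque)   # user -> prompt timestamps inside the window
    flooded = set()               # users whose prompt count exceeded the limit
    verdict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _ip = parse_line(line)
        q = recent[user]
        q.append(ts)
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_prompts:
            flooded.add(user)
            verdict[user] = "lock"
        # Bob's isolated denial then approval is normal; Alice approving a
        # prompt after five in two minutes is the fatigue pattern.
        if result == "mfa_push_approved" and user in flooded:
            verdict[user] = "approved_after_flood"
        verdict.setdefault(user, "ok")
    return verdict


if __name__ == "__main__":
    for user, v in analyze(SAMPLE_LOG).items():
        print(f"{user}: {v}")
```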

Matt Mullins, Senior Security Researcher, Cybrary had this comment:

   “MFA fatigue being an attack that harasses the user allows for weaker implementations to be bypassed with enough time. The changes MSFT is offering in this instance will provide better security, ideally, but as with all things, there could be issues in implementation and reality.

   “Number matching looks to be a great improvement. With the requirement of more action required by the user, the authentication process is more robust. With a more robust authentication, there is less “ease” of exploitation due to more steps being needed by the attacker to execute their attack process further. A great example of this is adding smart screen, an enable macros button, Mark-of-the-web, etc. that prevent an easy execution of a macro. One caveat to this improvement Microsoft is offering is that they are going to require more from the user and who is to say they don’t get fatigue from this and disable it if possible? What about programmatic accounts that require MFA, will this process prevent those types of accounts from getting an MFA value from the CLI?

   “The number match looks great but there are some not-so-great options included as well. The lock out after a number of fails seems like a perfect example of idealized security that will inevitably be turned off if there are issues with timing, key entry, latency, etc. By locking out accounts’ MFA, users will ultimately have to engage IT. While this might seem like a great idea, what happens when helpdesk is costing more? Controls have to be “just enough” to stop attackers but not inhibit functionality.

   “While the push MFA improvements are great, ultimately utilizing something like a Yubikey is a superior option because of easy-to-use controls and robust security (such as FIDO2). Push, like OTP (or One-Time-Pad), are weaker controls and efforts to add security to them can tend to complicate user functionality which impacts production.”

David Mitchell, Chief Technical Officer, HYAS follows up with this:

   “Microsoft has taken a key step in combating techniques that have been successful for Lapsus$ and other groups in compromising organizations by increasing the friction required for MFA. Over the last decade, MFA providers worked on improving the user experience compared to legacy pin+token methods — to the point it was almost too easy to authenticate. While this may irritate some end users in the short term, this change will dramatically reduce attacker abilities to utilize MFA fatigue to gain access to enterprise networks.”

Finally, Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “MFA is an important control organizations should apply by default to all of their human identities as part of a defense in depth approach. However, as we’ve seen with the recent Uber breach, MFA fatigue, where attackers repeatedly prompt the user until the user simply allows the bypass, is all too common. Once past that initial defense, the attackers have bypassed authentication and gained access, free to elevate privileges and move laterally across the enterprise.

   “While advancing MFA with number matching may help, there are other ways to bypass MFA and organizations must look beyond the identity provider of initial access and implement least privilege access across the entire enterprise to identify any anomalous behavior across the complete modern identity journey from identity provider and MFA, to SaaS applications and multi-cloud infrastructure.”

(Speaking of the recent Uber breach that used “MFA Fatigue” to gain access to their network, Roy, at Rezonate, would like to offer you a demo that shows a complete replication of the Uber breach that started with an MFA fatigue attack, if you would be interested.)

MFA fatigue is a thing. And it’s too much to ask users to be more diligent in terms of what push notifications they respond to. This is going to help but it’s only a piece of the puzzle in terms of really putting a dent into MFA fatigue attacks. In short, the authentication process needs to be such that these attacks are simply not possible.

Time To Patch All Your Microsoft Gear Because The May Patch Tuesday Updates Are Out

Posted in Commentary with tags on May 9, 2023 by itnerd

Like the title says, today is Patch Tuesday and Bleeping Computer is reporting that May’s dump of patches is something that you should pay attention to:

Today is Microsoft’s May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws.

Six vulnerabilities are classified as ‘Critical’ as they allow remote code execution, the most severe type of vulnerability.

Lovely. For commentary as to the patches that you need to pay attention to, here’s Yoav Iellin, Senior Researcher, Silverfort:

 “While CVE-2023-29325 – Windows OLE Remote Code Execution vulnerability might sound fairly innocuous, we strongly recommend taking note of it due to the ease with which users could fall victim to any exploitation attempts.

With this vulnerability, the simple act of glancing at a carefully crafted malicious email in Outlook’s preview pane is enough to enable remote code execution and potentially compromise the recipient’s computer.

At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well. We recommend ensuring client’s Windows machines and Office software are fully up to date and consider following the workaround given by Microsoft while deploying the patch.

In this month’s Patch Tuesday, we’re seeing multiple vulnerabilities affecting SharePoint. CVE-2023-24950, CVE-2023-24955 and CVE-2023-24954 have caught our attention for their potential to lead to privilege escalation and remote code execution.

The first two vulnerabilities require user privileges to create a SharePoint site. Once a threat actor has obtained the credentials of a user with these privileges, they could steal the NTLM hash of the SharePoint domain user and escalate their privileges. From this stage and using the three vulnerabilities together, a threat actor could potentially achieve the SharePoint server credentials.

These vulnerabilities are all listed as “exploitation more likely”, meaning they could be good targets for threat actors looking for innovative ways to achieve lateral movement and RCE. The best mitigation for this group of vulnerabilities is the official patch issued by Microsoft.

Another vulnerability that we’ve taken note of is CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. With a high CVSS score of 9.8, it could be used to attack and run malicious code on a Windows file server that has NFS (Network File System) version 4.1 support enabled.

The NFS protocol is more common in Linux and Unix environments than in Windows, where SMB protocol is more common. Even so, organizations using Windows server as their NFS server should consider applying Microsoft’s fix promptly. This vulnerability does not appear to impact earlier versions, so a quick mitigation could be to disable V4.1 support, especially if apps are only using older versions of NFS. However, please consider vulnerabilities that exist in older versions.”

So if you’re responsible for making sure your Microsoft infrastructure is fully patched, you should be preparing to patch all the things, as this month has a lot of critical vulnerabilities that have been addressed by Microsoft.

See you next month.

Microsoft Will No Longer Put Out Major Windows 10 Updates

Posted in Commentary with tags on April 28, 2023 by itnerd

Microsoft has posted a blog post stating that Windows 10 22H2 will be the final major update to Windows 10, and that going forward Microsoft will not put out major updates for Windows 10:

As documented on the Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10, and all editions will remain in support with monthly security update releases through that date. Existing LTSC releases will continue to receive updates beyond that date based on their specific lifecycles.

Recommendation

  • We highly encourage you to transition to Windows 11 now as there won’t be any additional Windows 10 feature updates.
  • If you and/or your organization must remain on Windows 10 for now, please update to Windows 10, version 22H2 to continue receiving monthly security update releases through October 14, 2025. See how you can quickly do this via a servicing enablement package in How to get the Windows 10 2022 Update.

The final end of support date for Windows 10 does not change with this announcement; these dates can be found on the Windows 10 Lifecycle page.

Seeing as Windows 11 has been out for more than a year and a half, it’s not a shock that Microsoft is starting to wind things down for Windows 10, which first launched in 2015, and is starting to push users towards Windows 11. With a defined path to killing Windows 10 now laid out, it’s clear that the end is in sight for Windows 10.

Microsoft Has Observed Retaliatory Iranian Hackers Attacking US Infrastructure

Posted in Commentary with tags on April 20, 2023 by itnerd

Microsoft has discovered an Iranian hacking group known as ‘Mint Sandstorm’ conducting cyberattacks on US critical infrastructure, possibly in retaliation for recent attacks on Iranian infrastructure, including Iran’s railway system in June 2021 and a cyberattack that caused an outage at Iranian gas stations in October 2021.

Microsoft says the attackers commonly use proof-of-concept (PoC) exploits as soon as they become public. Once they gain access to a network, the threat actors determine whether it is a high-value target; if so, they deploy two attack chains to steal the target’s Windows Active Directory database (to obtain users’ credentials) and to deploy custom backdoor malware that lets the intruders maintain persistence on the compromised network and deploy additional payloads.

Microsoft says the attackers also conducted low-volume phishing attacks against a small number of targeted victims.

“Capabilities observed in intrusions attributed to Mint Sandstorm are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities,” warns Microsoft.

Matt Mullins, Senior Security Researcher, Cybrary had this comment:

   “Mint Sandstorm exhibits tell-tale marks of a more sophisticated adversary approach. Their attack process relies on timing, since they are racing against patch timing for publicly disclosed new CVEs. With this being said, there is an obvious effort to scour the internet for information on the latest PoCs, weaponizing them, and then swiftly launching campaigns to gain an initial foothold into networks. Outside of this initial access vector, the utilization of template injection in tandem with small batches of phishing emails leads to a cautious and furtive approach to initial access using traditional phishing methods.

   “Once inside, they appear to execute more standard post-exploitation operational procedures: recon, credential theft and lateral movement, then escalation leading to exfiltration. None of this tradecraft is particularly advanced at this stage but merely standard and sufficient operation to maneuver in an internal network. Detection of tools like Impacket isn’t anything new with a number of endpoint protections giving a specific perspective of what this activity could look like on a compromised host. Further, the exfiltration of a dumped AD database could be surmised as simply the attackers DCSync’ing or shadowing and with this vector there are robust detections available as well.

   “Custom malware is always a bit harder but as the toolkits are more publicly shared, ensuring that properly updated signatures will help a great deal with this aspect. While initial payload detection is difficult at times, there are a number of ways to detect threat actors once they begin to execute on the box. There is no way to be 100% invisible! There are always tell-tale marks left and thus as defenders we must use defense in depth and have well trained analysts and threat hunters who are capable of looking closer at escalated tickets.”

Zach Hanley, Chief Attack Engineer, Horizon3.ai follows up with this:

   “Threat actors are identifying and increasingly exploiting processes, or lack of processes, in vulnerability management. They can invest in discovering 0-days, or they can abuse known, recent vulnerabilities that become public. The continuous intelligence loop of identifying emerging threats and acting on the new risks before your adversary can, will become a more critical investment that organizations will have to weigh in their overall security model. Gone are the days where an annual penetration test sufficed for reducing an organization’s risk.”

I suspect that this sort of behaviour is going to become increasingly common. Whether it’s by Iran or Russia or some other nation state is irrelevant. It’s clear that these sorts of “tit for tat” hacks are going to be the new normal going forward.

If You Didn’t Install April’s Patch Tuesday Updates, You Might Want To Do So ASAP As There’s An Actively Exploited Threat Out There

Posted in Commentary with tags on April 12, 2023 by itnerd

In February, researchers at Kaspersky discovered a Windows zero-day being used extensively in sophisticated ransomware attacks. The attacks looked similar to Common Log File System (CLFS) driver exploits they had seen previously, but this one turned out to be a zero-day, with the exploit supporting different versions and builds of Windows, including Windows 11:

While the majority of zero-days that we’ve discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload.

We see a significantly increasing level of sophistication among cybercriminal groups. We don’t often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks.

Microsoft released a patch for this vulnerability (CVE-2023-28252) in this week’s April Patch Tuesday release. 

I have a pair of comments on this. Starting with Christopher Peacock, Principal Detection Engineer, SCYTHE:

   “This type of activity proves ransomware actors can develop or procure unknown exploits. A zero-day makes placing one piece of a puzzle easier for the adversary and more complicated for defenders to detect. It’s, therefore, necessary for organizations to have holistic defense in depth for all the pieces in the puzzle.”

Jan Lovmand, CTO, BullWall follows up with this:

   “Cybercriminals are quicker to exploit zero day vulnerabilities than companies are at deploying patches. The average time to patch these vulnerabilities is more than 60 days for the average enterprise. Once the zero-day fix is announced, cybercriminals know precisely what the vulnerability is and work overtime to write exploits specifically for this. 

   “If companies think they can prevent every attack, they are mistaken. It is simply a matter of time before a new ransomware variant hits that catches the endpoint security stack by surprise or when a threat actor finds that one lone system on your network that hasn’t been patched. 

   “To protect against zero-day attacks, companies must be keeping their systems up to date with the latest security patches, use strong and complex passwords, implement MFA, maintain regular backups of critical data and they should consider implementing a rapid containment strategy. Ransomware Containment tools are becoming a critical part of this overall strategy.”

Anyone who has followed this blog will know that I always preach that you should be staying up to date with the latest patches as they stop stuff like this from being hugely problematic. So if you haven’t updated all your Microsoft based PCs, you might want to do so ASAP as the number of threat actors who will be using this vulnerability is about to go up.

If You Need Another Reason To Install Microsoft’s Latest Patch Tuesday Updates, The Canadian Government Can Help You With That

Posted in Commentary with tags on March 16, 2023 by itnerd

The Canadian Government is urging users of Microsoft operating systems to install all the patches that came out as part of Microsoft’s Patch Tuesday dump, to fix a vulnerability where a malicious email can pwn you even before you open the email in question:

The Canadian Centre for Cyber Security is warning about a significant vulnerability impacting Microsoft email users that allows threat actors to steal victims’ identities.

The alert sent out Wednesday says the advisory from Microsoft was one of “several critical vulnerabilities” published by the company the day before.

“We are flagging this alert this evening due to the seriousness of the vulnerability,” a spokesperson for the Cyber Centre said in an email to Global News Wednesday.

The advisory in question, dubbed CVE-2023-23397 by Microsoft, disclosed a zero-day vulnerability found in an email crafted by threat actors that contains a malicious payload, the agency said.

That payload will cause the victim’s Outlook email client to automatically connect to a universal naming convention agent controlled by the actor who will then receive the user’s password hash, which contains login credentials.

Microsoft users are being advised to install newly-pushed security patches immediately to protect themselves from the vulnerability.

I’ve rarely seen a Patch Tuesday where there has been critical patch after critical patch that users are urged to install. My suggestion would be not to treat this batch of Patch Tuesday updates as trivial. Instead, I would get about patching all the things ASAP because it’s a safe bet that threat actors are going to exploit these vulnerabilities, if they haven’t already.