INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft February 2024 Patch Tuesday
Published: 2024-02-13
Last Updated: 2024-02-13 18:30:02 UTC
by Renato Marinho (Version: 1)
This month we got patches for 80 vulnerabilities. Of these, 5 are critical, and 2 are being exploited according to Microsoft.
One of the exploited vulnerabilities is the Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412). According to the advisory, an unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link. The CVSS for this vulnerability is 8.1.
The second exploited vulnerability is the Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2024-21351). According to the advisory, the vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could lead to some data exposure, loss of system availability, or both.
Among the critical vulnerabilities, one is the Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410). According to the advisory, an attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as that user. The CVSS for this vulnerability is 9.8 – the highest for this month.
A second critical vulnerability worth mentioning is the Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21413). Successful exploitation of this vulnerability would allow an attacker to bypass Office Protected View and open the file in editing mode rather than protected mode. An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE). The CVSS for this vulnerability is 9.8 as well.
Read the full entry: https://isc.sans.edu/diary/Microsoft+February+2024+Patch+Tuesday/30646/
Exploit against Unnamed "Bytevalue" router vulnerability included in Mirai Bot
Published: 2024-02-12
Last Updated: 2024-02-12 14:11:55 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed the following URL showing up in our "First Seen" list ...
Initially, our sensors detected requests for just "goform/webRead/open".
URLs containing "goform" are typically associated with the RealTek SDK. Routers built around the RealTek SoC (System on a Chip) usually use the SDK to implement web-based access tools. The RealTek SDK had numerous vulnerabilities in the past. We currently track over 900 unique URLs in our honeypots using a "/goform/" URL. The most popular URL is usually "goform/set_LimitClient_cfg", associated with CVE-2023-26801 in LB-Link routers. But simple password brute force attacks are also common, taking advantage of default passwords.
So far, I have not been able to identify a specific CVE number for vulnerabilities related to "goform/webRead/open". However, a Chinese blog post from November suggests that this is related to a vulnerability in routers made by the Chinese company "BYTEVALUE." I could not find a patch for the vulnerability.
Read the full entry: https://isc.sans.edu/diary/Exploit+against+Unnamed+Bytevalue+router+vulnerability+included+in+Mirai+Bot/30642/
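The diary above describes tracking "/goform/" request paths in honeypot logs and spotting a path that has not been seen before. The following is an added example, not code from the ISC honeypots or from the post's author, of that kind of detection run over a few constructed Common Log Format lines. The log lines, IP addresses and the baseline list are invented for the example; the two known endpoints and their attributions are the ones named in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample honeypot lines (Common Log Format); not real ISC data.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2024:10:01:02 +0000] "GET /goform/webRead/open HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2024:10:01:03 +0000] "POST /goform/webRead/open HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2024:10:02:11 +0000] "POST /goform/set_LimitClient_cfg HTTP/1.1" 404 0 "-" "curl/7.81"
198.51.100.9 - - [12/Feb/2024:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Feb/2024:10:04:00 +0000] "GET /cgi-bin/luci?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# goform endpoints named in the post, with the attribution the post gives them.
KNOWN_GOFORM = {
    "/goform/set_LimitClient_cfg": "CVE-2023-26801 (LB-Link routers)",
    "/goform/webRead/open": "unnamed BYTEVALUE router vulnerability (no CVE identified in the post)",
}

# Hypothetical baseline of paths already seen; anything outside it is a "first seen" candidate.
BASELINE = {"/goform/set_LimitClient_cfg"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, normalising the request target to its path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop query string for counting
    return rec


def goform_report(log_text):
    """Count unique /goform/ paths and label each request with what is known about it."""
    paths = Counter()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "/goform/" not in rec["path"].lower():
            continue
        paths[rec["path"]] += 1
        label = KNOWN_GOFORM.get(rec["path"], "unknown goform endpoint")
        hits.append({"ip": rec["ip"], "method": rec["method"],
                     "path": rec["path"], "label": label})
    return paths, hits


def first_seen(paths, baseline):
    """Paths observed now that are not in the baseline set (the post's 'First Seen' idea)."""
    return sorted(p for p in paths if p not in baseline)


if __name__ == "__main__":
    counts, requests = goform_report(SAMPLE_LOG)
    for path, n in counts.most_common():
        print(f"{n:4d}  {path}  [{KNOWN_GOFORM.get(path, 'unknown')}]")
    print("first seen:", first_seen(counts, BASELINE))
```

Counting by normalised path rather than full request target is what keeps the unique-URL count meaningful when scanners vary query strings; the case-insensitive match on "/goform/" catches mixed-case variants such as the "webRead" path in the post.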
MSIX With Heavily Obfuscated PowerShell Script
Published: 2024-02-09
Last Updated: 2024-02-09 14:11:04 UTC
by Xavier Mertens (Version: 1)
A few months ago, we saw waves of MSIX malicious packages dropping malware once installed on victims' computers. I started to hunt for such files and saw a big decrease in interesting hints. Today, my YARA rule triggered a new sample. Called "Rabby-Wallet.msix", the file has a VT score of 8/58.
After a quick look, the file appears to implement the same technique to execute a malicious PowerShell payload ...
Read the full entry: https://isc.sans.edu/diary/MSIX+With+Heavily+Obfuscated+PowerShell+Script/30636/
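The diary above hunts MSIX packages that carry an obfuscated PowerShell script. As an added example (not the author's YARA rule or any code from the post), the script below does a first-pass triage of an MSIX file: since MSIX is a ZIP container, it lists the package's script files, hashes them, and flags common obfuscation and execution indicators. The package it inspects is constructed in memory with a hypothetical launcher script; the indicator list, the entry names and the sample content are assumptions for the example, not details taken from the "Rabby-Wallet.msix" sample.

```python
import hashlib
import io
import re
import zipfile

SCRIPT_EXT = (".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js")

# Heuristic indicators of an obfuscated or hidden PowerShell launcher (assumed set).
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/=]{200,}"),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def build_sample_msix():
    """Construct a minimal MSIX-like ZIP with a hypothetical obfuscated launcher script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml",
                   '<?xml version="1.0"?><Package><Identity Name="Example.App" '
                   'Version="1.0.0.0"/></Package>')
        z.writestr("app.exe", b"MZ" + b"\x00" * 64)  # placeholder binary, not a real PE
        blob = "QQ" * 400  # stands in for a long base64-encoded payload
        z.writestr("StartUp.ps1",
                   f"$x='{blob}';powershell -w hidden -EncodedCommand $x")
    return buf.getvalue()


def triage_msix(data):
    """Inspect an MSIX (ZIP) image: confirm the manifest, hash scripts, flag indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_manifest = "AppxManifest.xml" in names
        for name in names:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            content = z.read(name)
            text = content.decode("utf-8", errors="replace")
            hit = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            findings.append({
                "name": name,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "indicators": hit,
            })
    return {"is_msix_like": has_manifest, "scripts": findings}


def is_suspicious(report):
    """True when the package is MSIX-like and any embedded script trips an indicator."""
    return report["is_msix_like"] and any(s["indicators"] for s in report["scripts"])


if __name__ == "__main__":
    report = triage_msix(build_sample_msix())
    for s in report["scripts"]:
        print(f"{s['name']}  {s['size']} bytes  sha256={s['sha256'][:16]}...  {s['indicators']}")
    print("suspicious:", is_suspicious(report))
```

To triage a real file, pass the bytes read from disk to triage_msix() instead of the constructed package; the script-file hashes it reports can then be checked against sources such as VirusTotal.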