SANS NewsBites

Patch Actively Exploited Outlook Flaw ASAP; Deploy Workarounds on Vulnerable Android Phones with Samsung Exynos Chipset; Meaningful Change Unlikely from Healthcare Sector Cybersecurity Hearings

March 17, 2023  |  Volume XXV - Issue #22

Top of the News


2023-03-14

Microsoft’s March Patch Tuesday

On Tuesday, March 14, Microsoft released fixes for nearly 75 security issues. Two of the vulnerabilities addressed in the updates are being actively exploited. One of the flaws, a privilege elevation vulnerability in Outlook, has reportedly been used by Russian hackers in attacks on government, military, and energy sector organizations in Europe.

Editor's Note

In addition to the widely covered vulnerabilities, some of which are already exploited, I would like to point out CVE-2023-23415. This vulnerability is at least interesting, even if it may not be easy to exploit. A single ICMP error packet leading to remote code execution shouldn't be underestimated, and yet again proves how we are not done finding vulnerabilities in 30+-year-old TCP/IP stacks.

Johannes Ullrich

The different exploit groups have been out on the internet discussing various ways to exploit this vulnerability. I would look at what folks over at MDSec ActiveBreach and a few others have discussed about various methods to abuse this Outlook feature.

Moses Frost

It’s been 20 years since MSFT moved to a monthly patch cycle (aka Patch Tuesday). By now organizations should have ‘well-oiled’ processes to handle these monthly patch updates. This batch includes a number of remote code execution vulnerabilities as well as two ‘zero days’ being actively used. Exercise your patch process and remediate these vulnerabilities first.

Curtis Dukes

If one critical infrastructure entity is being targeted, assume others in the same business (energy) will also be targets. Moreover, CVE-2023-23397 is rather deceptive. While labeled a privilege escalation flaw, it is used to capture NTLM hashes for a pass-the-hash attack. But it only works for self-hosted Exchange. At some point reacting to flaws relating to self-hosted Exchange is going to surpass the cost of using a hosted version, if it’s not there already. Don’t forget to incorporate Adobe updates as they’ve also released a bunch this week.

Lee Neely

2023-03-16

Exynos Chipset Vulnerabilities Could be Exploited to Compromise Phones at Baseband Level

Researchers from Google Project Zero have found multiple vulnerabilities in Samsung Exynos chipsets. Four of the flaws could be exploited to compromise unpatched devices remotely at the baseband level with no user interaction. The timeline for patch releases depends on device manufacturers; until fixes are available, users “can protect themselves from the baseband remote code execution vulnerabilities mentioned in this post by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.”


2023-03-16

Healthcare Cybersecurity Officials Want Legislators to Set Cybersecurity Standards for Their Sector

Healthcare sector cybersecurity and information security professionals told the US Senate Homeland Security and Government Affairs Committee that they want legislators to establish minimum cybersecurity standards for the healthcare sector. While there are plenty of best-practices lists, sorting through them can be overwhelming, and voluntary compliance is simply not working.

The Rest of the Week's News


2023-03-16

CISA Adds Four Vulnerabilities to Known Exploited Vulnerabilities Catalog

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: a path traversal vulnerability in Fortinet’s FortiOS; a security feature bypass vulnerability in Microsoft Windows SmartScreen; a privilege elevation vulnerability in Microsoft Office; and an improper access control vulnerability in Adobe ColdFusion. The flaws have mitigation due dates of April 4 and 5.

Editor's Note

Don’t cherry-pick the Microsoft and Adobe updates based on the KEV. Make sure you’re applying the updates to any relevant products you have. If timing is a factor, use the KEV to reinforce your case to update, particularly where system owners are resistant.

Lee Neely

2023-03-15

CISA Warning on Progress Telerik .NET Deserialization Bug

Between November 2022 and January 2023, threat actors were able to compromise the US Federal Civilian Executive Branch (FCEB) network by exploiting a known Progress Telerik vulnerability in a Microsoft Internet Information Services (IIS) web server. The .NET deserialization vulnerability (CVE-2019-18935) was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in November 2021.


2023-03-15

Patient Sues Hospital After Ransomware Group Leaks Personal Photos

A patient is suing Lehigh Valley Health Network (LVHN) after sensitive photos and personal data were leaked online following a ransomware attack. The lawsuit alleges that LVHN was negligent in not protecting patients’ “highly sensitive and privileged personally identifiable information (PII)” and is seeking class action status for others who are affected by the breach.


2023-03-16

Latitude Financial Services Data Breach Resulted in Stolen Customer Data

Latitude Financial Services has disclosed that hackers breached its internal network. Latitude has shut down both internal and customer-facing systems. The breach allowed an intruder to steal employee login credentials, which were then used to log into two Latitude service providers. A combined 228,000 records were stolen from the service providers’ systems.


2023-03-16

Independent Living Systems Data Breach Affects 4 Million People

Independent Living Systems (ILS) has disclosed a data breach affecting more than four million individuals. The incident occurred between June 30 and July 5, 2022, but ILS did not determine the number of individuals and the type of data affected until January 2023. According to its website, the Florida-based company offers “clinical and third-party administrative services to managed care organizations and providers that serve high-cost, complex member populations in the Medicare, Medicaid and Dual-Eligible Market.”


2023-03-14

Rubrik Discloses Data Breach

Data security company Rubrik has acknowledged that it suffered a cyberattack that was conducted with the help of a zero-day vulnerability in the GoAnywhere file transfer platform. In a March 14 blog post, Rubrik CISO Michael Mestrovich writes that they “detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability.”

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+March+2023+Patch+Tuesday/29634

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

CVE-2023-23415 ICMP RCE

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

Simple Shellcode Dissection

https://isc.sans.edu/diary/Simple+Shellcode+Dissection/29642

IPFS Phishing and the need for correctly set HTTP security headers

https://isc.sans.edu/diary/IPFS+phishing+and+the+need+for+correctly+set+HTTP+security+headers/29638

Threat Actors Exploit Progress Telerik Vulnerability

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a

Abusing Adobe Acrobat Sign to Distribute Malware

https://blog.avast.com/adobe-acrobat-sign-malware

Zoom Patches

https://explore.zoom.us/en/trust/security/security-bulletin/

Array Networks Advisory

https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf

Aruba Patches

https://www.arubanetworks.com/support-services/security-bulletins/

Chromium Certificate Proposals

https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/

Adobe ColdFusion and Magento (Adobe Commerce) patches

https://helpx.adobe.com/security/products/magento/apsb23-17.html

https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

SAP Patches

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Firefox Patches

https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/