14th April, 2023
Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
Microsoft has released security updates fixing 97 flaws across its software. Seven of the 97 are rated Critical and 90 Important; 45 are remote code execution flaws and 20 are privilege escalation bugs. One of them, CVE-2023-28252, is being actively exploited in ransomware attacks in the wild. It is a privilege escalation bug in the Windows Common Log File System (CLFS) driver, a component in which at least 32 vulnerabilities have been found since 2018. Critical remote code execution flaws have also been patched in the DHCP Server Service, the Layer 2 Tunnelling Protocol, the Raw Image Extension, the Windows Point-to-Point Tunnelling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ). Microsoft has also announced that Windows LAPS (Local Administrator Password Solution) now ships built into Windows 10 and 11. LAPS generates a random password for the local administrator account on each machine, rotates it and stores it in Active Directory or Azure AD, so a compromised local administrator password cannot be reused across the rest of the estate.
MSI, a manufacturer of PC components, has been the victim of a cyber attack. MSI confirmed the breach on 7 April, and on 8 April it emerged that the threat actors, a ransomware group known as Money Message, claim to have stolen the source code of MSI products, which they could potentially use to push their ransomware out to MSI's customer base. The group is demanding a $4 million ransom and has threatened to leak the source code if MSI does not pay. In response, MSI has said it will expand its cyber-security team to prevent incidents of this kind in future.
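To check a host against the two points above, here is an added PowerShell example (it is not code from the article or from Microsoft): it reports the installed CLFS driver version and the updates installed since Patch Tuesday, and confirms Windows LAPS is managing the local administrator account. It assumes an elevated session on a domain-joined Windows 10/11 host with the Windows LAPS PowerShell module available; the computer name WORKSTATION01 is a placeholder, and the policy registry path and property names are taken from Microsoft's Windows LAPS documentation.

```powershell
# Added example (not from the original article): audit a Windows host for the
# April 2023 CLFS fix and for Windows LAPS management of the local admin account.
# Assumptions: elevated session, domain-joined Windows 10/11 host, Windows LAPS
# module present; WORKSTATION01 is a placeholder computer name.

# 1. Version of the Common Log File System driver that CVE-2023-28252 lives in.
#    Compare it with the version shipped by the April 2023 cumulative update for
#    your build (the fixed version number is not listed here; take it from the KB page).
$clfs = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys"
"clfs.sys {0} (modified {1:yyyy-MM-dd})" -f $clfs.VersionInfo.FileVersion, $clfs.LastWriteTime

# 2. Updates installed on or after Patch Tuesday (11 April 2023).
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2023-04-11' } |
    Select-Object HotFixID, Description, InstalledOn

# 3. Is a Windows LAPS policy applied on this host? The LAPS CSP / GPO writes
#    its settings under this key (assumed path, per Microsoft's LAPS docs).
$lapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $lapsPolicy) {
    Get-ItemProperty $lapsPolicy |
        Select-Object BackupDirectory, PasswordLength, PasswordAgeDays, PasswordComplexity
} else {
    Write-Warning 'No Windows LAPS policy found; the local administrator password is not being managed.'
}

# 4. Read the managed password back from Active Directory (needs the LAPS module
#    and read rights on the LAPS password attribute). -AsPlainText is shown for a
#    break-glass lookup; omit it to keep the secret as a SecureString.
Get-LapsADPassword -Identity 'WORKSTATION01' -AsPlainText |
    Select-Object ComputerName, Account, ExpirationTimestamp, Source
```

Step 3 only proves that policy reached the host; step 4 proves the rotation actually happened, because the password and its expiry come from the directory, not from the machine being checked.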
Apple Patches Two Zero-day Vulnerabilities in iOS and macOS
Apple has released security updates for iOS, iPadOS, macOS and Safari to address two zero-day vulnerabilities, CVE-2023-28205 and CVE-2023-28206, that were being exploited in the wild. The first is in WebKit, where processing maliciously crafted web content can lead to arbitrary code execution; the second is in IOSurfaceAccelerator and allows an app to execute arbitrary code with kernel privileges. Apple has withheld details of the vulnerabilities to avoid helping further threat actors abuse them. The updates are available for a wide range of devices, and bring the number of zero-days Apple has patched since the start of the year to three. The disclosure comes as Google TAG revealed that commercial spyware vendors are exploiting zero-days in Android and iOS to infect mobile devices with surveillance malware.
New Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
A flaw has been disclosed in Microsoft Azure that could allow attackers to gain access to storage accounts, move laterally and execute remote code. It stems from Shared Key authorization, which is enabled by default on storage accounts: whoever holds one of an account's two access keys can read and write everything in it without an identity of their own. The exploitation path abuses Azure Functions, whose code and configuration live in a storage account: an attacker who can obtain that account's key can tamper with the function so that it hands over the access token of the higher-privileged identity it runs as. By exfiltrating that token to a remote server, the attacker can escalate privileges, move laterally, access new resources, and run a reverse shell on virtual machines. To mitigate the flaw, organisations are advised to disable Shared Key authorization on their storage accounts and use Azure Active Directory authentication instead. Microsoft plans to update how the Functions client tools work with storage accounts so that identity-based scenarios are supported. Continuous monitoring of Azure helps detect and respond to this kind of activity (key listing, changes to a Function App's storage, unexpected token use) as it happens rather than after the fact, and the response can include isolating compromised resources, revoking access, and deploying patches or configuration fixes.
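The audit and the recommended mitigation, as an added PowerShell example using the Az modules (it is not code from the article, from Microsoft or from the researchers who reported the flaw): it lists storage accounts that still accept Shared Key, flags Function Apps whose storage connection embeds an account key, and turns Shared Key off for one account. It assumes Az.Accounts, Az.Storage and Az.Functions are installed and Connect-AzAccount has already been run; the resource group rg-prod and the account stprodfunctions are placeholders.

```powershell
# Added example (not from the original article or the researchers): find storage
# accounts that still allow Shared Key authorization, find Function Apps whose
# storage connection carries an account key, and switch one account to
# identity-only access.
# Assumptions: Az.Accounts, Az.Storage and Az.Functions installed, Connect-AzAccount
# done; 'rg-prod' and 'stprodfunctions' are placeholder names.

# 1. Shared Key is enabled unless AllowSharedKeyAccess is explicitly $false.
#    $null means "never set", which is the default and therefore enabled.
$sharedKeyAccounts = Get-AzStorageAccount |
    Where-Object { $_.AllowSharedKeyAccess -ne $false }
$sharedKeyAccounts |
    Select-Object StorageAccountName, ResourceGroupName, AllowSharedKeyAccess

# 2. A Function App whose AzureWebJobsStorage setting is a connection string with
#    AccountKey= depends on the shared key. Identity-based connections use the
#    AzureWebJobsStorage__accountName setting instead and carry no secret.
foreach ($app in Get-AzFunctionApp) {
    # Resource group parsed from the ARM resource ID:
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<name>
    $rg = ($app.Id -split '/')[4]
    $settings = Get-AzFunctionAppSetting -Name $app.Name -ResourceGroupName $rg
    $conn = $settings['AzureWebJobsStorage']
    if ($conn -and $conn -match 'AccountKey=') {
        Write-Warning ("{0}: AzureWebJobsStorage holds an account key" -f $app.Name)
    } elseif ($settings.ContainsKey('AzureWebJobsStorage__accountName')) {
        "{0}: identity-based storage connection to {1}" -f $app.Name, $settings['AzureWebJobsStorage__accountName']
    } else {
        "{0}: no AzureWebJobsStorage setting found" -f $app.Name
    }
}

# 3. Remediate one account once every client of it authenticates with Azure AD.
#    After this, requests signed with either account key are rejected, and so are
#    account SAS and service SAS tokens, because they are signed with the same keys.
Set-AzStorageAccount -ResourceGroupName 'rg-prod' -Name 'stprodfunctions' -AllowSharedKeyAccess $false
```

Run steps 1 and 2 across every subscription before step 3: a Function App still pointed at a connection string with AccountKey= stops working the moment its account rejects Shared Key, and user delegation SAS (signed with an Azure AD token rather than the account key) is the only SAS variant that keeps working afterwards.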