This Week in Cyber 17th March 2023

Latest news & views from our Cyber Analysts

Written by Team Nucleus

Written on 17th March, 2023


Microsoft Rolls Out Patches for 80 New Security Flaws

Microsoft's March 2023 Patch Tuesday update includes fixes for 80 security flaws, with two of them actively exploited in the wild. Eight bugs are considered critical, 71 important, and one moderate. The flaws fixed include a Microsoft Outlook privilege escalation flaw and a Windows SmartScreen security feature bypass. Microsoft also closed out several critical remote code execution flaws impacting HTTP Protocol Stack, Internet Control Message Protocol, and Remote Procedure Call Runtime. Other notable mentions include patches for four privilege escalation bugs identified in the Windows Kernel, 10 remote code execution flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.

Critical Microsoft Outlook Bug Patched

Microsoft has patched a critical vulnerability in Microsoft Outlook for Windows (CVE-2023-23397) that let attackers remotely steal hashed passwords simply by sending the target an email. The issue is a privilege escalation vulnerability with a severity rating of 9.8 that affects all versions of Microsoft Outlook on Windows; attackers can exploit it to steal NTLM credentials by sending the target a malicious email. No user interaction is needed: exploitation occurs when Outlook is open and a reminder is triggered on the system. The vulnerability was found and reported to Microsoft by Ukraine's Computer Emergency Response Team (CERT-UA), likely after seeing it used in attacks targeting its services.

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A new cyber espionage campaign called YoroTrooper has been targeting government, energy, and international organizations in Europe since at least June 2022. The threat actor is believed to be Russian-speaking and has targeted countries including Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) nations. YoroTrooper combines commodity and open-source stealer malware with spear-phishing to deliver custom stealers that use Telegram as an exfiltration channel. The campaign has evolved to include Python-based malware, indicating that the threat actor is investing more effort in its tooling. YoroTrooper has exhibited tactical overlaps with the PoetRAT team that targeted Azerbaijan in 2020.

New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

The Prometei botnet malware has infected over 10,000 systems worldwide since November 2022, with victims primarily in Brazil, Indonesia, and Turkey. The modular botnet mines cryptocurrency and harvests credentials for financial gain. The latest variant, Prometei v3, features a domain generation algorithm for its command-and-control infrastructure, a self-update mechanism, and an expanded set of commands to harvest sensitive data. The malware avoids striking Russia, suggesting that the threat actors behind the operation are likely based in the country. The botnet's spreader programs propagate the malware through RDP, SSH, and SMB.

Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising

A fake Chrome browser extension branded as ChatGPT has been found to hijack Facebook accounts and create rogue admin accounts. The malware uses bogus Facebook applications to harvest cookies and Facebook account data and gain control of target profiles. The hijacked accounts are then used to advertise the malware, expanding the collection of compromised accounts. The extension was promoted through Facebook-sponsored posts and had 2,000 installations per day before being removed from the Chrome Web Store. Threat actors are capitalizing on the popularity of OpenAI's ChatGPT to create fake versions of the chatbot and trick users into installing them.
