In this month’s Patch Tuesday, Microsoft addressed 63 security vulnerabilities in its software, including three that were being actively exploited in the wild. Three of the flaws are rated Critical, 56 Important and four Moderate. Two of the vulnerabilities had already been publicly disclosed at the time of the update.
Counting the three exploited flaws and the two publicly disclosed ones, the release fixes five zero-days. The exploited ones are a Windows SmartScreen Security Feature Bypass (CVE-2023-36025) and two Windows elevation of privilege vulnerabilities (CVE-2023-36033 in the DWM Core Library and CVE-2023-36036 in the Cloud Files Mini Filter Driver), each of which could let an attacker gain SYSTEM privileges. Note that all three are rated Important rather than Critical, so a patching policy that prioritises only Critical-rated fixes would miss the flaws that are actually being exploited.
CVE-2023-36025 marks the third Windows SmartScreen zero-day exploited in 2023. Microsoft has not detailed the attack methods or threat actors involved but notes the potential for these flaws to be used alongside remote code execution bugs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three exploited flaws to its Known Exploited Vulnerabilities catalogue and required federal agencies to apply the fixes by December 5, 2023. Microsoft also patched Critical remote code execution flaws in the Protected Extensible Authentication Protocol (PEAP, CVE-2023-36028) and Pragmatic General Multicast (PGM, CVE-2023-36397), and shipped the fix for the heap-based buffer overflow in the curl library bundled with Windows (CVE-2023-38545).
An Azure CLI information disclosure vulnerability (CVE-2023-36052, one of the three Critical fixes) was also addressed: certain Azure CLI commands could write plaintext usernames and passwords into their command output, and therefore into CI/CD pipeline logs such as GitHub Actions logs, where anyone with read access to the logs could harvest them. Microsoft has since hardened Azure CLI to redact such secrets. Pipelines should be moved to a patched release, historical logs produced by the affected commands reviewed, and any exposed credentials rotated.
LockBit ransomware affiliates are exploiting the Citrix Bleed vulnerability (CVE-2023-4966) to break into large organisations, steal data and encrypt files. Although Citrix released fixes over a month ago, thousands of internet-exposed NetScaler appliances, particularly in the U.S., remain unpatched. High-profile victims including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy and Boeing have all been attacked, with Citrix Bleed the common factor.
These attacks are believed to be conducted by a LockBit affiliate, capitalizing on this vulnerability for network breaches. LockBit, as a major Ransomware-as-a-Service, allows affiliates significant autonomy in their attack methods. This pattern resembles previous behaviours seen in GandCrab and REvil operations, where affiliates specialized in specific industries or access methods.
Over 10,400 Citrix servers worldwide are still vulnerable to CVE-2023-4966, posing a significant risk. The U.S. leads in the number of vulnerable servers, followed by Germany, China, and the U.K. These unpatched servers, found in critical organizations, create a vast attack surface.
Citrix Bleed (CVE-2023-4966), disclosed on October 10, is a critical (CVSS 9.4) sensitive-information-disclosure flaw in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a Gateway or AAA virtual server. An unauthenticated request can read the appliance's memory and recover valid session tokens, and a replayed token lets the attacker hijack an authenticated session, bypassing MFA in the process. Mandiant reported that exploitation began in late August, well before the advisory. Citrix has urged administrators to upgrade to a fixed build and, because tokens stolen before the upgrade remain valid, to terminate all active and persistent sessions afterwards; the attack is low-complexity and requires no user interaction. A proof-of-concept exploit released by Assetnote demonstrated the theft of session tokens.
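As an added worked example (not from this roundup, nor code from Citrix, Mandiant or Assetnote), the following Python script shows the two signals a defender can hunt for in web logs in front of a NetScaler: oversized Host headers sent to the unauthenticated OpenID configuration endpoint that public analysis identified as the trigger for the memory read, and a session token being reused from a source IP other than the one that authenticated it, which is what a replayed stolen token looks like. The log layout, the sample lines, the 1,024-byte Host length threshold and the `OIDC_PATH` constant are assumptions constructed for this example; real NetScaler ns.log and access-log formats differ and the parser would need adapting.

```python
import re
from collections import namedtuple

# Unauthenticated endpoint that public analysis of CVE-2023-4966 identified as
# the trigger for the out-of-bounds memory read. Treated here as known public
# research, not as something stated in the roundup itself.
OIDC_PATH = "/oauth/idp/.well-known/openid-configuration"

# Assumption for this example: no legitimate client sends a Host header this
# long. The public trigger is far larger, so the threshold is deliberately low
# to catch variants while staying well above normal hostname lengths.
HOST_LEN_THRESHOLD = 1024

# Constructed, simplified log layout used by this example only. It is NOT the
# real NetScaler ns.log or access-log format:
#   <src_ip> <method> <path> host_len=<bytes> session=<token|-> status=<code>
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) host_len=(?P<hlen>\d+) "
    r"session=(?P<sess>\S+) status=(?P<status>\d{3})$"
)

Finding = namedtuple("Finding", "kind src detail")


def parse_line(line):
    """Return the parsed fields of one constructed log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text):
    """Scan log text and return a list of Finding tuples, in log order.

    Two signals are raised:
      oversized_host - a Host header of HOST_LEN_THRESHOLD bytes or more sent
                       to OIDC_PATH (an exploitation attempt against the leak)
      session_reuse  - a session token seen from a source IP other than the
                       one it was first observed with (a replayed stolen token)
    """
    findings = []
    first_src_for_session = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hlen = int(rec["hlen"])
        if rec["path"] == OIDC_PATH and hlen >= HOST_LEN_THRESHOLD:
            findings.append(Finding(
                "oversized_host", rec["src"],
                f"{hlen}-byte Host header sent to {OIDC_PATH}"))
        token = rec["sess"]
        if token == "-":
            continue
        owner = first_src_for_session.setdefault(token, rec["src"])
        if owner != rec["src"]:
            findings.append(Finding(
                "session_reuse", rec["src"],
                f"session {token} first seen from {owner}, now used from {rec['src']}"))
    return findings


# Constructed sample traffic: 203.0.113.10 triggers the leak, then replays the
# session that 198.51.100.7 legitimately established. 192.0.2.55 performs a
# normal OpenID discovery request and must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 GET /oauth/idp/.well-known/openid-configuration host_len=24812 session=- status=200
198.51.100.7 GET /logon/LogonPoint/index.html host_len=21 session=- status=200
198.51.100.7 POST /cgi/login host_len=21 session=ab12cd34ef56 status=302
198.51.100.7 GET /vpn/index.html host_len=21 session=ab12cd34ef56 status=200
203.0.113.10 GET /vpn/index.html host_len=21 session=ab12cd34ef56 status=200
192.0.2.55 GET /oauth/idp/.well-known/openid-configuration host_len=21 session=- status=200
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.kind}] src={f.src}: {f.detail}")
```

Running the script on the sample prints one `oversized_host` finding and one `session_reuse` finding, both attributed to 203.0.113.10, while the ordinary OpenID discovery request from 192.0.2.55 stays quiet. Treat the session-reuse signal as a lead rather than proof: mobile users and carrier-grade NAT change client IPs legitimately, so correlate with timing and geography before acting. A clean result also does not mean no stolen token is in use, which is why the guidance is to terminate active and persistent sessions after upgrading rather than relying on log review alone.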
DP World Plc, a leading global port operator, is grappling with a significant backlog of 30,000 shipping containers at Australian ports following a cyberattack. The hack, which occurred last Friday, led to a shutdown of operations in Melbourne, Sydney, Brisbane, and Fremantle. While partial operations resumed this week, ongoing investigations and network protection measures are expected to cause further disruptions.
The company, managing 40% of Australia's maritime trade, moved only 5,000 containers on Monday, a fraction of the usual daily volume. This setback is compounded by upcoming local strikes, potentially delaying a return to normal operations until next week.
DP World has acknowledged that data was stolen in the cyberattack that shut down its ports nationwide last week. Experts suggest that the breach most likely resulted from the company's failure to patch the widely publicised Citrix Bleed vulnerability that the LockBit ransomware gang has been exploiting.
The National Cyber Security Centre (NCSC), in its latest Annual Review, stresses the urgent need for the UK to bolster its cyber defenses, particularly in essential sectors such as water, electricity, communications, transportation, financial networks, and internet services.
This heightened risk landscape is driven by the rise of state-aligned cyber groups, an increase in aggressive cyber activities, and ongoing geopolitical tensions. This past year has seen the emergence of state-aligned cyber actors, often with sympathies towards Russia's actions in Ukraine, posing ideologically driven threats. A notable example is the 'Snake' malware, linked to Russian espionage efforts and the Federal Security Service (FSB), as disclosed by the NCSC.
With the next general election on the horizon, set to occur by January 2025, the NCSC anticipates challenges from advancements in artificial intelligence, including the use of sophisticated language models for creating fake content, the deployment of hyper-realistic bots for spreading disinformation, and the evolution of deepfake campaigns.
The review also addresses threats from China and Russia. China's state-affiliated cyber actors are targeting UK interests with advanced tactics, while Russia remains a formidable global cyber adversary. The NCSC has noted Russia's opportunistic cyber activities in Ukraine and the evolving ransomware threat model, which significantly impacts the UK.
Iran, though less advanced than Russia and China, continues to engage in cyber intrusions for theft and sabotage. The NCSC has issued advisories regarding Iran-affiliated cyber activities targeting vulnerabilities in various sectors, including critical national infrastructure.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.