Microsoft Tackles 63 Security Flaws, Including Actively Exploited Vulnerabilities
In this month’s patch Tuesday, Microsoft addressed 63 security vulnerabilities in its software, including three actively exploited in the wild. The flaws range in severity, with three rated as Critical, 56 as Important, and four as Moderate. Notably, two vulnerabilities were already public at the time of the update.
Among the critical vulnerabilities are five zero-days, including a Windows SmartScreen Security Feature Bypass (CVE-2023-36025) and two Windows elevation of privilege vulnerabilities (CVE-2023-36033 and CVE-2023-36036), which could allow attackers to gain SYSTEM privileges.
CVE-2023-36025 marks the third Windows SmartScreen zero-day exploited in 2023. Microsoft has not detailed the attack methods or threat actors involved but notes the potential for these flaws to be used alongside remote code execution bugs.
The U.S. Cyber security and Infrastructure Security Agency (CISA) has urged federal agencies to apply these fixes by December 5, 2023, due to the severity of these issues. Additionally, Microsoft patched critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast, and a heap-based buffer overflow in the curl library.
An Azure CLI information disclosure vulnerability was also addressed, which could expose plaintext passwords and usernames. Microsoft has since hardened Azure CLI against potential secrets exposure.
Lockbit Ransomware Exploits Citrix Bleed Vulnerability in Global Attacks
Lockbit ransomware attacks are exploiting the Citrix Bleed vulnerability (CVE-2023-4966) to infiltrate large organisations, leading to data theft and file encryption. Despite Citrix releasing fixes over a month ago, thousands of endpoints, particularly in the U.S., remain vulnerable. High-profile targets like the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing have been attacked, with the Citrix Bleed flaw being a common factor.
These attacks are believed to be conducted by a LockBit affiliate, capitalizing on this vulnerability for network breaches. LockBit, as a major Ransomware-as-a-Service, allows affiliates significant autonomy in their attack methods. This pattern resembles previous behaviours seen in GandCrab and REvil operations, where affiliates specialized in specific industries or access methods.
Over 10,400 Citrix servers worldwide are still vulnerable to CVE-2023-4966, posing a significant risk. The U.S. leads in the number of vulnerable servers, followed by Germany, China, and the U.K. These unpatched servers, found in critical organizations, create a vast attack surface.
Citrix Bleed, disclosed on October 10, is a critical security issue affecting Citrix NetScaler ADC and Gateway, allowing access to sensitive information. Mandiant reported that hackers began exploiting this flaw in late August. Citrix has urged administrators to secure systems against these low-complexity, no-interaction attacks. A proof-of-concept exploit was released by AssetNote, demonstrating the theft of session tokens.
DP World cyber attack result of failure to patch well known vulnerability
DP World Plc, a leading global port operator, is grappling with a significant backlog of 30,000 shipping containers at Australian ports following a cyberattack. The hack, which occurred last Friday, led to a shutdown of operations in Melbourne, Sydney, Brisbane, and Fremantle. While partial operations resumed this week, ongoing investigations and network protection measures are expected to cause further disruptions.
The company, managing 40% of Australia's maritime trade, moved only 5,000 containers on Monday, a fraction of the usual daily volume. This setback is compounded by upcoming local strikes, potentially delaying a return to normal operations until next week.
DP World acknowledged that data was stolen in the cyberattack that led to the shutdown of ports nationwide last week. Experts suggest that the breach likely resulted from the company's failure to update the well-known Citrix security vulnerability that was exploited by the Lockbit ransomware gang.
NCSC Warns of Persistent, Significant Threats to UK National Infrastructure
The National Cyber Security Centre (NCSC), in its latest Annual Review, stresses the urgent need for the UK to bolster its cyber defenses, particularly in essential sectors such as water, electricity, communications, transportation, financial networks, and internet services.
This heightened risk landscape is driven by the rise of state-aligned cyber groups, an increase in aggressive cyber activities, and ongoing geopolitical tensions. This past year has seen the emergence of state-aligned cyber actors, often with sympathies towards Russia's actions in Ukraine, posing ideologically driven threats. A notable example is the 'Snake' malware, linked to Russian espionage efforts and the Federal Security Service (FSB), as disclosed by the NCSC.
With the next general election on the horizon, set to occur by January 2025, the NCSC anticipates challenges from advancements in artificial intelligence, including the use of sophisticated language models for creating fake content, the deployment of hyper-realistic bots for spreading disinformation, and the evolution of deepfake campaigns.
The review also addresses threats from China and Russia. China's state-affiliated cyber actors are targeting UK interests with advanced tactics, while Russia remains a formidable global cyber adversary. The NCSC has noted Russia's opportunistic cyber activities in Ukraine and the evolving ransomware threat model, which significantly impacts the UK.
Iran, though less advanced than Russia and China, continues to engage in cyber intrusions for theft and sabotage. The NCSC has issued advisories regarding Iran-affiliated cyber activities targeting vulnerabilities in various sectors, including critical national infrastructure.
