The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
In the April 2023 Patch Tuesday, Microsoft addressed a total of 97 vulnerabilities, including one zero-day vulnerability that is currently being exploited. Among these, seven vulnerabilities are classified as ‘Critical’, posing a significant risk of remote code execution.
This month’s update includes a fix for an actively exploited zero-day vulnerability associated with the Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability. By resolving this issue, Microsoft prevents attackers from gaining SYSTEM privileges, the highest user privilege level within Windows.
Additionally, remote code execution vulnerabilities in Microsoft Office, Word, and Publisher have been addressed. These vulnerabilities could be exploited by merely opening malicious documents and are identified as CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311. Given their potential value in phishing campaigns, threat actors may attempt to find ways to exploit them for malware distribution purposes.
To mitigate potential threats, it is strongly recommended that Microsoft Office users promptly install the latest security updates.
Microsoft OneNote spreading malware
In a recent report, Bleeping Computer has highlighted the growing threat posed by malicious actors who are exploiting Microsoft OneNote file attachments to distribute malware on Windows systems. This latest trend follows Microsoft’s decision to disable macros in Word and Excel documents due to their extensive misuse.
Rather than relying on macros or vulnerabilities, attackers are now using OneNote to create templates that appear as protected documents. The files are disguised with an instruction message to encourage the user to double-click and open the attachment, which triggers the malware.
To prevent this kind of attack, the article recommends that IT professionals block OneNote attachments by blocking the .one file extension at secure mail gateways or servers. However, in situations where this is not possible, the report provides additional advice to help mitigate the risk of an attack.
In conclusion, it is crucial for organisations to stay vigilant against the constantly evolving tactics used by cybercriminals to spread malware. By taking proactive steps to secure their networks and systems, businesses can minimise the risk of falling victim to these kinds of attacks.
3CX Supply Chain Attack leaves millions at risk
The supply chain attack that hit 3CXDesktopApp, a popular voice and video conferencing software, has set off alarm bells among multiple cybersecurity vendors. The attack, which appears to be active and ongoing, uses rigged installers of the software to target downstream customers. 3CXDesktopApp has over 12 million users in 190 countries, and its customers include American Express, BMW, Honda, Ikea, Pepsi and Toyota.
The threat actor behind the attack registered a large supporting infrastructure as far back as February 2022, and there are indications that the attack may have started around March 22, 2023. Although the 3CX PBX client is available for multiple platforms, the attacks observed so far are limited to the Windows Electron client (versions 18.12.407 and 18.12.416) and the macOS versions of the PBX phone system.
The infection chain uses the DLL side-loading technique: a rogue DLL (ffmpeg.dll) is loaded by the legitimate application and retrieves an icon file (ICO) payload. The GitHub repository hosting that file has since been taken down. The final payload is an information stealer that can gather system information and sensitive data stored in popular browsers such as Google Chrome, Microsoft Edge, Brave and Mozilla Firefox.
Security researchers have warned that, because 3CXDesktopApp is so widely used and so central to an organisation’s communication system, threat actors can cause significant damage to businesses that use this software. According to Huntress, there are 242,519 publicly exposed 3CX phone management systems. Symantec, in its advisory, said that the information gathered by this malware presumably allowed the attackers to assess whether the victim was a candidate for further compromise.
In response to the attack, 3CX is working on issuing a new build for its desktop app, and the company has recommended customers uninstall and reinstall the app or use the PWA client as a workaround. 3CX has also stated that it is investigating the matter and has identified the issue to be one of the bundled libraries that were compiled into the Windows Electron app via git.