The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Microsoft Patch Tuesday
In its May 2023 Patch Tuesday updates, Microsoft addressed 38 security vulnerabilities, including one zero-day bug under active exploitation. Of these, 6 are classified as Critical and 32 as Important, with 8 marked as "More Likely to be Exploited."
Additionally, since the beginning of May, Microsoft has fixed 18 flaws in its Chromium-based Edge browser, following the April Patch Tuesday updates.
Most notable among the vulnerabilities is the privilege escalation issue in Win32k, identified as CVE-2023-29336 (CVSS score: 7.8).
Two publicly disclosed vulnerabilities were also addressed: a critical remote code execution flaw in Windows OLE (CVE-2023-29325, CVSS score: 8.1), and a bypass of the Secure Boot security feature (CVE-2023-24932, CVSS score: 6.7). The former could be exploited by sending a specially crafted email, and Microsoft recommends reading emails in plain text format as a mitigation. The latter vulnerability, exploited by the BlackLotus UEFI bootkit, allows an attacker who has physical access or local admin privileges on the targeted device to execute self-signed code at the UEFI level while Secure Boot is enabled.
Newly Uncovered Weakness in Widely-Used WordPress Plugin Puts Over 2 Million Websites at Risk
Owners of the Advanced Custom Fields (ACF) plugin for WordPress are strongly advised to upgrade to version 6.1.6 following the recent discovery of a significant security vulnerability. This weakness, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw that could be used to inject arbitrary scripts into otherwise safe websites. This popular plugin, offered in both free and pro versions, has over two million active users.
Reflected XSS threats typically manifest when unsuspecting victims are lured into clicking a deceptive link delivered via email or another medium, which in turn directs the harmful code to the susceptible website, reflecting the attack back to the user’s browser. This exploit relies on an element of social engineering, making reflected XSS not as wide-reaching or scalable as stored XSS attacks. Consequently, threat actors attempt to disseminate the damaging link to as many potential victims as possible.
These attacks are usually a consequence of inadequate sanitisation of incoming requests, which allows web application functionality to be manipulated and harmful scripts to be triggered. Notably, CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields. It can also be triggered by logged-in users who have access to the plugin.
CACTUS, The New Ransomware Exploiting VPN Weaknesses
Cybersecurity investigators have recently identified a new ransomware variant, CACTUS, which exploits known vulnerabilities in VPN appliances to gain initial access to target networks. Once inside, CACTUS operators systematically enumerate local and network user accounts and reachable endpoints, then create new user accounts and use their own custom scripts to automate deployment of the ransomware encryptor via scheduled tasks.
Since March 2023, CACTUS has been observed targeting large commercial entities, using double extortion methods to exfiltrate sensitive data before encryption. However, no data leak site has been identified so far.
Following successful exploitation of vulnerable VPN devices, the operators establish an SSH backdoor for persistent access and execute a series of PowerShell commands for network scanning and encryption-target identification.
CACTUS operations also employ Cobalt Strike and a tunneling tool named Chisel for command-and-control, in conjunction with remote monitoring and management (RMM) software like AnyDesk for file transfers to infected hosts. They also disable security solutions, extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) for privilege escalation, and conduct lateral movement, data exfiltration, and ransomware deployment.
A distinctive trait of CACTUS is its use of a batch script that extracts the ransomware binary with 7-Zip and deletes the .7z archive before the payload is executed. This shows that threat actors continue to exploit remote access services and unpatched vulnerabilities for initial access, underlining the importance of keeping security measures up to date.
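As an added, constructed example (not from the bulletin or from any vendor tooling), the detection logic below looks for the staging sequence described above in simplified process-creation and file-deletion telemetry: a 7-Zip extraction, deletion of the same .7z archive, and then execution of a binary from the extraction folder. The log format, host names, paths and time window are assumptions.

```python
import re

# Constructed telemetry as "seconds|host|kind|detail"; not real CACTUS data.
# kind: PROC = process creation (detail = command line); FILEDEL = file
# deletion (detail = path). ws01 shows the staging pattern; ws02 is benign.
SAMPLE_LOG = [
    r"36062|ws01|PROC|C:\Program Files\7-Zip\7z.exe x C:\Temp\pkg.7z -pSECRET -oC:\Temp\out -y",
    r"36063|ws01|FILEDEL|C:\Temp\pkg.7z",
    r"36065|ws01|PROC|C:\Temp\out\svc.exe",
    r"36300|ws02|PROC|C:\Program Files\7-Zip\7z.exe x C:\Users\bob\docs.7z -oC:\Users\bob\docs",
    r"36400|ws02|PROC|C:\Users\bob\docs\report.exe",
]

# 7-Zip extract command line: "7z x <archive>.7z ... -o<outdir>" (verb x or e).
EXTRACT_RE = re.compile(r'7z(?:\.exe)?\s+[xe]\s+"?([^"\s]+\.7z)"?.*?-o"?([^"\s]+)', re.I)

def parse(lines):
    """Turn pipe-separated lines into (ts, host, kind, detail) tuples sorted by time."""
    events = []
    for line in lines:
        ts, host, kind, detail = line.split("|", 3)
        events.append((int(ts), host, kind, detail))
    return sorted(events)

def find_staging(events, window=300):
    """One hit per extraction where, within `window` seconds on the same host, the
    .7z is deleted and a binary from the extraction folder then runs."""
    hits = []
    for i, (ts, host, kind, detail) in enumerate(events):
        m = EXTRACT_RE.search(detail) if kind == "PROC" else None
        if not m:
            continue
        archive, outdir = m.group(1).lower(), m.group(2).lower().rstrip("\\")
        deleted = executed = None
        for lts, lhost, lkind, ldetail in events[i + 1:]:
            if lts - ts > window:
                break                              # events are time-sorted
            if lhost != host:
                continue
            if lkind == "FILEDEL" and ldetail.lower() == archive:
                deleted = lts
            elif lkind == "PROC" and deleted is not None \
                    and ldetail.lower().startswith(outdir + "\\"):
                executed = lts                     # deletion preceded execution
                break
        if executed is not None:
            hits.append({"host": host, "archive": archive, "outdir": outdir,
                         "extracted": ts, "deleted": deleted, "executed": executed})
    return hits
```

The benign ws02 extraction is not flagged because its archive is never deleted, which keeps ordinary 7-Zip use out of the alerts.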