Threat Report 2/21/25

Critical Patches Issued for Microsoft Products

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

Affected Systems:

  • Many popular Microsoft products including, but not limited to, Windows, Office, and Edge.

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Microsoft products have the latest version(s) installed.

  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users who need them).

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Affected Systems:

  • Chrome prior to 133.0.6943.98/.99 for Windows and Mac
  • Chrome prior to 133.0.6943.98 for Linux

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Google Chrome products have the latest version(s) installed.

  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users who need them).
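The first remediation step is only actionable if you can tell which installed builds fall below the fixed versions listed above. The following is an added example, not part of the original report: it parses Chrome version strings, compares them against the 133.0.6943.98 lower bound the report gives (the .98/.99 pair for Windows and Mac both sit at or above it), and runs that check over a constructed software inventory. The inventory rows and hostnames are made up for illustration.

```python
import re

# Minimum fixed Chrome builds taken from the report: anything below these is
# unpatched. Windows and Mac shipped as 133.0.6943.98 or .99 and Linux as
# 133.0.6943.98, so the lower bound is the same on every platform.
PATCHED_CHROME = {
    "windows": (133, 0, 6943, 98),
    "mac": (133, 0, 6943, 98),
    "linux": (133, 0, 6943, 98),
}

# Chrome versions are always four dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_chrome_version(version):
    """Turn '133.0.6943.70' into a comparable tuple; reject anything malformed."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def chrome_needs_update(version, platform):
    """True when the installed build is older than the fixed build for that platform."""
    minimum = PATCHED_CHROME[platform.lower()]
    return parse_chrome_version(version) < minimum


# Constructed inventory rows for the example: (hostname, platform, reported version).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "133.0.6943.70"),
    ("ws-002", "windows", "133.0.6943.99"),
    ("mac-010", "mac", "132.0.6834.160"),
    ("lnx-020", "linux", "133.0.6943.98"),
    ("lnx-021", "linux", "not-installed"),
]


def hosts_needing_update(inventory):
    """Return (outdated hosts, hosts whose version could not be parsed).

    Unparseable rows are reported separately rather than silently skipped, so an
    agent that failed to report a version does not get treated as patched.
    """
    outdated, unknown = [], []
    for host, platform, version in inventory:
        try:
            if chrome_needs_update(version, platform):
                outdated.append(host)
        except ValueError:
            unknown.append(host)
    return outdated, unknown


if __name__ == "__main__":
    outdated, unknown = hosts_needing_update(SAMPLE_INVENTORY)
    print("needs update:", outdated)
    print("could not parse:", unknown)
```

Tuple comparison does the right thing across major versions (134.x is never flagged), and the separate "unknown" list is the part worth keeping in a real inventory job: a host that reports no version is an unverified host, not a patched one.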

New macOS Malware Delivered via Web Injects

Proofpoint is tracking a new strain of macOS malware dubbed "FrigidStealer" distributed via web inject campaigns. The malware is designed to steal sensitive information, including passwords, browser cookies, and files related to cryptocurrency. 

The researchers explain, "Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors." 

In this case, the compromised websites inform visitors that they must update their browsers before continuing. If the user clicks the "Update now" button, the threat actor's TDS will download a DMG file. Proofpoint says, "Right clicking and selecting Open bypassed the MacOS security feature called Gatekeeper, which would otherwise warn the user that the application is unsigned and untrusted. (This is a very common technique used by Mac malware authors to effectively run malware on a host.) Clicking Open ran the embedded Mach-O executable, which led to the installation of FrigidStealer."

SonicWall Authentication Flaw Could Be Actively Exploited

Security researchers warn a critical vulnerability in SonicWall's SonicOS is under active exploitation. The flaw, listed as CVE-2024-53704, is an improper authentication vulnerability in the SSL VPN mechanism, which can allow a remote actor to bypass authentication. Bishop Fox researchers released technical details showing how attackers can hijack active SSL VPN sessions and gain unauthorized access to a network. According to Bishop Fox, an attacker can read a user's Virtual Office bookmarks, get a client configuration profile for NetExtender, access private networks and conduct other activities. SonicWall patched the vulnerability after researchers from Computest Security disclosed the flaw.

Russian Threat Actors Target Microsoft 365 Accounts

Volexity and Microsoft have published reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defence, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as "Storm-2372." 

Notably, the attacks involve a lesser-known technique called "device code phishing," in which users are tricked into granting access via the Microsoft Device Code OAuth workflow. Microsoft explains, "In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors." 

Volexity says "this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns." 
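Because device code phishing produces a legitimate token rather than a stolen password, the defensive signal is in the sign-in telemetry: Entra ID sign-in logs record the authentication protocol used, and the device code flow shows up as the value deviceCode. The following is an added example, not from Microsoft's or Volexity's reports: it reads constructed newline-delimited JSON sign-in records, pulls out every device code sign-in, and marks the ones coming from a location the user has never used for an ordinary interactive sign-in. The record layout (userPrincipalName, authenticationProtocol, ipAddress, location, appDisplayName, status) is a simplified assumption for this illustration, and all users, IPs and timestamps are made up.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (newline-delimited JSON). Field names are a
# simplified assumption modelled on Entra ID sign-in logs; map a real export to
# them before use. status 0 = successful sign-in.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime":"2025-02-18T09:01:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":"US","appDisplayName":"Microsoft Teams","status":0}
{"createdDateTime":"2025-02-18T09:14:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":"NL","appDisplayName":"Microsoft Authentication Broker","status":0}
{"createdDateTime":"2025-02-18T10:02:00Z","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":"US","appDisplayName":"Azure CLI","status":0}
{"createdDateTime":"2025-02-18T11:30:00Z","userPrincipalName":"carol@example.org","authenticationProtocol":"none","ipAddress":"203.0.113.30","location":"US","appDisplayName":"Outlook","status":0}
{"createdDateTime":"2025-02-18T12:45:00Z","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.99","location":"RU","appDisplayName":"Microsoft Authentication Broker","status":0}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def interactive_baseline(records):
    """Locations each user has successfully signed in from without the device code flow."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r.get("status") == 0:
            baseline[r["userPrincipalName"]].add(r.get("location"))
    return baseline


def find_device_code_signins(records):
    """Return every device code sign-in, flagging those from a location outside the
    user's interactive baseline. A user with no interactive baseline at all is
    treated as new (the analyst has nothing to compare against)."""
    baseline = interactive_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        known = baseline.get(user, set())
        findings.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r.get("ipAddress"),
            "location": r.get("location"),
            "app": r.get("appDisplayName"),
            "new_location": r.get("location") not in known,
        })
    return findings


def summarize(findings):
    """Count device code sign-ins per user, to order triage."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOGS))
    for h in hits:
        flag = "NEW LOCATION" if h["new_location"] else "known location"
        print(f'{h["time"]} {h["user"]} {h["ip"]} ({h["location"]}) via {h["app"]}: {flag}')
    print(summarize(hits))
```

The point of the baseline is to cut noise: device code sign-ins are legitimate for CLI tools and headless devices, so the useful question is not "did a device code sign-in happen" but "did it come from somewhere this user never signs in from interactively". Because the issued token stays valid after the phish, a confirmed hit should be followed by revoking the user's sessions, not just a password reset.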

 
