HTG Threat Report

Threat Report 6/21/24

Written by Evan Kennedy | Jun 21, 2024 1:37:47 PM
Critical Patches Issued for Microsoft Products

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights. 


Affected Systems:

  • Visual Studio
  • Windows Server Service
  • Windows Distributed File System (DFS)
  • Windows Kernel
  • Windows Themes
  • Winlogon
  • Windows Remote Access Connection Manager
  • Windows DHCP Server
  • Windows Event Logging Service
  • Windows Link Layer Topology Discovery Protocol
  • Windows Container Manager Service
  • Microsoft WDAC OLE DB provider for SQL
  • Windows Wi-Fi Driver
  • Windows Win32K - GRFX
  • Windows Standards-Based Storage Management Service
  • Windows Kernel-Mode Drivers
  • Windows Cloud Files Mini Filter Driver
  • Windows Win32 Kernel Subsystem
  • Windows NT OS Kernel
  • Microsoft Streaming Service
  • Windows Storage
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Cryptographic Services
  • Microsoft Windows Speech
  • Microsoft Office SharePoint
  • Microsoft Office
  • Microsoft Office Word
  • Microsoft Office Outlook
  • Dynamics Business Central
  • Azure Storage Library
  • Azure File Sync
  • Azure Monitor
  • Azure SDK
  • Microsoft Dynamics
  • Windows Perception Service
  • Azure Data Science Virtual Machines


Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Microsoft products have the latest version(s) installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

Multiple Vulnerabilities in VMware Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for remote code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyper-converged infrastructure (HCI) that is made for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 

 

Affected Systems:

  • VMware vCenter Server versions prior to 8.0 U2d
  • VMware vCenter Server versions prior to 8.0 U1e
  • VMware vCenter Server versions prior to 7.0 U3r
  • VMware Cloud Foundation (VMware vCenter Server) versions prior to KB88287

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices utilizing VMware have the latest version(s) installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

A Vulnerability in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

 

Affected Systems:

  • Adobe Photoshop 2023 24.7.3 and earlier versions for Windows and macOS
  • Adobe Photoshop 2024 24.7 and earlier versions for Windows and macOS
  • Adobe Experience Manager (AEM) 6.5.20 and earlier versions
  • Adobe Audition 24.2 and earlier versions for Windows and macOS
  • Adobe Audition 23.6.4 and earlier versions for Windows and macOS
  • Adobe Media Encoder 24.3 and earlier versions for Windows and macOS
  • Adobe Media Encoder 23.6.5 and earlier versions for Windows and macOS
  • Adobe FrameMaker Publishing Server 2022.2 and earlier versions for Windows
  • Adobe FrameMaker Publishing Server 2020 Update 3 and earlier versions for Windows
  • Adobe Commerce 2.4.7 and earlier
  • Adobe Commerce 2.4.6-p5 and earlier
  • Adobe Commerce 2.4.5-p7 and earlier
  • Adobe Commerce 2.4.4-p8 and earlier
  • Adobe Commerce 2.4.3-ext-7 and earlier*
  • Adobe Commerce 2.4.2-ext-7 and earlier*
  • Adobe Commerce 2.4.1-ext-7 and earlier*
  • Adobe Commerce 2.4.0-ext-7 and earlier*
  • Adobe Commerce 2.3.7-p4-ext-7 and earlier*
  • Adobe Commerce Webhooks Plugin 1.2.0 to 1.4.0
  • Magento Open Source 2.4.7 and earlier
  • Magento Open Source 2.4.6-p5 and earlier
  • Magento Open Source 2.4.5-p7 and earlier
  • Magento Open Source 2.4.4-p8 and earlier
  • ColdFusion 2023 Update 8
  • ColdFusion 2021 Update 14
  • Adobe Substance 3D Stager 3.0.2 for Windows and macOS
  • Creative Cloud Desktop Application 6.2.0.554 for Windows
  • Acrobat Android 24.4.2.33155 and earlier versions for all Android versions

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices utilizing the above software have the latest version installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

Whistleblower Claims That Microsoft Prioritized Profit Over Security

ProPublica has published a report outlining claims by former Microsoft employee Andrew Harris that Microsoft prioritized profit over security, leaving the US government open to the 2020 SolarWinds attack. Harris says he uncovered a severe flaw in Microsoft's Active Directory Federation Services (AD FS) that allowed attackers to forge Security Assertion Markup Language (SAML) tokens. The Russian state-sponsored threat actor behind the SolarWinds hack exploited the flaw discovered by Harris to breach several US federal agencies, including the National Nuclear Security Administration and the National Institutes of Health.

Harris says he urged Microsoft for years to apply a temporary fix by disabling single sign-on (SSO), but the company declined in order to pursue a long-term alternative. ProPublica states that at the time, "The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing."


 
New Malware Uses Emoji-Based Command Protocol

Volexity says the Pakistan-aligned threat actor UTA0137 is targeting Indian government entities with a new strain of Linux malware dubbed "DISGOMOJI." Notably, the malware uses an emoji-based protocol to receive commands from Discord. For example, a "Man Running" emoji is sent to run a command, while a camera emoji is used to take a screenshot.

The researchers note, "The use of Linux malware for initial access paired with decoy documents (suggesting a phishing context) is uncommon, as the attacker would only do this if they know the target is a Linux desktop user. Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop."