Featured Story
Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
Microsoft’s May Patch Tuesday update addresses 40 vulnerabilities, including two zero-days. CVE-2023-29336 is an elevation of privilege flaw in the Win32k driver, potentially granting attackers SYSTEM privileges. CVE-2023-24932 is a Secure Boot bypass actively used by the BlackLotus UEFI bootkit to disable defenses at the firmware level.
Additional critical flaws addressed include RCE bugs in Windows Network File System, Pragmatic General Multicast, and OLE. Organizations should carefully review and apply updates after testing.
Although the two zero-days require local or privileged access, they may be combined with remote exploits. We recommend applying all critical updates promptly. Our SOC is available to assist with patch prioritization and system audits to detect signs of exploitation.
Other Stories
Cactus Ransomware Infiltrates Networks by Exploiting VPN Flaws
A new ransomware variant named “Cactus” is using VPN vulnerabilities for initial access and encrypting its own binary to avoid detection. It leverages scripts and tools like 7-Zip to obscure the payload and renames files in two stages during encryption (first to .CTS0, then to .CTS1).
Detecting ransomware before encryption is key. Focus on detecting lateral movement, privilege escalation, and unusual behavior. Our SOC offers threat hunting and monitoring services to catch attackers earlier in the chain.
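As an added example (not from the digest or from any vendor tooling), the Python below scans constructed file-rename events for the two-stage .CTS0/.CTS1 pattern described above and flags hosts with a burst of such renames; the hostnames, paths, sample timestamps and the 5-renames-per-60-seconds threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cactus renames files twice while encrypting: first to .cts0, then to .cts1.
CACTUS_EXT = re.compile(r"\.cts[01]$", re.IGNORECASE)

# Constructed sample file-rename events (not real telemetry):
# "<ISO timestamp> <host> <old path> <new path>", paths without spaces.
SAMPLE_EVENTS = r"""
2023-05-12T10:00:01 srv-files01 D:\share\q1.xlsx D:\share\q1.xlsx.cts0
2023-05-12T10:00:02 srv-files01 D:\share\q1.xlsx.cts0 D:\share\q1.xlsx.cts1
2023-05-12T10:00:02 srv-files01 D:\share\plan.docx D:\share\plan.docx.cts0
2023-05-12T10:00:03 srv-files01 D:\share\plan.docx.cts0 D:\share\plan.docx.cts1
2023-05-12T10:00:03 srv-files01 D:\share\notes.txt D:\share\notes.txt.cts0
2023-05-12T10:00:04 srv-files01 D:\share\notes.txt.cts0 D:\share\notes.txt.cts1
2023-05-12T10:05:00 ws-hr-07 C:\Users\a\report.docx C:\Users\a\report_v2.docx
2023-05-12T11:30:00 ws-hr-07 C:\Users\a\old.log C:\Users\a\old.log.cts0
"""

def parse_events(text):
    """Parse the whitespace-separated event lines into (time, host, old, new)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, old, new = line.split()
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events

def detect_cactus_renames(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: (burst, second_stage)} for hosts with at least `threshold`
    renames to .cts0/.cts1 inside any `window`; `burst` is the largest such
    count and `second_stage` the number of .cts0 -> .cts1 renames seen."""
    stamps = defaultdict(list)
    second_stage = defaultdict(int)
    for ts, host, old, new in events:
        if CACTUS_EXT.search(new):
            stamps[host].append(ts)
            if old.lower().endswith(".cts0") and new.lower().endswith(".cts1"):
                second_stage[host] += 1
    flagged = {}
    for host, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = (best, second_stage[host])
    return flagged
```

A single .cts0 rename on ws-hr-07 stays below the threshold, while the six renames on srv-files01 within three seconds (three of them the .cts0 to .cts1 second stage) are flagged.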
Beware of Suspicious Messages Claiming to Be from Your Bank
Safeonweb warns about fake messages from “Service Client” pretending to represent BNP Paribas Fortis. Victims are lured into clicking a link and entering their bank credentials. Nearly 500 reports were filed in one hour alone.
Always navigate to your bank’s official site manually. If you receive suspicious emails or texts, forward them to:
- verdacht@safeonweb.be
- suspect@safeonweb.be
- suspicious@safeonweb.be
Our SOC can support message verification and incident response if needed.
Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability
Microsoft has confirmed that state-sponsored groups from Iran are actively exploiting the PaperCut MF/NG flaw (CVE-2023-27350). These groups, including Mint Sandstorm and Mango Sandstorm, are targeting governments, critical infrastructure, and NGOs.
This vulnerability was covered in our Week 18 digest and has since been weaponized. Organizations should ensure PaperCut updates are applied immediately. Our SOC can assist in patch validation and compromise assessment.
Babuk Source Code Sparks 9 Ransomware Strains Targeting VMware ESXi
The leak of Babuk ransomware source code in 2021 continues to fuel the creation of new ESXi-targeting ransomware families. At least nine variants now exist, including Cylance, Rorschach (BabLock), RTM Locker, and others focused on Linux and ESXi platforms.
ESXi environments are a high-value target due to their density. Implement segmentation, limit access to management interfaces, and monitor for suspicious admin actions. Our SOC can assist with hypervisor protection strategies and incident response.