
Weekly Digest Week 2 – 2024

Publication date

12.01.2024


Microsoft Patch Tuesday January 2024 Patches 48 Vulnerabilities (2 Critical, 46 Important)

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and hold security fixes for Microsoft devices and software. This month’s release covers forty-eight Microsoft vulnerabilities. Two vulnerabilities are marked as critical and forty-six as important.

Analysis from our SOC team
We follow the CCB’s recommendations to upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Contact our SOC if advice, guidance or help is needed related to patching, mitigation, detection, monitoring, or incident response.


Ivanti Connect Secure, formerly known as Pulse Connect Secure or simply Pulse Secure, is an SSL VPN solution. Ivanti Policy Secure is a NAC (network access control) solution.

CVE-2023-46805 & CVE-2024-21887 affect all supported versions, and it is probable that End-of-Life (EOL) versions are also susceptible.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. CVE-2024-21887 can be exploited over the internet.

Combining both vulnerabilities results in an exploit chain which allows an unauthenticated remote attacker to inject arbitrary commands on these appliances.

Ivanti indicates this exploit chain is exploited in the wild. This is confirmed by public reports. Follow-up activity includes further lateral movement to the internal network, credential harvesting, …

As of now, the vendor has not released a patch for the vulnerabilities. The initial patches are expected to be released during the week of January 22, 2024. 

Ivanti indicates CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the download portal. Please note this mitigation impacts or degrades several features. 

Analysis from our SOC team
We follow the CCB’s recommendations to patch (when available), mitigate and monitor/detect.

In some documented cases the threat actor wiped the device logs and disabled logging. Please ensure logging, both local and remote, is still enabled, and treat a log source that suddenly goes silent as something to investigate rather than as a collector hiccup.
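One way to turn that advice into a recurring check, as an added example that is not part of the original article and not Ivanti’s own tooling: the script below reads appliance logs as forwarded to a central collector and flags any inventoried host that has stopped sending, plus the longest silent stretch seen per host (a disabled-then-re-enabled logging configuration shows up as a gap even if the host is talking again). The line format (`timestamp host message`), the host names, the six-hour threshold and the sample log lines are all constructed for the example.

```python
"""Flag log sources that went silent (added example; not from the article or Ivanti).

Assumptions (not from the original page): logs arrive as
'ISO-8601-UTC host message' lines, an inventory lists every appliance
expected to log, and six hours of silence is worth an alert.
"""
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(hours=6)  # assumed value; tune per appliance

# Constructed sample: ics-01 keeps logging, ics-02 stops after 09:00,
# which is what a wiped/disabled log configuration looks like from the
# collector's side. ics-03 is in the inventory but never logs at all.
SAMPLE_SYSLOG = """\
2024-01-10T08:00:00Z ics-01 system: health check ok
2024-01-10T08:00:00Z ics-02 system: health check ok
2024-01-10T09:00:00Z ics-01 web: admin login from 10.0.0.5
2024-01-10T09:00:00Z ics-02 system: health check ok
2024-01-10T12:00:00Z ics-01 system: health check ok
2024-01-10T16:00:00Z ics-01 system: health check ok
"""
INVENTORY = ["ics-01", "ics-02", "ics-03"]


def parse_syslog(text):
    """Parse 'timestamp host message' lines into (datetime, host, message)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, host, message = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, host, message))
    return events


def last_seen(events):
    """Most recent event timestamp per host."""
    seen = {}
    for ts, host, _ in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(events, inventory, now, threshold=SILENCE_THRESHOLD):
    """Return {host: gap} for inventoried hosts silent longer than threshold.

    A host that never logged at all is reported with gap=None, so an
    appliance that was deployed but never forwarded logs is not missed.
    """
    seen = last_seen(events)
    alerts = {}
    for host in inventory:
        if host not in seen:
            alerts[host] = None
        elif now - seen[host] > threshold:
            alerts[host] = now - seen[host]
    return alerts


def largest_gaps(events):
    """Longest interval between two consecutive events, per host.

    Catches a logging outage in the middle of the retention window even
    when the host has since resumed logging.
    """
    per_host = {}
    for ts, host, _ in sorted(events):
        per_host.setdefault(host, []).append(ts)
    gaps = {}
    for host, stamps in per_host.items():
        gaps[host] = max((b - a for a, b in zip(stamps, stamps[1:])), default=timedelta(0))
    return gaps


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 17, 0, tzinfo=timezone.utc)  # fixed for the sample
    events = parse_syslog(SAMPLE_SYSLOG)
    for host, gap in silent_sources(events, INVENTORY, now).items():
        print(f"ALERT {host}: {'never logged' if gap is None else f'silent for {gap}'}")
    for host, gap in largest_gaps(events).items():
        print(f"{host}: longest gap {gap}")
```

In production the `now` value comes from the collector clock and the threshold should sit just above the appliance’s normal quiet period (an idle VPN still emits periodic system events), so that an alert means the device stopped talking, not that users went home.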

Ivanti has seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, Ivanti recommends that all customers run the external ICT. Ivanti regularly provides updates to the external and internal ICT, so ensure you are running the latest version of each.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

First known exploitation at the time of publication dates from 2023-12-03.

Contact our SOC if advice, guidance or help is needed related to patching, mitigation, detection, monitoring, or incident response.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2023-29357 (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft released patches for the bug as part of its June 2023 Patch Tuesday updates.

Additional specifics of the real-world exploitation of CVE-2023-29357 and the identity of the threat actors that may be abusing it are presently unknown. That said, federal agencies are required to apply the patches by January 31, 2024, to secure against the active threat.

Analysis from our SOC team
Again we would like to put emphasis on the recommendations made in the articles above. Patch, mitigate, monitor/detect.

As the patch for the exploited vulnerability was released more than six months ago, this case shows the importance of patching devices in a timely manner: an exposed, unpatched system remains a target long after the fix is available.

Contact our SOC by replying to this email if advice, guidance or help is needed related to patching, mitigation, detection, monitoring, or incident response.


A threat actor associated with Black Basta ransomware attacks has been wielding a new loader similar to the notoriously hard-to-kill Qakbot, in a widespread phishing campaign aimed at gaining entry to organization networks for further malicious activity.

Tracked as Water Curupira by Trend Micro, the actor is best known for conducting dangerous campaigns to drop backdoors such as Cobalt Strike that ultimately lead to Black Basta ransomware attacks, researchers said in a post published Jan. 9.

Water Curupira was active in the first quarter of 2023, then appeared to take a break the end of June that lasted until the start of September, when campaigns started in earnest again, according to Trend Micro. Recently, the actor has conducted phishing campaigns that drop a new loader, Pikabot — which has similarities to and could even be a replacement for Qakbot, an initial access Trojan which often preceded Black Basta ransomware and was taken down in a law-enforcement operation called Operation Duck Hunt in August 2023.


Analysis from our SOC team
It’s important to stay vigilant when it comes to threats to your organisation. Cybercriminals adapt and change their tactics and malware whenever it’s needed, which is what we can see explained in this article as well.

As the malware delivery in this case is attempted exclusively via email, it is important to have a good mail protection solution, employees who are aware of the different kinds of email threats and how to handle them, and a point of contact to which suspicious mails can be reported.

Defense in layers is an absolute necessity to increase the ability to protect against various threats.

Don’t hesitate to contact our SOC if you need an assessment of your web protection solution, awareness training or if you want to offload triage of reported suspicious emails. 


Safeonweb received as many as 3 459 reports of fake messages with the message: ‘Federal fine’ last week.  The attachment in the email contains a document (Strafvordering.pdf) that appears to be from Europol. This message is not from a police force. It is an attempted scam.

You are allegedly summoned in connection with moral offences and urged to contact an official urgently.

The message comes across as very weighty and compelling. The intention is to scare you and extort money from you.  This type of scam is not new, but it continues to circulate persistently and scares a lot of people.

Analysis from our SOC team
The tips described in the article are what we would like to emphasise as well.
– Do not open the attachment.
– Do not reply or contact the person mentioned in the message
– Mark the message as SPAM or unwanted.
– Block the sender.
– Delete the message.

Suspicious messages can be forwarded to any of the three email addresses from Safeonweb:
– verdacht@safeonweb.be
– suspect@safeonweb.be
– suspicious@safeonweb.be

Our SOC is always available to assist in case there are any doubts or suspicions about text or mail messages.

