Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors.
"As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that

Cyber Threat / Ransomware

Tactical similarities have been unearthed between the double extortion ransomware group known as **Rhysida** and **Vice Society**, including in their targeting of education and healthcare sectors.

"As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point said in a new report.

Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them.

First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets' networks and deploy their payloads. A majority of its victims are based in the U.S., the U.K., Italy, Spain, and Austria.

Lateral movement is facilitated using remote desktop protocol (RDP) and remote PowerShell sessions, while the ransomware payload is deployed using PsExec. Command-and-control is achieved by means of backdoors like SystemBC and remote management tools such as AnyDesk.

The attack chains are also notable for consistently erasing logs and forensic artifacts to cover their trail and initiating a domain-wide password change to inhibit remediation efforts.

"They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector," the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center said in an alert last week.

The latest findings from the Israeli cybersecurity firm have revealed a "clear correlation" between the emergence of Rhysida and the disappearance of Vice Society.

This comprises the use of NTDSUtil, the creation of local firewall rules to enable C2 communications via SystemBC, and the utilization of a commodity tool called PortStarter, which has been linked almost exclusively to Vice Society.

"Ever since Rhysida first appeared, Vice Society has only published two victims," Check Point said. "It's likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023."

The other major indicator is the commonality in their victimology footprints. Both Rhysida and Vice Society have disproportionately targeted the education vertical, accounting for 32% and 35% of the overall distribution, respectively.

"Our analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice Society, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged," the company said.

"From the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Report Exposes Vice Society's Collaboration with Rhysida Ransomware

"FFRI yarai", "FFRI yarai Home and Business Edition" and their OEM products handle exceptional conditions improperly, which may lead to denial-of-service (DoS) condition. 
Affected products and versions are as follows: FFRI yarai versions 3.4.0 to 3.4.6 and 3.5.0, FFRI yarai Home and Business Edition version 1.4.0, InfoTrace Mark II Malware Protection (Mark II Zerona) versions 3.0.1 to 3.2.2, Zerona / Zerona PLUS versions 3.2.32 to 3.2.36, ActSecure ? versions 3.4.0 to 3.4.6 and 3.5.0, Dual Safe Powered by FFRI yarai version 1.4.1, EDR Plus Pack (Bundled FFRI yarai versions 3.4.0 to 3.4.6 and 3.5.0), and EDR Plus Pack Cloud (Bundled FFRI yarai versions 3.4.0 to 3.4.6 and 3.5.0).

*   TOP
*   サポート
*   ダウンロード
*   サポートからのお知らせ
*   【重要】Zerona 特定条件下で(マルウェア防御/マルウェア対策)機能が一時停止する脆弱性について

*   印刷する

2023年8月7日

【本アナウンス対象のお客様】

*   InfoTrace Mark IIをご利用で、「マルウェア防御 (Mark II Zerona)」機能をご利用のお客様
*   InfoTrace PLUSをご利用で、Zerona(マルウェア対策)機能をご利用のお客様
*   Zerona / Zerona PLUSをご利用のお客様

Windows Defender連携機能を有効にしている環境で、特定のファイルをMicrosoft Defender  
(旧 Windows Defender)が脅威として検知した際、Zerona側で情報を適切に処理できないことがあり、  
Zeronaの監視機能(エンジン)が最大で15分間停止するサービス運用妨害(DoS)状態となる不具合が確認されました。  
なお、外部からリモート実行されるような問題ではありません。  
また、現時点で、この脆弱性に関連するような製品に対する報告を受けておらず、実際の攻撃も確認されておりません。  
お手数をおかけいたしますが、以下の対策を実施いただきますようお願い申し上げます。

1.  1.対象製品とバージョン
    
    *   InfoTrace Mark II マルウェア防御(Mark II Zerona)V3.0.1からV3.2.2までの各バージョン
    *   InfoTrace PLUS Zerona / Zerona PLUS(マルウェア対策)V3.2.32からV3.2.36までの各バージョン
    
    1.  ※上記の製品・上記のバージョンをご利用の場合でも Microsoft Defender自体を無効化している環境、  
        またはZeronaのWindows Defender連携機能を無効にしていれば影響を受けません。
    
    3.  ※InfoTrace Mark II 証跡ログ(Recorder)におけるWindows Defenderイベントの記録は、  
        この影響を受けません。
    
2.  2.想定される影響  
    特定のファイルをMicrosoft Defenderが脅威として検知した際、その情報によってはZeronaのWindows Defender連携機能が適切に処理できないため、以降のファイルのスキャンなどが一定期間行われなくなる可能性があります。  
    Microsoft Defenderによる検知時のみ発生するため、定義ファイルの更新といった他の挙動では発生しません。  
    また、本脆弱性はZeronaにのみ影響があり、本脆弱性を使って他のアプリケーションに影響を及ぼすことはありません。  
    同様にMicrosoft Defenderの動作には影響はありません。
    
    (CVE-2023-39341)
    
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    基本値: 4.3
    
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:N/A:P
    
    基本値: 4.3
    
3.  3.対策方法  
    
    *   InfoTrace Mark II マルウェア防御(Mark II Zerona)
        
        1.  (1)暫定的な対策  
            Windows Defender連携機能を無効にする。  
            以下、FAQに設定方法を記載しております。  
            FAQ.19575 ZeronaのWindows Defender連携を有効/無効にする方法  
            https://secure.okbiz.okwave.jp/faq-soliton/faq/show/19575  
            ※FAQの参照にはInfoTrace Mark II マルウェア防御(Mark II Zerona)ご契約者様向けのアカウントが必要となります。
        2.  (2)アップデートする  
            2023年8月7日(月)にリリースされたZerona V3.2.4で対応しております。アップデートしていただけますようお願い申し上げます。
        
    *   InfoTrace PLUS Zerona / Zerona PLUS(マルウェア対策)
        
        1.  (1)暫定的な対策  
            Windows Defender連携機能を無効にする。  
            以下、FAQに設定方法を記載しております。  
            FAQ.19575 ZeronaのWindows Defender連携を有効/無効にする方法  
            https://secure.okbiz.okwave.jp/faq-soliton/faq/show/19574  
            ※FAQの参照にはZerona/Zerona PLUSご契約者様向けのアカウントが必要となります。
        2.  (2)アップデートする  
            本対策を実施したアップデートパックのリリースする予定はございますが、販売終了製品であるため、現時点でリリース時期は未定となります。それまでは、暫定的な対策を実施していただけますようお願い申し上げます。
        
    
    用語集
    
    *   **Microsoft Defender(旧 Windows Defender)**  
        マイクロソフト社によって開発されたウイルス対策製品。  
        OS標準の機能で、基本的な機能は追加料金なく使用することが可能です。  
        一般的なウイルス対策製品とは共存できないため、ウイルス対策製品をインストールした際には、自動的に無効化されることがあります。  
        ※Zeronaは共存可能なため無効化はされません。
    *   **Windows Defender 連携機能**  
        Microsoft Defender(旧 Windows Defender)が検出した情報を、Mark II Server あるいは e-Care Manager に通知する機能。
    
    現時点では上記名称ですが、今後、マイクロソフト社の名称変更に従い、弊社側でも機能名が変わることがあります。

CVE-2023-39341: 【重要】Zerona 特定条件下で(マルウェア防御/マルウェア対策)機能が一時停止する脆弱性について | サポート | ソリトンシステムズ

Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including a patch that addresses multiple zero-day vulnerabilities currently being exploited in the wild.

**Microsoft Corp.** today issued software updates to plug more than 70 security holes in its **Windows** operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.

Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.

Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.

**Satnam Narang**, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the **Windows Search Security** feature.

“Microsoft also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE,” Narang said. “Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritize patching this vulnerability and applying the defense-in-depth update as soon as possible.”

Redmond patched another flaw that is already seeing active attacks — CVE-2023-38180 — a weakness in **.NET** and **Visual Studio** that leads to a denial-of-service condition on vulnerable servers.

“Although the attacker would need to be on the same network as the target system, this vulnerability does not require the attacker to have acquired user privileges,” on the target system, wrote **Nikolas Cemerikic**, cyber security engineer at Immersive Labs.

Narang said the software giant also patched six vulnerabilities in **Microsoft Exchange Server**, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (threat) score of 9.8 out of a possible 10, even though Microsoft rates it as an important flaw, not critical.

“An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts,” Narang said. “Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.”

Experts at security firm **Automox** called attention to CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service that can be exploited remotely and without privileges to execute code on vulnerable Windows 10, 11 and Server 2008-2022 systems. Microsoft says it considers this vulnerability “less likely” to be exploited, and Automox says while the message queuing service is not enabled by default in Windows and is less common today, any device with it enabled is at critical risk.

Separately, **Adobe** has issued a critical security update for Acrobat and Reader that resolves at least 30 security vulnerabilities in those products. Adobe said it is not aware of any exploits in the wild targeting these flaws. The company also issued security updates for **Adobe Commerce** and **Adobe Dimension**.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a fair chance other readers have experienced the same and may chime in here with useful tips.

Additional reading:

**\-SANS Internet Storm Center** listing of each Microsoft vulnerability patched today, indexed by severity and affected component.

–AskWoody.com, which keeps tabs on any developing problems related to the availability or installation of these updates.

Microsoft Patch Tuesday, August 2023 Edition

The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio.

Tuesday, August 8, 2023 15:08

Microsoft disclosed 73 vulnerabilities across its suite of products and software Tuesday, including six that are considered “critical.”

One of the vulnerabilities, which Microsoft considers to be only of "moderate" severity, has been actively exploited in the wild. The company has had to address many zero-day vulnerabilities in its monthly security updates this year, including four last month and one in May. Microsoft also released an advisory detailing changes to its defense-in-depth model to defend against tactics adversaries are currently using in the wild.

Outside of the six critical issues, two are considered to be of “moderate” severity, while the remainder are listed as “important.”

Two of the critical vulnerabilities lie in Microsoft Teams, the company’s popular collaboration and messaging platform. An attacker could exploit CVE-2023-29328 and CVE-2023-29330 to perform remote code execution in the context of the victim user.

An attacker could exploit these vulnerabilities by tricking the victim into joining an adversary-created Teams meeting.

Three other critical remote code execution vulnerabilities — CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 — exist in Microsoft’s message queuing service for certain versions of Windows 10, 11 and Windows Server.

Message queuing would need to be manually enabled on a target’s machine for it to be exploitable, according to Microsoft. Users can check to see if they’re vulnerable by checking if there is a service named “Message Queuing” running on their device and if port 1801 is listening on the machine.

The last critical vulnerability included in August’s Patch Tuesday is CVE-2023-36895, a remote code execution vulnerability in Microsoft word. However, it has a relatively low severity score of 7.8 out of 10 for a critical vulnerability.

Microsoft Exchange also contains four remote code execution vulnerabilities, though all are considered “important.”

An authenticated attacker who is on the same intranet as the Exchange Server could achieve remote code execution via a PowerShell remoting session, according to Microsoft, by exploiting CVE-2023-35388, CVE-2023-35368, CVE-2023-38182 and CVE-2023-38185.

An adversary could only exploit the vulnerabilities in Exchange Server if they have valid credentials to log in with LAN access and have access to a valid Exchange user account.

There are also four elevation of privilege issues in the Windows kernel that could allow an adversary to gain SYSTEM-level privileges: CVE-2023-35359, CVE-2023-35380, CVE-2023-35382 and CVE-2023-35386.

Microsoft’s advisories state that these issues are “more likely” to be exploited, though the adversary must first have local access to the targeted machine, and the targeted user needs to be able to create folders and performance traces on the machine, which most users have by default.

Another privilege escalation vulnerability, CVE-2023-36900, exists in the Windows Common Log File System Driver. An attacker could also exploit this vulnerability to gain SYSTEM-level privileges, though they first must be able to log into the targeted system with the privileges of a standard user.

The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio. Though there are little details available currently about this issue, Microsoft states that the attack complexity is “low” and does not require any user privileges or interaction for an attacker to exploit it.

Talos would also like to highlight five “important” vulnerabilities that Microsoft considers “less likely” to be exploited. However, as these issues exist in the popular Microsoft Office suite of products and could lead to remote code execution, are still worth noting:

*   CVE-2023-35371
*   CVE-2023-35372
*   CVE-2023-36865
*   CVE-2023-36866
*   CVE-2023-36896

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 62202, 62203, 62208 - 62211, 62215 and 62216. There are also Snort 3 rules are 300648 - 300650 and 300652.

Six critical vulnerabilities included in August’s Microsoft security update

Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-36911

CVE-2023-35385

Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2023-35383

CVE-2023-36913

Microsoft Message Queuing Denial of Service Vulnerability

Tag

#microsoft