Summary Summary Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.
These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.

Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks

Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies.
The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."
The

Cyber Attack / Ransomware

Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies.

The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."

The company is urging all its customers to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a patch is being prepared to address the weakness.

The revelation comes a week after Progress divulged another set of SQL injection vulnerabilities (CVE-2023-35036) that it said could be weaponized to access the application's database content.

The vulnerabilities join CVE-2023-34362, which was exploited as a zero-day by the Clop ransomware gang in data theft attacks. Kroll said it found evidence that the group, dubbed Lace Tempest by Microsoft, had been testing the exploit as far back as July 2021.

The development also coincides with the Cl0p actors listing the names of 27 companies that it claimed were hacked using the MOVEit Transfer flaw on its darknet leak portal. According to a report from CNN, this also includes multiple U.S. federal agencies such as the Department of Energy.

"The number of potentially breached organizations so far is significantly greater than the initial number named as part of Clop's last MFT exploitation: the Fortra GoAnywhere MFT campaign," ReliaQuest said.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

Censys, a web-based search platform for assessing attack surface for internet-connected devices, said nearly 31% of over 1,400 exposed hosts running MOVEit are in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military sectors. Nearly 80% of the servers are based in the U.S.

Per Kaspersky's analysis of 97 families spread via the malware-as-a-service (MaaS) business model between 2015 and 2022, ransomware leads with a 58% share, followed by information stealers (24%) and botnets, loaders, and backdoors (18%).

"Money is the root of all evil, including cybercrime," the Russian cybersecurity company said, adding the MaaS schemes allow less technically proficient attackers to enter the fray, thereby lowering the bar for carrying out such attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-32027

Microsoft OLE DB Remote Code Execution Vulnerability

CVE-2023-32028

CVE-2023-32026

CVE-2023-32025

CVE-2023-29356

Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

CVE-2023-29349

**BOSTON****,** **June 15, 2023** **/PRNewswire/ --** The vulnerability of subdomain takeover in Microsoft Azure continues to pose a threat, with researchers at Keytos discovering approximately 15,000 vulnerable subdomains each month using cryptographic certificates. This relatively common exploit allows cybercriminals to impersonate organizations, launch attacks, and display spam content through legitimate sites. Despite continuous attempts to contact and notify over 1,000 organizations about their domain issues, only 2% have taken action to address the problem.

Subdomain takeover occurs when a domain is left open after deleting an Azure website, providing cybercriminals with a backdoor to create fraudulent sites. These sites appear legitimate since they are hosted on forgotten domains, putting users at risk of credential theft through simple deception. To take preventative measures, Keytos has developed an automated tool called EZMonitor which scans and identifies vulnerable subdomains using certificate transparency logs and checking the availability of Azure-hosted websites. In its first month, EZMonitor identified over 30,000 vulnerable domains, most of which are relatively high-profile organizations that many would think have sophisticated cybersecurity teams within their organizations.

Hardly anyone is aware of the scale and magnitude of this vulnerability. 85% of Fortune 500 companies are currently utilizing Microsoft Azure and are objectively at risk. Microsoft's attempts to address the issue, their solutions like Defender for App Service Dangling DNS detection have not fully resolved the problem, leaving many organizations unknowing vulnerable. Unfortunately, most organizations have not taken the threat seriously, ignoring warnings or only removing the DNS entry without addressing the underlying vulnerability.

These takeovers have severe implications and potential consequences, including the theft of login credentials, legitimizing false information, and distributing malware. End-Users are mostly helpless against these attacks, but they can encourage their organizations to take the issue seriously. Site owners, on the other hand, can take measures to protect themselves. These include implementing certificate transparency monitoring, removing dangling DNS entries, and using Certificate Authority Authorization (CAA) records.

Urgent action is needed to address this critical issue and safeguard domains and users. Keytos' automated scanning tool, EZMonitor, provides an effective means of identifying vulnerable subdomains. It is crucial for organizations to prioritize security and take proactive measures to mitigate this threat.

Want to see if your sites are secure? Keytos offers a free domain scanning tool to examine your organizations' certificates https://portal.ezmonitor.io/

SOURCE Keytos LLC

Keytos Uncovers 15,000 Vulnerable Subdomains per Month in Azure Using Cryptographic Certificates

The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

Thursday, June 15, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

Talos’ recent blog post on the dangers posed by the newly released “.zip” top-level domain (TLD) recently outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and other TLDs that share characters with filename extensions also opens the door to accidental information leaks.

But these are far from the first TLDs to be problematic for users, especially those who are less educated about the verbiage that makes the internet work as intended.

The same day .zip was released as a TLD for anyone to register, the Internet Corporation for Assigned Names and Numbers (ICANN) also made .mov available as a TLD. The tricks here are obvious — think of someone who would see a file named “WeddingVideo.mov” and just assume it was from their legitimate family member.

(As a side note, I very much want to own jon.dad now, as .dad is also a TLD released in this batch.)

Attackers have long used tricky URLs to lure victims, though. We’ve written several times about how typo-squatted domains are used in cyber attacks. This is when an adversary takes a legitimate URL like twitter.com and uses a slightly modified version to make it just close enough that it looks like the real thing, like tvitter\[.\]com or twltter\[.\]com. And there are a variety of ways any slight DNS misconfiguration (which goes beyond just typing the URL into a browser window) could lead to information leaks or phishing lures.

The ever-present .com is also a common TLD that gets used to stand up legitimate-looking names for actors.

As security researcher and content creator Bobby Rauch pointed out in this recent post on Medium, attackers have used legitimate websites to mask malicious URLs to avoid detection and suspicion from the target.

For example, they can insert the “@” operator in a website URL to send someone to a different website, even though it may look legitimate.

The URL https://google\[.\]com@bing\[.\]com actually takes the user to bing.com even though it looks like it will send them to Google initially. Regardless of the TLD used there, an attacker could leverage it to trick someone who isn’t savvy enough to examine each detail of a URL.

There are other TLDs that could easily be used in convincing phishing emails or lure documents: .media is a long-available TLD that could easily be worked into a seemingly legitimate-looking file, and I’m assuming I wasn’t the only person to ever assume that the .run TLD could double as a file extension for a Mac driver.

There are certain dangers that .zip and .mov URLs pose to users, but we’ve always known that everyone needs to quadruple-check the URL they plan on visiting. The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.

**The one big thing**

June’s Patch Tuesday is the first in a while in which Microsoft’s security updates didn’t include a warning against a zero-day vulnerability. Each of the previous four months included at least one issue that attackers were actively exploited in the wild. Still, Microsoft disclosed almost 70 vulnerabilities across its suite of software and hardware, including several that are “more likely” to be exploited. Cisco Talos specifically discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

**Why do I care?**

It’s certainly good news that there are no new zero-days included in this week’s Patch Tuesday — we’ve had enough of those already this year across all software manufacturers. But there are multiple vulnerabilities that are critical and have a very high severity score of 9.8 out of 10 that should be patched immediately.

**So now what?**

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. All Microsoft users should patch immediately or take appropriate mitigation steps as outlined in these advisories. Talos also released several Snort rules that can detect the exploitation of these vulnerabilities or block the attacker from taking malicious actions.

**Top security headlines of the week**

Progress Software released patches for several security vulnerabilities it discovered in its MOVEit file transfer software while researching a high-profile zero-day that has already led to multiple data breaches across the globe. The advisory for the new vulnerabilities states that they “could potentially be used by a bad actor to stage an exploit” but, currently, there is no evidence that they have been exploited in the wild. Security researchers have also published new proof of concept code to exploit CVE-2023-34362, the zero-day in MOVEit, which found that an attacker could exploit the issue to execute remote code on the targeted machine. It previously had only been identified as an SQL injection issue. Attackers have exploited CVE-2023-34362 to steal data from organizations using MOVEit, including the BBC, the Minnesota Department of Education and the Canadian province of Nova Scotia. (SecurityWeek, SC Media)

A group of high-profile American investors is reportedly considering purchasing assets belonging to NSO Group, the Israeli tech firm behind the infamous Pegasus spyware. The potential buyers include a financier who’s long been involved in Hollywood movies and a family member behind the Wrigley’s gum brand. Security experts and journalists have wondered about the financial status of NSO Group after it was added to the U.S. Department of Commerce’s list that bans the U.S. government and American companies from doing business with them. Meanwhile, the NSO Group has also reportedly been paying high-profile lobbying groups in D.C. to try and convince Congress to move the company from the banned list. The materials used by the lobbying groups reportedly state that the NSO Group’s software has a new “human rights governance compliance program.” (The Guardian, Haaretz)

America’s top cybersecurity official warned of the dangers of cyber attacks from Chinese state-sponsored actors, warning that critical infrastructure would become a key target in the event of a military conflict with China. Jen Easterly, speaking at an appearance at the Aspen Institute this week, said that China’s cyber espionage and offensive capabilities are an “epoch-defining threat.” Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said Chinese threat actors were also likely to carry out cyber attacks against American infrastructure, like oil pipelines and electrical grids, should the two countries ever get into a kinetic military conflict. National security experts have long warned about a U.S.-China conflict if China ever invaded Taiwan. "Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they're putting into it, it's going to be very, very difficult for us to prevent disruptions from happening," Easterly said. (CNBC, Reuters)

**Can’t get enough Talos?**

*   Talos Takes Ep. #142: Horabot is here to do "horable" things to your email inbox
*   The Need to Know: What does it mean when ransomware actors use “double extortion” tactics?
*   Vulnerability Spotlight: Two remote code execution vulnerabilities disclosed in Microsoft Excel
*   Threat Roundup for June 2 - 9
*   ThreatWise TV: Snort trends

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Tag

#microsoft