Patch Tuesday overview.

FortiNet released 21 vulnerability advisories, Siemens and Schneider Electric patched 38 vulnerabilities, Adobe patches 56 vulnerabilities, Apple and Microsoft rolled out their latest security updates, and CISA has issued another round of advisories. 

Siemens and Schneider Electric patch security. 

SecurityWeek wrote on Patch Tuesday itself (April 11th) Siemens and Schnieder electric patch 38 vulnerabilities with Siemens patching “CVE-2023-28489, a critical vulnerability affecting Sicam A8000 series remote terminal units (RTUs), which are designed for telecontrol and automation in the energy supply sector.” and Schneider Electric released an advisory that “covers two critical and one-high severity vulnerabilities affecting APC and Schneider-branded Easy UPS online monitoring software.” It also reported on Adobe patches “for at least 56 security vulnerabilities in a wide range of products, some serious enough to expose Windows and macOS users to code execution attacks.” It listed that the patches affect critical level security flaws in Adobe Acrobat and Reader software, critical vulnerabilities in Adobe Digital Editions and Adobe inCopy, and 14 issues in Adobe Substance 3D Stager.

CISA releases vulnerability advisories. 

CISA released two industrial control systems advisories for FANUC ROBOGUIDE-HandlingPRO and Mitsubishi Electric Factory Automation Engineering Products, and a Fortinet vulnerability advisory explaining that “An attacker could exploit one of these vulnerabilities to take control of an affected system.” It also sent out alerts for three Mozilla security advisories regarding vulnerabilities fixed.

SAP security patches.

Onapsis reported on 24 SAP security patches writing “SAP Business Client now supports Chromium version 111.0.5563.65 which fixes seventy-one vulnerabilities in total, including two Critical and thirty-two High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.” The critical vulnerabilities are CVE-2023-27497 which affects Windows, and CVE-2023-27267 which affects all OSs running SAP. Onapsis recommends applying the patch immediately as “the vulnerability puts the complete SAP system landscape at high risk.”

21 FortiNet security advisories.

Lastly, FortiNet released 21 vulnerability advisories for various software across Windows and Mac platforms. Of the vulnerabilities, one is rated critical, and nine are rated high on the Common Vulnerability Scoring System. The critical rated vulnerability is “Unpassworded remotely accessible Redis & MongoDB” which FortiNet writes affects FortiPresence 1.2, FortiPresence 1.1 and FortiPresence 1.0. 

Common cyber criminals are using zero days now. 

CyberScoop reported that a recently discovered zero day has been patched by Microsoft on Tuesday. CyberScoop cites Boris Larin as writing “The use of a previously unknown software vulnerability is notable because zero-days had been primarily deployed by skilled nation-state threat groups,… cybercriminals (now) have the resources to acquire zero-days and routinely use them in attacks.” Microsoft assigned the vulnerability as CVE-2023-28252.

Microsoft security update.

Microsoft itself released a myriad of patches and security updates as noted in its “April 2023 Security Updates” post. It writes that “The new Hotpatching feature is now generally available.” adding “Hotpatching is a new way to install updates on supported Windows Server Azure Edition virtual machines (VMs) that doesn’t require a reboot after installation.” Microsoft continued by adding “In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.” Lastly Microsoft noted that users utilizing Windows 7, Windows 2008 R2, or Windows Server 2008 need to buy the Extended Security Update to receive security updates. 

Adam Barnett, Lead Software Engineer at Rapid7, wrote to offer some perspective on Microsoft's patching:

"Microsoft is offering fixes for 114 vulnerabilities for April 2023 Patch Tuesday. This month’s haul includes a single zero-day vulnerability, as well as seven critical Remote Code Execution (RCE) vulnerabilities. There is a strong focus on fixes for Windows OS this month.

"Over the last 18 months or so, Rapid7 has written several times about the prevalence of driver-based attacks. This month's sole zero-day vulnerability – a driver-based elevation of privilege – will only reinforce the popularity of the vector among threat actors. Successful exploitation of CVE-2023-28252 allows an attacker to obtain SYSTEM privileges via a vulnerability in the Windows Common Log File System (CLFS) driver. Microsoft has patched more than one similar CLFS driver vulnerability over the past year, including CVE-2023-23376 in February 2023 and CVE-2022-37969 in September 2022.

"Microsoft has released patches for the zero-day vulnerability CVE-2023-28252 for all current versions of Windows. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation and is aware of functional exploit code. The assigned base CVSSv3 score of 7.8 lands this vulnerability near the top of the High severity range, which is expected since it gives complete control of an asset, but a remote attacker must first find some other method to access the target.

"April 2023 also sees 45 separate Remote Code Execution (RCE) vulnerabilities patched, which is a significant uptick from the average of 33 per month over the past three months. Microsoft rates seven of this month’s RCE vulnerabilities as Critical, including two related vulnerabilities with a CVSSv3 base score of 9.8. CVE-2023-28250 describes a vulnerability in Windows Pragmatic General Multicast (PGM) which allows an attacker to achieve RCE by sending a specially crafted file over the network. CVE-2023-21554 allows an attacker to achieve RCE by sending a specially crafted Microsoft Messaging Queue packet. In both cases, the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable. The Message Queueing Service is not typically installed by default."

(Added, 4:15 PM ET, April 12th, 2023. we received two comments specifically addressing Microsoft's fix for CVE-2023-28252, a vulnerability that had been exploited in ransomware attacks. Christopher Peacock, Principal Detection Engineer at SCYTHE, wrote,“This type of activity proves ransomware actors can develop or procure unknown exploits. A zero-day makes placing one piece of a puzzle easier for the adversary and more complicated for defenders to detect. It's, therefore, necessary for organizations to have holistic defense in depth for all the pieces in the puzzle.” And Jan Lovmand, CTO of BullWall, commented on the speed with which such exploitation is accomplished. “Cybercriminals are quicker to exploit zero day vulnerabilities than companies are at deploying patches. The average time to patch these vulnerabilities is more than 60 days for the average enterprise. Once the zero-day fix is announced, cybercriminals know precisely what the vulnerability is and work overtime to write exploits specifically for this," Lovmand wrote. “If companies think they can prevent every attack, they are mistaken. It is simply a matter of time before a new ransomware variant hits that catches the endpoint security stack by surprise or when a threat actor finds that one lone system on your network that hasn't been patched. To protect against zero-day attacks, companies must be keeping their systems up to date with the latest security patches, use strong and complex passwords, implement MFA, maintain regular backups of critical data and they should consider implementing a rapid containment strategy. Ransomware Containment tools are becoming a critical part of this overall strategy.”)

(Added, 4:30 PM ET, April 12th, 2023. Concerning the exploitation of CVE-2-23-28252 to deliver Nokoyawa ransomware, we heard from Halcyon's CEO and co-founder, Jon Miller. He thinks that this exploit showed a notable advance in cunning, resourcefulness, and sophistication on the criminals' part:

"The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in nation-state operations.

"Ransomware attacks used to be clumsier and more random, basically, a numbers game where massive email spam campaigns or drive-by watering hole attacks were designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin. However, those were the halcyon days.

"It is highly unusual to see ransomware gangs using zero-day exploits targeting vulnerabilities in Windows, as these exploits are highly valuable to attackers and usually leveraged in nation-state operations as opposed to cybercriminal attacks.

"Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019, for which patches were already available. Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

"For many of these vulnerabilities, exploits have been available for quite some time. And in many cases, the exploits have been built into toolkits and largely automated. This is why we have seen an increase in more sophisticated attack sequences in ransomware attacks. However, the use of zero-days of this caliber is almost unprecedented.

"The Nokoyawa ransomware family bears a striking resemblance to the Hive ransomware that was first observed in June of 2021 and is responsible for some major disruptions that impacted COVID-19 responses, including an attack on a hospital that delayed care for patients.

"In July of 2022, the FBI penetrated the Hive network and provided decryption keys to victims worldwide, which has diminished the effectiveness of Hive operations, but Nokoyawa could be the group's successor. According to the FBI, Hive claimed more than 1,500 victims who were extorted for more than $100 million in ransom payments as of November 2022 and were one of the most active of all observed attack groups in 2022.Organizations with the right controls in place stand the best chance of disrupting these attacks at initial ingress when these known exploits are likely to be used or when the attackers begin to move laterally on the network and seek to escalate privileges.

"The ransomware payload is the very tail-end of a longer attack. Thus, a multi-layer defense strategy designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.")

Apple Security Updates

CISA released an alert on Tuesday showing that Apple had released six security updates affecting iOS 15.7.5 and iPADOS 15.7.5 as well as macOS Monterey 12.6.5, macOS Big Sur 11.7.6, Safari 16.4.1, iOS 16.4.1 and iPADOS 16.4.1, and finally macOS Ventura 1..3.1.