MA-957.072023: MyCERT Advisory - Microsoft Releases July 2023 Security Updates
1.0 Introduction
Recently, Microsoft released updates to address multiple vulnerabilities in Microsoft software. The most serious of them is CVE-2023-36884, a remote code execution (RCE) vulnerability in Office and Windows HTML, for which this release provides no patch; Microsoft has published mitigations instead (see Section 4.0). Microsoft identified a threat group it tracks as Storm-0978 exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.
Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.
2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system. Microsoft's July security update contains fixes for 130 unique vulnerabilities, five of which are already being actively exploited in the wild.
Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.
The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.
3.0 Affected Products
- Windows 10, version 21H2 and Windows 10, version 22H2
- Windows 10, version 1809, and Windows Server 2019
- Windows Server 2022
- Windows 11, version 21H2
- Windows 11, version 22H2
- Windows Server 2008 (Monthly Rollup)
- Windows Server 2008 R2 (Security-only update)
- Windows Server 2008 (Security-only update)
- Windows Server 2008 R2 (Monthly Rollup)
4.0 Recommendations
Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operations.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection is enabled for users, with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
- Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  - Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket’s WMIexec.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Use advanced protection against ransomware
  - Block all Office applications from creating child processes
CVE-2023-36884-specific recommendations
- Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
- In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
- In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
- Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
- No OS restart is required, but restarting the applications for which the registry key was added is recommended, in case the value was already queried and is cached.
- Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. For this reason, test before deploying widely. To disable the mitigation, delete the registry key or set it to “0”.
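As an added example (not part of Microsoft's or MyCERT's text), the following PowerShell applies the registry mitigation on a single host, reads it back to confirm it took effect, and can remove it again with -Disable. The key path and the per-application value names are those published in Microsoft's mitigation guidance for CVE-2023-36884 (each application is a REG_DWORD set to 1); check them against the current advisory before deploying, and run the script from an elevated session.

```powershell
# Added example: apply, verify or remove the CVE-2023-36884 registry mitigation
# on one Windows host. Run from an elevated PowerShell session and test in a
# pilot group first, since the advisory notes it can affect some Office workflows.
[CmdletBinding()]
param(
    [switch]$Disable   # remove the mitigation instead of applying it
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Per-application values named in Microsoft's mitigation guidance for this CVE;
# check the current advisory in case the list has changed.
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

if ($Disable) {
    # Deleting the key (or setting each value to 0) turns the mitigation off again.
    if (Test-Path -Path $KeyPath) {
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Host "Removed $KeyPath"
    } else {
        Write-Host 'Mitigation key not present; nothing to remove.'
    }
    return
}

# Create the key (and any missing parent keys), then set REG_DWORD 1 per application.
New-Item -Path $KeyPath -Force | Out-Null
foreach ($app in $Apps) {
    New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the values back so the result is verified rather than assumed.
$current = Get-ItemProperty -Path $KeyPath
foreach ($app in $Apps) {
    $prop  = $current.PSObject.Properties[$app]
    $state = if ($null -ne $prop -and $prop.Value -eq 1) { 'OK' } else { 'MISSING' }
    Write-Host ('{0,-15} {1}' -f $app, $state)
}
Write-Host 'No reboot needed; restart the listed Office applications so the new value is read.'
```

Run it once per host (or wrap it in your configuration-management tooling); a MISSING line in the read-back means the mitigation is not in effect for that application. The read-back matters because Group Policy or another management agent may later overwrite or delete policy keys under HKLM\SOFTWARE\Policies.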
MyCERT encourages users and administrators to review Microsoft’s July 2023 Security Update Guide and Deployment Information and apply the necessary updates.
Kindly refer to the following URLs:
- https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
- https://msrc.microsoft.com/update-guide/deployments
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-956.072023: MyCERT Advisory - CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online
1.0 Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.
2.0 Impact
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
3.0 Technical Details
In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppId and AppId in M365 audit logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.
Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse. Microsoft determined that this activity was part of a campaign targeting multiple organizations (all of which have been notified by Microsoft). [1]
The affected FCEB agency identified the suspicious activity by leveraging enhanced logging, specifically of MailItemsAccessed events, together with an established baseline of normal Outlook activity (e.g., expected AppId values). The MailItemsAccessed event enables detection of adversarial activity that is otherwise difficult to detect.
CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
4.0 Recommendations
MyCERT strongly encourages critical infrastructure organizations to ensure audit logging is enabled.
In addition to enabling audit logging, MyCERT strongly encourages organizations to:
- Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
- Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
- Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
- Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.
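As an added example (not part of the CISA or MyCERT text), the following PowerShell reproduces the approach described in Section 3.0: pull MailItemsAccessed records from the unified audit log, summarise which AppIds touch mailboxes so a baseline can be built, then list the records whose AppId falls outside that baseline. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, Purview Audit (Premium) licensing so that MailItemsAccessed is recorded for the mailboxes in scope, and a baseline list that you populate yourself; the two GUIDs shown are placeholders, not real application IDs.

```powershell
# Added example: hunt MailItemsAccessed records whose AppId is outside the
# organisation's baseline, the signal described in Section 3.0 above.
# Assumes: ExchangeOnlineManagement module, an account allowed to search the
# unified audit log, and Purview Audit (Premium) licensing so that
# MailItemsAccessed is recorded for the mailboxes in scope.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Baseline: AppIds that normally access mailbox items in YOUR tenant.
# The two GUIDs below are placeholders (assumption), not real application IDs;
# build the real list from a period of known-good activity using the summary step.
$BaselineAppIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002',
    '(none)'    # records carrying no AppId at all; keep only if that is normal for you
)

$End   = Get-Date
$Start = $End.AddDays(-7)

# Search-UnifiedAuditLog returns at most 5000 records per call; reusing the same
# SessionId with ReturnLargeSet pages through up to 50,000 records.
$SessionId = 'MailItemsAccessed-' + [guid]::NewGuid().ToString()
$Records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    if ($page) { $Records += $page }
} while (@($page).Count -eq 5000)

# AuditData is a JSON string; extract the fields this hunt needs.
$Parsed = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time        = $d.CreationTime
        Mailbox     = $d.MailboxOwnerUPN
        AppId       = if ($d.AppId) { $d.AppId } else { '(none)' }
        ClientAppId = $d.ClientAppId
        ClientIP    = $d.ClientIPAddress
        Client      = $d.ClientInfoString
    }
}

# Step 1: summarise which AppIds access mailboxes; this is how the baseline is built and refreshed.
$Parsed | Group-Object AppId | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'AppId'; e = { $_.Name } } | Format-Table -AutoSize

# Step 2: records outside the baseline are what the FCEB agency treated as suspicious.
$Outliers = $Parsed | Where-Object { $_.AppId -notin $BaselineAppIds }
$Outliers | Sort-Object Time | Format-Table -AutoSize
$Outliers | Export-Csv -Path .\mailitemsaccessed-outliers.csv -NoTypeInformation
```

Two caveats worth knowing before relying on this: MailItemsAccessed is throttled, so once a mailbox generates more than 1,000 bind records within 24 hours Exchange Online stops recording further bind events for that mailbox for the rest of that period, and sync-type access is logged per folder rather than per item. An absence of outliers is therefore not proof that no unexpected access occurred; the summary in step 1 should be re-run regularly so the baseline tracks legitimate changes in client usage.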
All mitigation actions for this activity are the responsibility of Microsoft, because the affected infrastructure is cloud-based; however, MyCERT recommends that critical infrastructure organizations implement the following to harden their cloud environments. Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments.
- Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
- Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems.
- Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities.
- Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
- Security controls the customer deems appropriate.
- Appropriate monitoring and logging of provider-managed customer systems.
- Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
- Notification of confirmed or suspected activity.
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
Kindly refer to the following URL for more information: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
- https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
- https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/
- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
MA-955.072023: MyCERT Advisory - Fortinet Releases Security Update for FortiOS and FortiProxy
1.0 Introduction
Recently, Fortinet released a security update to address a critical vulnerability (CVE-2023-33308) affecting FortiOS and FortiProxy.
2.0 Impact
A remote attacker can exploit this vulnerability to take control of an affected system.
3.0 Affected Products
FortiOS and FortiProxy
4.0 Recommendations
MyCERT encourages users and administrators to review the Fortinet security release FG-IR-23-183 and apply the necessary updates.
Kindly refer to https://www.fortiguard.com/psirt/FG-IR-23-183
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
https://www.fortiguard.com/psirt/FG-IR-23-183
MA-951.062023: MyCERT Alert - WhatsappPink Malicious Fake Update Message
1.0 Introduction
Recently, MyCERT became aware of a malware campaign targeting Android users through messages circulating on WhatsApp and other major messaging platforms that promise a new color theme for WhatsApp.
Disguised as an official update for the chat app, the “WhatsApp Pink” theme is in reality a variant of a wormable malware that spreads through WhatsApp and lures the prospective victims into downloading an app from a website masquerading as Google Play.
WhatsApp Pink is an updated version of the WhatsApp auto-reply worm that surfaced in January 2021. It seems to have been first spotted in India, where it was shared in various massive chat groups on popular instant messaging services. The Trojan’s updated version doesn’t auto-reply just to WhatsApp messages, but also to messages received on other instant messaging apps, which could be the reason for its apparent wider spread.

Figure 1: Screenshot from WhatsApp message stating “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp”. Upon clicking the link, WhatsappPink.apk is downloaded.
2.0 Impact
The Trojan, identified by ESET products as Android/Spams.V, automatically replies to messages received in apps such as WhatsApp, WhatsApp Business, Signal, Skype, Viber, Telegram, and various unofficial third-party versions of WhatsApp, with a link to a website from which the Trojan itself can be downloaded.
In general, below are some possible impacts of installing unofficial applications on your device:
- Misuse of contact numbers and pictures saved on the device
- Financial loss
- Misuse of your credentials
- Loss of control over your device
- Spam messages
3.0 Affected System and Devices
Android mobile devices.
4.0 Technical Details
Installing the downloaded APK didn’t show any visible suspicious behaviour, but analysing the app statically showed that the app looks for notifications from a predefined list of applications, including Viber, Telegram, WhatsApp, Skype etc., and auto responds to the sender with the reply “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp” for them to download the app, spreading like a worm. Unfortunately the link in the message was down at the time of writing this alert.
The predefined list of chat apps is as shown in Figure 2.
Figure 2: Apps list hardcoded in the fake app
Chat apps in the list are:
- com.viber.voip
- com.skype.raider
- com.skype.insiders
- org.thoughtcrime.securesms
- com.whatsapp.w4b
- com.whatsapp
- org.telegram.messenger
- com.gbwhatsapp
- com.whatsapp.plus
- com.og.whatsapp
- com.yowhatsapp
- com.retro.whatsweb
- com.FmWhatsApp
The app also confirms that it has permission to listen to notifications, either by verifying that it is listed under “enabled_notification_listeners” or by requesting the permission, as shown in Figure 3 and Figure 4.
Figure 3: Verification of notification listener permission
Figure 4: Request for notification listener permission
Once the service is listed as a notification listener, it starts and keeps monitoring for posted notifications. For each notification, the app checks whether it belongs to one of the apps in the predefined list; if so, it collects the sender's phone number, as shown in Figure 5.
Figure 5: Collecting the phone number from notifications
It then auto-replies to that phone number using sendReply, as shown in Figure 6.
Figure 6: Sending auto reply to the notifications
Random_Message is the string variable that carries the message and the link to download the malicious WhatsApp app.
We also noted that the malware author has not suppressed notifications or messages from those chat apps; instead, the spam message auto-sent via notifications is visible to the user in the chat screen with the sender. This suggests that the app could still be under development, or that this is just the start of an attack, as the app only auto-replies to notifications and no other malicious activity had been identified at the time of writing.
This attack is not new; however, users keep falling prey to it out of curiosity and an eagerness to try the latest trend first.
5.0 Indicators Of Compromise (IOCs)
File Name | Hash (MD5) | K7 Detection Name
WhatsappPInk.apk | 9a902d186c948e72af6b269862c27055 | Trojan ( 0057b1c11 )
WhatsappPInk.apk | e1870d613d54239e8fb5f09b6a4e880d | Trojan ( 0057b20e1 )
WhatsappPInk.apk | 90cfcde60b6cd57a2e9b2047cff51fb7 | Trojan ( 0057b20e1 )
URLs
hxxp[://lookpink.xyz/?whatsapp
hxxp[://whatsapp.profileviewz.com/?whatsapp
hxxp[://whatsapp.wwwy.xyz/?pinklook
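As an added example (not from the original alert or the K7 analysis it draws on), the following PowerShell uses adb to check a connected Android device for the access this malware depends on and for the hashes listed above: it enumerates which packages hold notification-listener access, flags any not on an allowlist you maintain (the single entry shown is an assumption), pulls their APKs and compares the MD5 with the IOC table. It assumes Android platform-tools on the PATH and a device with USB debugging enabled and authorised.

```powershell
# Added example: triage an Android device over adb for the technique in
# Section 4.0 (notification-listener abuse) and the IOCs in Section 5.0.
# Assumes: Android platform-tools (adb) on PATH, USB debugging enabled, the
# device authorised, and a package allowlist you maintain (assumption below).
if ((& adb get-state 2>$null) -notmatch 'device') {
    throw 'No Android device in the adb "device" state.'
}

# Packages expected to hold notification-listener access on your fleet (assumption).
$KnownGoodListeners = @('com.android.systemui')

# MD5 hashes from the IOC table above.
$IocMd5 = @(
    '9a902d186c948e72af6b269862c27055',
    'e1870d613d54239e8fb5f09b6a4e880d',
    '90cfcde60b6cd57a2e9b2047cff51fb7'
)

# 1. Who can read notifications? The worm needs this access to see chat
#    notifications and auto-reply to them. The setting is a colon-separated
#    list of component names, e.g. "com.foo/com.foo.ListenerSvc:com.bar/...".
$raw = ((& adb shell settings get secure enabled_notification_listeners) -join '').Trim()
$listeners = if ($raw -and $raw -ne 'null') { $raw -split ':' } else { @() }

$suspects = foreach ($component in $listeners) {
    $pkg = ($component -split '/')[0]
    if ($pkg -notin $KnownGoodListeners) { $pkg }
}
if (-not $suspects) { Write-Host 'No unexpected notification listeners.'; return }

# 2. Pull each unexpected listener's APK(s) and compare the MD5 with the IOCs.
$out = Join-Path $env:TEMP 'apk-triage'
New-Item -ItemType Directory -Path $out -Force | Out-Null

foreach ($pkg in ($suspects | Sort-Object -Unique)) {
    # "pm path" prints one line per APK: "package:/data/app/<...>/base.apk"
    $paths = (& adb shell pm path $pkg) |
        ForEach-Object { ($_ -replace '^package:', '').Trim() } |
        Where-Object { $_ }
    foreach ($remote in $paths) {
        $local = Join-Path $out ('{0}-{1}' -f $pkg, (Split-Path $remote -Leaf))
        & adb pull $remote $local | Out-Null
        $md5 = (Get-FileHash -Algorithm MD5 -Path $local).Hash.ToLower()
        $verdict = if ($md5 -in $IocMd5) { 'MATCHES IOC' } else { 'no IOC match; review manually' }
        Write-Host ("{0}`n  apk: {1}`n  md5: {2} -> {3}" -f $pkg, $remote, $md5, $verdict)
    }
}
```

Two points of interpretation: hash IOCs are brittle, since a repacked APK has a different MD5, so an unexpected notification listener that does not match is still worth reviewing by hand; and the package names in Figure 2 are the apps the worm replies through, not the malware itself, so they must not be used as a detection list.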
6.0 Recommendations
If you downloaded “WhatsApp Pink” you can either remove it through Settings and the App Manager submenu or install a full-featured Android security solution that will scan your device and remove it automatically.
By way of prevention, there are several steps you can take to mitigate the chances of falling victim to similar schemes in the future:
- Never click on links or attachments that you received via an unsolicited message or from someone you don’t know
- Only download apps from official app stores, since they have rigorous approval processes in place
- Always use a reputable mobile security solution
- Be wary of what kinds of permissions you grant to applications
Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
7.0 References
- https://twitter.com/MCMC_RASMI/status/1673496461462638592
- https://www.welivesecurity.com/2021/04/20/whatsapp-pink-watch-out-fake-update/
- https://www.welivesecurity.com/2021/01/26/wormable-android-malware-spreads-whatsapp-messages/
- https://www.androidheadlines.com/2023/06/whatsapp-malware-scam-pink-whatsapp-security-issues.html
- https://indianexpress.com/article/technology/tech-news-technology/what-is-whatsapp-pink-how-to-stay-safe-uninstall-whatsapp-pink-8686717/
- https://soyacincau.com/2023/06/27/what-is-pink-whatsapp-and-why-you-shouldnt-download-it-on-your-phone/
- https://labs.k7computing.com/index.php/never-ink-the-new-whatsapppink/
- https://twitter.com/androidmalware2/status/1672954200278401027?s=12&t=kRN4EjFob62Y9sG7arehOw
MA-954.072023: MyCERT Advisory - Mozilla Releases Security Update for Firefox and Firefox ESR
1.0 Introduction
Recently, Mozilla has released a security update to address a vulnerability in Firefox and Firefox ESR.
2.0 Impact
An attacker could exploit this vulnerability to take control of an affected system.
3.0 Affected Products
Mozilla Firefox and Firefox ESR.
4.0 Recommendations
MyCERT encourages users and administrators to review Mozilla Security Advisory MFSA 2023-26 and apply the necessary update.
Kindly refer to https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
MA-953.072023: MyCERT Advisory - Adobe Releases Security Updates for ColdFusion and InDesign
1.0 Introduction
Recently, Adobe has released security updates to address vulnerabilities affecting ColdFusion and InDesign.
2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.
3.0 Affected Products
- Adobe ColdFusion
- Adobe InDesign
4.0 Recommendations
MyCERT encourages users and administrators to review the Adobe security releases APSB23-38 and APSB23-40 and apply the necessary updates.
Kindly refer to the following URLs:
- https://helpx.adobe.com/security/products/indesign/apsb23-38.html
- https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-952.072023: MyCERT Advisory - CISA Releases Four Industrial Control Systems Advisories
1.0 Introduction
On July 11, 2023, CISA released four Industrial Control Systems (ICS) advisories.
2.0 Impact
These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
3.0 Affected Products
- ICSA-23-192-01 Rockwell Automation Enhanced HIM
- ICSA-23-192-02 Sensormatic Electronics iSTAR
- ICSA-23-192-03 Panasonic Control FPWin Pro7
- ICSA-23-180-04 Mitsubishi Electric MELSEC-F Series (Update A)
4.0 Recommendations
MyCERT encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
Kindly refer to the following URLs:
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-02
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-03
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References