Cyber Security Month in Review: March 2023

Critical Outlook Flaw, OneNote being used by Emotet, Critical SAP Vulnerabilities, VEEAM Bugs, New NCSC Guidance, and CISA Advice.

Advice on How to Stay Cyber Secure

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

  • Critical Outlook Flaw
  • OneNote Used By Emotet
  • SAP Releases 5 Critical Vulnerabilities
  • VEEAM Bug Allows Hackers to Breach Backup Infrastructure
  • NCSC New Guidance on Supply Chain Mapping
  • CISA Advisory on Royal Ransomware

Welcome back to this month’s security in review. The world of security is always moving and evolving, with vulnerabilities, breaches and new guidance being released every day.

The volume and complexity of some of these can sometimes be overwhelming and difficult to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

Critical Outlook Flaw

Microsoft released a patch this month for a critical zero-day vulnerability that has been exploited in attacks since at least mid-April 2022. The vulnerability is a Microsoft Outlook issue that allows an attacker to steal NTLM credentials by sending a malicious email, with no user interaction required. The exploit occurs automatically when the email lands in a user’s inbox and the Outlook reminder is triggered, at which point Outlook establishes a connection to the attacker’s remote SMB server and sends the user’s NTLM negotiation message.

The attacker can then take these leaked hashes and attempt to recover the password from them, or replay them in NTLM relay attacks for further network access.

The vulnerability has a CVSS score of 9.8 and affects all versions of Microsoft Outlook for Windows. APT (Advanced Persistent Threat) groups such as the Russia-based ‘Fancy Bear’ (APT28) are believed to be involved. You can see a demonstration of the exploit in MDSec’s video below:

What Should I do?

For organisations using Microsoft Outlook for Windows, Microsoft has released a script that identifies indicators of exploitation. It can be found here: CVE-2023-23397 script – Microsoft – CSS-Exchange

Once the script has been run and any detected risk has been cleaned up, admins should ensure the latest Microsoft patch is applied. It can be found in the vulnerability advisory here: CVE-2023-23397 – Security Update Guide – Microsoft – Microsoft Outlook Elevation of Privilege Vulnerability.

However, additional evidence from other well-known security researchers, such as Will Dormann and Dominic Chell, indicates that systems with the above patch applied are still vulnerable to attackers on your LAN. As such, it is advised that admins also implement one (or both) of the mitigations below:

  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins.
    • Please note: this may impact applications that require NTLM; however, the settings will revert once the user is removed from the Protected Users group. Please see Protected Users Security Group for more information.

  • Block TCP 445/SMB outbound from your network using a perimeter firewall, a local firewall, and via your VPN settings. Doing this will prevent the sending of NTLM authentication messages to remote file shares.
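As an added example that is not part of the original article (nor Microsoft’s own CSS-Exchange script), the PowerShell below applies both mitigations on a domain-joined Windows host: it adds a list of high-value accounts to the Protected Users group and creates a local firewall rule blocking outbound TCP 445 to Internet addresses. The account names in `$HighValueUsers` are placeholders, and it assumes the ActiveDirectory (RSAT) and NetSecurity modules are available; the firewall rule covers only the local-firewall part of the mitigation, so the perimeter and VPN controls still need to be applied separately.

```powershell
# Added example (not from the article or Microsoft): applies the two
# CVE-2023-23397 mitigations described above on a domain-joined host.
# Assumptions: run as an administrator; RSAT ActiveDirectory and NetSecurity
# modules installed; $HighValueUsers contains placeholder account names.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module NetSecurity

# Placeholder SAM account names of high-value accounts (e.g. Domain Admins).
$HighValueUsers = @('placeholder.admin1', 'placeholder.admin2')

# Mitigation 1: Protected Users membership stops these accounts from
# authenticating with NTLM. Membership is reversible per user, so any impact
# on NTLM-dependent applications can be rolled back by removing the user.
foreach ($user in $HighValueUsers) {
    $account = Get-ADUser -Identity $user -ErrorAction SilentlyContinue
    if ($null -eq $account) {
        Write-Warning "Account '$user' not found; skipping."
        continue
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $account
    Write-Host "Added $user to Protected Users."
}

# Evidence the change: list current members of the group.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName

# Mitigation 2: block outbound SMB (TCP 445) to Internet addresses with the
# local Windows Defender Firewall, so Outlook cannot send an NTLM negotiation
# to an attacker-controlled file share. SMB to the local subnet still works,
# which is why the LAN exposure noted above also needs the patch.
$ruleName = 'Block outbound SMB (TCP 445) to Internet - CVE-2023-23397'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
}

# Confirm the rule exists and carries the expected port filter.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```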

OneNote being used by Emotet

Continuing with Microsoft, phishing attacks have increasingly used Microsoft OneNote attachments to bypass Microsoft’s security restrictions. This development has occurred because Microsoft now automatically blocks macros in downloaded Word and Excel documents, forcing attackers to look elsewhere for their delivery methods.

One such attack using OneNote attachments in its recent campaigns is the Emotet malware. Emotet is a malware botnet that has been one of the most widely distributed malware families, with interludes of inactivity. Commonly spotted distribution methods for the OneNote attachments include emails impersonating guides, how-tos, invoices, job references, etc.

With this newfound interest in OneNote, Microsoft quickly announced its intention to improve protection against malicious use of OneNote files by enhancing security when users open or download an embedded file in OneNote, showing a warning notification when the file in question is deemed dangerous. Microsoft has forecast that this functionality should be available by the end of April 2023.

What Should I do?

Whilst Microsoft’s protective measures can help against this kind of attack, they are not infallible, and attackers can still rely on users’ tendency to ignore such notifications. As such, you can give your users and systems a much better chance by either:

  • Blocking the OneNote document extension (.one) at your mail gateway/mail server.

  • Deploying a GPO template OneNote policy set to one of the following:
      • Disable embedded files: the most restrictive and more secure option, which prevents all embedded OneNote files from being launched.

      • Embedded files blocked extensions: a less restrictive option for those who may have a legitimate use for embedded OneNote files. This allows you to stop a specific list of file extensions from opening in a OneNote document.

You can find more information on the OneNote phishing format here: How to prevent Microsoft OneNote files from infecting Windows with malware (bleepingcomputer.com).  

SAP releases 5 critical vulnerabilities

Enterprise resource planning (ERP) and enterprise software vendor SAP identified an impressive 19 vulnerabilities across its products this month, five of which are rated ‘Hot News’ (Critical). Whilst the flaws cover a variety of its products, the critical vulnerabilities affect the ‘SAP Business Objects Business Intelligence platform (CMC)’ and ‘SAP NetWeaver’.

What Should I do?

As one of the largest ERP vendors in the world, SAP’s products can be seen by attackers as valuable entry points into business systems. You should therefore patch all affected products as soon as possible to mitigate this high risk.

Admins who use SAP products should visit the patch notes document for more detail and to identify the other products affected by this month’s findings.

VEEAM bug allows hackers to breach backup infrastructure 

It’s not just the live environment we have to worry about this month, as backup and DR provider VEEAM released a patch for a high-severity vulnerability affecting its Backup & Replication software. The vulnerability allows an unauthenticated attacker within the backup infrastructure network perimeter to obtain encrypted credentials stored in the VEEAM configuration database and use them to access the backup infrastructure hosts.

NCSC new guidance on Supply Chain Mapping

There have been some heavy-hitting vulnerabilities this month, further reinforced with some notable data breaches too (Acer and Ferrari, to name a couple). Thankfully, the NCSC released some more guidance to help businesses with their cyber security approach near the end of last month. 

The guidance helps businesses establish security in the supply chain and helps them to “understand the process of recording, storing and using information from suppliers”. Supply chain attacks have been, and continue to be, a significant security risk for organisations of all sizes, with attacks like the Okta breach showing that the attacker’s interest is not always in the business compromised, but sometimes in its customers instead!

What Should I do?

Make sure you have solutions and processes in place to track your supply chain and its associated risks. Setting up the process is the hardest part, but once implemented it can provide you with the security confidence needed to respond to incidents appropriately. You can find the detailed NCSC guidance here:

How to assess and gain confidence in your supply chain… – NCSC.GOV.UK

CISA advisory on Royal Ransomware 

CISA has released an advisory this month as part of its ongoing #StopRansomware effort, detailing the relatively recent ‘Royal’ ransomware variant seen since approximately September 2022. Using a custom file encryption program, the ‘Royal’ attackers establish network access, disable antivirus and exfiltrate large amounts of data before deploying the ransomware to encrypt systems and delivering the ransom demand.

The variant has compromised several organisations so far. It is reported that 67.7% of incidents gained initial access via phishing (using malicious PDF documents and malicious advertising in particular), with the second-largest vector being RDP compromise, making up 13.3%.

What Should I do?

The advisory below details the attack further, giving indicators of compromise (IOCs) in the form of known files, hashes and IP addresses. The advisory also adds mitigation recommendations which closely follow the NCSC ransomware guidance.

#StopRansomware: Royal Ransomware | CISA

A guide to ransomware – NCSC.GOV.UK

Conclusion

Plenty of incidents, mitigations, and guidance have been released this month to keep admins busy. Microsoft’s Outlook flaw and the OneNote phishing method stick out in particular, requiring quick remediation. Issues at other critical suppliers like SAP and VEEAM will also likely impact businesses and reinforce the supply chain guidance the NCSC has recently been alluding to.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month. Others such as Adobe’s ColdFusion zero-day, Fortinet’s unauthenticated RCE vuln, TPM 2.0’s flaw, and LastPass’s updated guidance for admins are examples of other updates you should be aware of and research. 

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts that help protect your business and keep you cyber aware! If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.