VULNERA Pulse

Android — Framework

CVE-2023-20963 / Added: April 13, 2023

HIGH CVSS 7.80

Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.

Headlines

• April 14, 2023 - Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
• April 14, 2023 - Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

Back to top ↑

Novi Survey — Novi Survey

CVE-2023-29492 / Added: April 13, 2023

CVSS Not Assigned

Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account.

Headlines

• April 14, 2023 - Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation

Back to top ↑

Microsoft — Windows

CVE-2023-28252 / Added: April 11, 2023

HIGH CVSS 7.80

Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation.

Headlines

• April 13, 2023 - S3 Ep130: Open the garage bay doors, HAL [Audio + Text]
• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 13, 2023 - Microsoft patches vulnerability used in Nokoyawa ransomware attacks
• April 12, 2023 - Why you should patch the Windows QueueJumper vulnerability immediately
• April 12, 2023 - Microsoft fixes a zero-day – and two curious bugs that take the Secure out of Secure Boot
• April 12, 2023 - Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
• April 12, 2023 - Critical Windows flaw has been exploited in ransomware attacks, so patch now
• April 12, 2023 - Microsoft Fixes Zero-Day Bug This Patch Tuesday
• April 12, 2023 - Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
• April 12, 2023 - Cybercrime group exploits Windows zero-day in ransomware attacks
• April 12, 2023 - Critical Patches Issued for Microsoft Products, April 11, 2023
• April 12, 2023 - Microsoft patches seven critical bugs
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Ransomware gangs are already exploiting this Windows bug
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - Windows zero-day vulnerability exploited in ransomware attacks
• April 11, 2023 - Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
• April 11, 2023 - April showers Windows updates on sysadmins
• April 11, 2023 - Microsoft Patches Another Already-Exploited Windows Zero-Day
• April 11, 2023 - CVE-2023-28252 zero-day vulnerability in CLFS
• April 11, 2023 - Nokoyawa ransomware attacks with Windows zero-day
• April 11, 2023 - Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws

Back to top ↑

Apple — Multiple Products

CVE-2023-28205 / Added: April 10, 2023

HIGH CVSS 8.80

Apple iOS, iPadOS, macOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content.

Headlines

• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Apple Patches Two Zero-Days Exploited in the Wild
• April 11, 2023 - Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
• April 11, 2023 - Apple released emergency updates to fix recently disclosed zero-day bugs on older devices
• April 11, 2023 - Apple's recent zero-days patch is now available for older devices
• April 11, 2023 - Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)
• April 11, 2023 - US government orders its workers to update their iPhones immediately
• April 10, 2023 - Apple patches exploited iOS and macOS zero-day flaws
• April 10, 2023 - Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads
• April 10, 2023 - Apple fixes recently disclosed zero-days on older iPhones and iPads
• April 10, 2023 - Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly
• April 10, 2023 - CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog
• April 10, 2023 - CISA orders govt agencies to update iPhones, Macs by May 1st
• April 10, 2023 - Apple just patched a pair of dangerous iOS and macOS security issues, so update now
• April 10, 2023 - CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
• April 8, 2023 - iOS 16.4.1—Update Now Warning Issued To All iPhone Users
• April 8, 2023 - Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari
• April 8, 2023 - Apple issues emergency patches for spyware-style 0-day exploits – update now!
• April 7, 2023 - Apple addressed two actively exploited zero-day flaws
• April 7, 2023 - Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days
• April 7, 2023 - Apple fixes two zero-days exploited to hack iPhones and Macs

Back to top ↑

Apple — iOS, iPadOS, and macOS

CVE-2023-28206 / Added: April 10, 2023

HIGH CVSS 8.60

Apple iOS, iPadOS, and macOS IOSurfaceAccelerator contain an out-of-bounds write vulnerability that allows an app to execute code with kernel privileges.

Headlines

• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Apple Patches Two Zero-Days Exploited in the Wild
• April 11, 2023 - Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
• April 11, 2023 - Apple released emergency updates to fix recently disclosed zero-day bugs on older devices
• April 11, 2023 - Apple's recent zero-days patch is now available for older devices
• April 11, 2023 - Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)
• April 11, 2023 - US government orders its workers to update their iPhones immediately
• April 10, 2023 - Apple patches exploited iOS and macOS zero-day flaws
• April 10, 2023 - Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads
• April 10, 2023 - Apple fixes recently disclosed zero-days on older iPhones and iPads
• April 10, 2023 - Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly
• April 10, 2023 - CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog
• April 10, 2023 - CISA orders govt agencies to update iPhones, Macs by May 1st
• April 10, 2023 - Apple just patched a pair of dangerous iOS and macOS security issues, so update now
• April 10, 2023 - CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
• April 8, 2023 - iOS 16.4.1—Update Now Warning Issued To All iPhone Users
• April 8, 2023 - Apple issues emergency patches for spyware-style 0-day exploits – update now!
• April 7, 2023 - Apple addressed two actively exploited zero-day flaws
• April 7, 2023 - Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days
• April 7, 2023 - Apple fixes two zero-days exploited to hack iPhones and Macs

Back to top ↑

CVE-2023-21554

CRITICAL CVSS 9.80

Remote Code Execution Public Exploits Available

Published: April 11, 2023

Microsoft Message Queuing Remote Code Execution Vulnerability

Quotes

• [T]hrough the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar
• We now know the attack vector sends packets to the service port 1801/tcp
• Aware of past instances of this type of vulnerability being exploited
• This vulnerability has a low complexity and uses a local attack vector, requiring only low privileges to exploit and no interaction from the user. It affects Windows Server versions from 2008 onward, as well as all versions of Windows 10
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• A specially crafted malicious MSMQ packet to a MSMQ server
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system
• Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity
• [This bug] allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications

Headlines

• April 14, 2023 - This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking
• April 12, 2023 - Why you should patch the Windows QueueJumper vulnerability immediately
• April 12, 2023 - Microsoft fixes a zero-day – and two curious bugs that take the Secure out of Secure Boot
• April 12, 2023 - Windows admins warned to patch critical MSMQ QueueJumper bug
• April 12, 2023 - Microsoft Fixes Zero-Day Bug This Patch Tuesday
• April 12, 2023 - Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
• April 12, 2023 - Microsoft patches seven critical bugs
• April 11, 2023 - Ransomware gangs are already exploiting this Windows bug
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
• April 11, 2023 - April showers Windows updates on sysadmins
• April 11, 2023 - Microsoft Patches Another Already-Exploited Windows Zero-Day

CVE-2023-28250

CRITICAL CVSS 9.80

Remote Code Execution

Published: April 11, 2023

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1607, Windows 10 1809, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows Server 2016, Windows 10 20h2, Windows Server 2008, Windows Server 2022, Windows 10 21h2, Windows 11 21h2, Windows 10 22h2, Windows Server 2019

Quotes

• We now know the attack vector sends packets to the service port 1801/tcp
• A specially crafted malicious MSMQ packet to a MSMQ server
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system
• Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity

Headlines

• April 12, 2023 - Why you should patch the Windows QueueJumper vulnerability immediately
• April 12, 2023 - Microsoft patches seven critical bugs
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
• April 11, 2023 - April showers Windows updates on sysadmins

CVE-2023-28205

HIGH CVSS 8.80

CISA Known Exploited

Published: April 10, 2023

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Vendor Impacted: Apple

Products Impacted: Iphone Os, Safari, Macos, Multiple Products, Ipados

Quotes

• Introduce malware and monitoring software onto devices
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• Apple is aware of a report that [these issues] may have been actively exploited
• Ironically, kernel-level bugs that rely on a booby-trapped app are often not much use on their own against iPhone or iPad users, because Apple’s strict App Store ‘walled garden’ rules make it hard for attackers to trick you installing a rogue app in the first place
• Apple is aware of a report that this issue may have been actively exploited
• Developed by a commercial cyber-surveillance company and sold to governments hackers to carry out targeted spyware attacks
• It is interesting that Amnesty International's Security Lab was one of the organizations involved in finding reporting the issue
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited
• Is aware of a report that this issue may have been actively exploited

Headlines

• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Apple Patches Two Zero-Days Exploited in the Wild
• April 11, 2023 - Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
• April 11, 2023 - Apple released emergency updates to fix recently disclosed zero-day bugs on older devices
• April 11, 2023 - Apple's recent zero-days patch is now available for older devices
• April 11, 2023 - Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)
• April 11, 2023 - US government orders its workers to update their iPhones immediately
• April 10, 2023 - Apple patches exploited iOS and macOS zero-day flaws
• April 10, 2023 - Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads
• April 10, 2023 - Apple fixes recently disclosed zero-days on older iPhones and iPads
• April 10, 2023 - Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly
• April 10, 2023 - CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog
• April 10, 2023 - CISA orders govt agencies to update iPhones, Macs by May 1st
• April 10, 2023 - Apple just patched a pair of dangerous iOS and macOS security issues, so update now
• April 10, 2023 - CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
• April 8, 2023 - iOS 16.4.1—Update Now Warning Issued To All iPhone Users

CVE-2023-28206

HIGH CVSS 8.60

CISA Known Exploited

Published: April 10, 2023

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Vendor Impacted: Apple

Products Impacted: Ios, Ipados, And Macos, Iphone Os, Ipados, Macos

Quotes

• Introduce malware and monitoring software onto devices
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• Apple is aware of a report that [these issues] may have been actively exploited
• Ironically, kernel-level bugs that rely on a booby-trapped app are often not much use on their own against iPhone or iPad users, because Apple’s strict App Store ‘walled garden’ rules make it hard for attackers to trick you installing a rogue app in the first place
• Apple is aware of a report that this issue may have been actively exploited
• Developed by a commercial cyber-surveillance company and sold to governments hackers to carry out targeted spyware attacks
• It is interesting that Amnesty International's Security Lab was one of the organizations involved in finding reporting the issue
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited
• Is aware of a report that this issue may have been actively exploited

Headlines

• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Apple Patches Two Zero-Days Exploited in the Wild
• April 11, 2023 - Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices
• April 11, 2023 - Apple released emergency updates to fix recently disclosed zero-day bugs on older devices
• April 11, 2023 - Apple's recent zero-days patch is now available for older devices
• April 11, 2023 - Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)
• April 11, 2023 - US government orders its workers to update their iPhones immediately
• April 10, 2023 - Apple patches exploited iOS and macOS zero-day flaws
• April 10, 2023 - Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads
• April 10, 2023 - Apple fixes recently disclosed zero-days on older iPhones and iPads
• April 10, 2023 - Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly
• April 10, 2023 - CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog
• April 10, 2023 - CISA orders govt agencies to update iPhones, Macs by May 1st
• April 10, 2023 - Apple just patched a pair of dangerous iOS and macOS security issues, so update now
• April 10, 2023 - CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required
• April 8, 2023 - iOS 16.4.1—Update Now Warning Issued To All iPhone Users

CVE-2023-28220

HIGH CVSS 8.10

Remote Code Execution

Published: April 11, 2023

Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1607, Windows 10 1809, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows Server 2016, Windows 10 20h2, Windows Server 2008, Windows Server 2022, Windows 10 21h2, Windows 11 21h2, Windows 10 22h2, Windows Server 2019

Quotes

• A specially crafted malicious MSMQ packet to a MSMQ server
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges

Headlines

• April 12, 2023 - Microsoft patches seven critical bugs
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Ransomware gangs are already exploiting this Windows bug
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - April showers Windows updates on sysadmins

CVE-2023-28219

HIGH CVSS 8.10

Remote Code Execution

Published: April 11, 2023

Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1607, Windows 10 1809, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows Server 2016, Windows 10 20h2, Windows Server 2008, Windows Server 2022, Windows 10 21h2, Windows 11 21h2, Windows 10 22h2, Windows Server 2019

Quotes

• A specially crafted malicious MSMQ packet to a MSMQ server
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges

Headlines

• April 12, 2023 - Microsoft patches seven critical bugs
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Ransomware gangs are already exploiting this Windows bug
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - April showers Windows updates on sysadmins

CVE-2023-28231

HIGH CVSS 8.00

Remote Code Execution

Published: April 11, 2023

DHCP Server Service Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2012, Windows Server 2016, Windows Server 2008, Windows Server 2022, Windows Server 2019

Quotes

• A specially crafted malicious MSMQ packet to a MSMQ server
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system

Headlines

• April 12, 2023 - Microsoft fixes a zero-day – and two curious bugs that take the Secure out of Secure Boot
• April 12, 2023 - Microsoft patches seven critical bugs
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - April showers Windows updates on sysadmins

CVE-2023-28252

HIGH CVSS 7.80

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware

Published: April 11, 2023

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1607, Windows 10 1809, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows Server 2016, Windows, Windows 10 20h2, Windows Server 2008, Windows Server 2022, Windows 10 21h2, Windows 11 21h2, Windows 10 22h2, Windows Server 2019

Quotes

• Wouldn’t it be nice if you could write the code, and then you could take it to any compliant compiler on any system, and the code would, within the limits of the system, behave the same
• Introduce malware and monitoring software onto devices
• Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development, and other industries
• We now know the attack vector sends packets to the service port 1801/tcp
• This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries
• Kaspersky researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions
• This vulnerability has a low complexity and uses a local attack vector, requiring only low privileges to exploit and no interaction from the user. It affects Windows Server versions from 2008 onward, as well as all versions of Windows 10
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• The discovered exploit uses the vulnerability to corrupt another specially crafted base log file object in a way that a fake element of the base log file gets treated as a real one
• A specially crafted malicious MSMQ packet to a MSMQ server
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system
• Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity
• [This bug] allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications
• Windows Common Log File System Driver Elevation Of Privilege Vulnerability

Headlines

• April 13, 2023 - S3 Ep130: Open the garage bay doors, HAL [Audio + Text]
• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 13, 2023 - Microsoft patches vulnerability used in Nokoyawa ransomware attacks
• April 12, 2023 - Why you should patch the Windows QueueJumper vulnerability immediately
• April 12, 2023 - Microsoft fixes a zero-day – and two curious bugs that take the Secure out of Secure Boot
• April 12, 2023 - Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
• April 12, 2023 - Critical Windows flaw has been exploited in ransomware attacks, so patch now
• April 12, 2023 - Microsoft Fixes Zero-Day Bug This Patch Tuesday
• April 12, 2023 - Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
• April 12, 2023 - Cybercrime group exploits Windows zero-day in ransomware attacks
• April 12, 2023 - Critical Patches Issued for Microsoft Products, April 11, 2023
• April 12, 2023 - Microsoft patches seven critical bugs
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Ransomware gangs are already exploiting this Windows bug
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - Windows zero-day vulnerability exploited in ransomware attacks
• April 11, 2023 - Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
• April 11, 2023 - April showers Windows updates on sysadmins
• April 11, 2023 - Microsoft Patches Another Already-Exploited Windows Zero-Day
• April 11, 2023 - CVE-2023-28252 zero-day vulnerability in CLFS
• April 11, 2023 - Nokoyawa ransomware attacks with Windows zero-day
• April 11, 2023 - Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws

CVE-2022-37969

HIGH CVSS 7.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 13, 2022

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 8.1, Windows 7, Windows 10, Windows Server 2012, Windows Server 2016, Windows, Windows Server 2008, Windows Server 2022, Windows 11, Windows Server 2019

Quotes

• Introduce malware and monitoring software onto devices
• Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development, and other industries
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system
• Kaspersky researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions
• Windows Common Log File System Driver Elevation Of Privilege Vulnerability

Headlines

• April 13, 2023 - Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
• April 13, 2023 - Microsoft patches vulnerability used in Nokoyawa ransomware attacks
• April 12, 2023 - Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
• April 12, 2023 - Microsoft (& Apple) Patch Tuesday, April 2023 Edition –
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities
• April 11, 2023 - Windows zero-day vulnerability exploited in ransomware attacks
• April 11, 2023 - Nokoyawa ransomware attacks with Windows zero-day

CVE-2013-3900

HIGH CVSS 7.60

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Dec. 11, 2013

The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

Vendor Impacted: Microsoft

Products Impacted: Windows 8.1, Windows Server 2003, Windows Server 2019, Windows 7, Windows 10, Windows Server 2012, Windows Server 2016, Windows Vista, Winverifytrust Function, Windows Server 2008, Windows Server 2022, Windows Xp, Windows 11, Windows Rt 8.1

Quotes

• On Windows, the attacker used DLL side-loading to achieve persistence for TAXHAUL malware. DLL side-loading triggered infected systems to execute the attacker’s malware within the context of legitimate Microsoft Windows binaries, reducing the likelihood of malware detection. The persistence mechanism also ensures the attacker malware is loaded at system start-up, enabling the attacker to retain remote access to the infected system over the internet
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system
• Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity
• Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus

Headlines

• April 12, 2023 - 3CX compromise: More details about the breach, new PWA app released
• April 12, 2023 - Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit
• April 11, 2023 - Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs
• April 11, 2023 - Microsoft patches zero-day exploited by attackers (CVE-2023-28252)
• April 11, 2023 - 3CX confirms North Korean hackers behind supply chain attack