VULNERA Pulse

Microsoft — Exchange Server

CVE-2024-21410 / Added: Feb. 15, 2024

CRITICAL CVSS 9.80 EPSS Score 0.71 EPSS Percentile 79.90

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Headlines

• Feb. 16, 2024 - Microsoft fixes two zero-days with Patch Tuesday release
• Feb. 16, 2024 - CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
• Feb. 16, 2024 - CISA Warns of Active Exploitation Cisco and Microsoft Exchange Vulnerability
• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - Microsoft Warns of Exploited Exchange Server Zero-Day
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 15, 2024 - CVE-2024-21410 (CVSS 9.8): Microsoft Exchange Server Flaw is Actively Exploited
• Feb. 14, 2024 - Microsoft: New critical Exchange bug exploited as zero-day
• Feb. 14, 2024 - Microsoft Exchange update enables Extended Protection by default
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - February’s Patch Tuesday treats customers to 72 patches
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

Back to top ↑

Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

CVE-2020-3259 / Added: Feb. 15, 2024

HIGH CVSS 7.50 EPSS Score 1.93 EPSS Percentile 88.24

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

Headlines

• Feb. 16, 2024 - CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
• Feb. 16, 2024 - CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
• Feb. 16, 2024 - CISA Warns of Active Exploitation Cisco and Microsoft Exchange Vulnerability
• Feb. 8, 2024 - Akira, LockBit actively searching for vulnerable Cisco ASA devices
• Feb. 2, 2024 - The Week in Ransomware - February 2nd 2024 - No honor among thieves
• Jan. 31, 2024 - Akira ransomware attacks linked to Cisco vuln fixed in 2020

Back to top ↑

Microsoft — Windows

CVE-2024-21412 / Added: Feb. 13, 2024

HIGH CVSS 8.10 EPSS Score 1.01 EPSS Percentile 83.23

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Headlines

• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 14, 2024 - Water Hydra’s Zero-Day Attack Chain Targets Financial Traders
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
• Feb. 14, 2024 - DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 14, 2024 - Urgent: Water Hydra Exploits Zero-Day to Target Traders
• Feb. 14, 2024 - CVE-2024-21351 & CVE-2024-21412: Two 0-days flaws in Microsoft February 2024 Patch Tuesday
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Hackers used new Windows Defender zero-day to drop DarkMe malware
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)
• Feb. 13, 2024 - Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
• Feb. 13, 2024 - Critical Patches Issued for Microsoft Products, February 13, 2024

Back to top ↑

Microsoft — Windows

CVE-2024-21351 / Added: Feb. 13, 2024

HIGH CVSS 7.60 EPSS Score 0.57 EPSS Percentile 77.15

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

Headlines

• Feb. 16, 2024 - Microsoft fixes two zero-days with Patch Tuesday release
• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 14, 2024 - CVE-2024-21351 & CVE-2024-21412: Two 0-days flaws in Microsoft February 2024 Patch Tuesday
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)
• Feb. 13, 2024 - Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
• Feb. 13, 2024 - First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities
• Feb. 13, 2024 - Critical Patches Issued for Microsoft Products, February 13, 2024

Back to top ↑

Roundcube — Webmail

CVE-2023-43770 / Added: Feb. 12, 2024

MEDIUM CVSS 6.10 EPSS Score 11.47 EPSS Percentile 95.06

Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.

Headlines

• Feb. 13, 2024 - CISA Warns of Roundcube Webmail Vulnerability Exploitation
• Feb. 13, 2024 - Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
• Feb. 13, 2024 - Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now
• Feb. 12, 2024 - CISA: Roundcube email server bug now exploited in attacks
• Feb. 12, 2024 - CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog
• Feb. 12, 2024 - CISA warns of actively exploited' flaw in Roundcube Webmail (CVE-2023-43770)

Back to top ↑

CVE-2024-21410

CRITICAL CVSS 9.80 EPSS Score 0.71 EPSS Percentile 79.90

CISA Known Exploited Actively Exploited

Published: Feb. 13, 2024

Microsoft Exchange Server Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Exchange Server

Quotes

• Could lead to the attacker gaining the ability to interact with other tenant’s applications and content
• We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers
• The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen
• The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf
• This will happen when running the GUI version of Setup and when running the command line version of Setup without using either the /DoNotEnableEP or /DoNotEnableEPFEEWS setup switch to opt out
• The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly
• ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data
• An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server
• Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru)

Headlines

• Feb. 16, 2024 - Microsoft fixes two zero-days with Patch Tuesday release
• Feb. 16, 2024 - CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
• Feb. 16, 2024 - CISA Warns of Active Exploitation Cisco and Microsoft Exchange Vulnerability
• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - Microsoft Warns of Exploited Exchange Server Zero-Day
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 15, 2024 - CVE-2024-21410 (CVSS 9.8): Microsoft Exchange Server Flaw is Actively Exploited
• Feb. 14, 2024 - Microsoft: New critical Exchange bug exploited as zero-day
• Feb. 14, 2024 - Microsoft Exchange update enables Extended Protection by default
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - February’s Patch Tuesday treats customers to 72 patches
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

CVE-2024-21413

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 37.34

Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 13, 2024

Microsoft Outlook Remote Code Execution Vulnerability

Quotes

• Could lead to the attacker gaining the ability to interact with other tenant’s applications and content
• We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers
• The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen
• An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality
• Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode
• In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly
• An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf
• ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data
• Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru)

Headlines

• Feb. 16, 2024 - Microsoft fixes two zero-days with Patch Tuesday release
• Feb. 16, 2024 - PoC Exploit Released for Microsoft Outlook RCE Flaw - CVE-2024-21413
• Feb. 15, 2024 - Microsoft Warns of Exploited Exchange Server Zero-Day
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 14, 2024 - Microsoft: New critical Exchange bug exploited as zero-day
• Feb. 14, 2024 - Microsoft Warns of Outlook RCE Flaw - #MonikerLink Bug (CVE-2024-21413)
• Feb. 14, 2024 - Microsoft Warns of 'In the Wild' Outlook Attack - #MonikerLink Bug (CVE-2024-21413)
• Feb. 14, 2024 - New critical Microsoft Outlook RCE bug is trivial to exploit
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 97.30 EPSS Percentile 99.85

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Policy Secure, Connect Secure

Quotes

• Previously unknown and interesting backdoor
• I don't see how Ivanti survives as an enterprise firewall brand
• We initially flagged the code in question during our internal review
• Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020
• So far, we have only been seeing payloads similar to the original proof-of-concept (PoC) [exploit] published by watchTowr

Headlines

• Feb. 16, 2024 - New Ivanti Vulnerability Observed as Widespread Security Concerns Grow
• Feb. 15, 2024 - Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
• Feb. 15, 2024 - Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
• Feb. 13, 2024 - Ivanti Gets Poor Marks for Cyber Incident Response
• Feb. 13, 2024 - Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)
• Feb. 12, 2024 - Fortinet, Ivanti Keep Customers Busy With Yet More Critical Bugs

CVE-2023-36025

HIGH CVSS 8.80 EPSS Score 0.79 EPSS Percentile 80.94

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 14, 2023

Windows SmartScreen Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows, Windows Server 2022, Windows Server 2008, Windows 11 23h2, Windows Server 2019, Windows Server 2012, Windows 11 22h2, Windows 10 1809, Windows 11 21h2, Windows 10 22h2, Windows 10 1607, Windows 10 21h2, Windows Server 2016, Windows 10 1507

Quotes

• We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers
• The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen
• An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks
• The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru)

Headlines

• Feb. 15, 2024 - CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Hackers used new Windows Defender zero-day to drop DarkMe malware
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

CVE-2024-21893

HIGH CVSS 8.20 EPSS Score 96.25 EPSS Percentile 99.47

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Neurons For Zero-Trust Access, Connect Secure, Policy Secure, And Neurons, Policy Secure, Connect Secure

Quotes

• Previously unknown and interesting backdoor
• I don't see how Ivanti survives as an enterprise firewall brand
• The backdoor is inserted into an existing Perl file called 'DSLog.pm
• Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020
• So far, we have only been seeing payloads similar to the original proof-of-concept (PoC) [exploit] published by watchTowr
• This appliance had the initial XML mitigation (API endpoints blocked) in place but not yet the second mitigation (or patch)

Headlines

• Feb. 16, 2024 - New Ivanti Vulnerability Observed as Widespread Security Concerns Grow
• Feb. 15, 2024 - Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
• Feb. 15, 2024 - Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
• Feb. 13, 2024 - Ivanti VPN Flaw Exploited to Inject Novel Backdoor; Hundreds Pwned
• Feb. 13, 2024 - Ivanti Gets Poor Marks for Cyber Incident Response
• Feb. 13, 2024 - Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)
• Feb. 13, 2024 - Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures
• Feb. 12, 2024 - Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor
• Feb. 11, 2024 - Week in review: 10 must-read cybersecurity books, AnyDesk hack, Patch Tuesday forecast

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 96.27 EPSS Percentile 99.48

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Policy Secure, Connect Secure

Quotes

• Previously unknown and interesting backdoor
• I don't see how Ivanti survives as an enterprise firewall brand
• We initially flagged the code in question during our internal review
• Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020
• So far, we have only been seeing payloads similar to the original proof-of-concept (PoC) [exploit] published by watchTowr

Headlines

• Feb. 16, 2024 - New Ivanti Vulnerability Observed as Widespread Security Concerns Grow
• Feb. 15, 2024 - Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
• Feb. 15, 2024 - Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
• Feb. 13, 2024 - Ivanti Gets Poor Marks for Cyber Incident Response
• Feb. 13, 2024 - Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)
• Feb. 12, 2024 - Fortinet, Ivanti Keep Customers Busy With Yet More Critical Bugs

CVE-2024-21412

HIGH CVSS 8.10 EPSS Score 1.01 EPSS Percentile 83.23

CISA Known Exploited Remote Code Execution

Published: Feb. 13, 2024

Internet Shortcut Files Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Windows

Quotes

• An authorized attacker must send the user a malicious file and convince the user to open it
• Could lead to the attacker gaining the ability to interact with other tenant’s applications and content
• We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers
• An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability
• The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen
• An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks
• In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware
• Inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf
• The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains
• In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly
• In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components
• Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru)

Headlines

• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 14, 2024 - Water Hydra’s Zero-Day Attack Chain Targets Financial Traders
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
• Feb. 14, 2024 - DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 14, 2024 - Urgent: Water Hydra Exploits Zero-Day to Target Traders
• Feb. 14, 2024 - CVE-2024-21351 & CVE-2024-21412: Two 0-days flaws in Microsoft February 2024 Patch Tuesday
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Hackers used new Windows Defender zero-day to drop DarkMe malware
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)
• Feb. 13, 2024 - Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
• Feb. 13, 2024 - Critical Patches Issued for Microsoft Products, February 13, 2024

CVE-2023-38831

HIGH CVSS 7.80 EPSS Score 33.60 EPSS Percentile 96.92

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 23, 2023

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Vendor Impacted: Rarlab

Product Impacted: Winrar

Quotes

• Aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware
• An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks
• Inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains
• In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components

Headlines

• Feb. 14, 2024 - Water Hydra’s Zero-Day Attack Chain Targets Financial Traders
• Feb. 14, 2024 - BumbleBee Malware Buzzes Back on the Scene After 4-Month Hiatus
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 14, 2024 - Urgent: Water Hydra Exploits Zero-Day to Target Traders
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 13, 2024 - Hackers used new Windows Defender zero-day to drop DarkMe malware
• Feb. 13, 2024 - Bumblebee malware attacks are back after 4-month break

CVE-2024-21351

HIGH CVSS 7.60 EPSS Score 0.57 EPSS Percentile 77.15

CISA Known Exploited

Published: Feb. 13, 2024

Windows SmartScreen Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Windows

Quotes

• An authorized attacker must send the user a malicious file and convince the user to open it
• Could lead to the attacker gaining the ability to interact with other tenant’s applications and content
• We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers
• An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability
• The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen
• Inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf
• The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both
• In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly
• ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data
• Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru)

Headlines

• Feb. 16, 2024 - Microsoft fixes two zero-days with Patch Tuesday release
• Feb. 15, 2024 - Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
• Feb. 15, 2024 - CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog
• Feb. 15, 2024 - Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
• Feb. 14, 2024 - Microsoft Fixes Two Zero-Days in February Patch Tuesday
• Feb. 14, 2024 - Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
• Feb. 14, 2024 - Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
• Feb. 14, 2024 - CVE-2024-21351 & CVE-2024-21412: Two 0-days flaws in Microsoft February 2024 Patch Tuesday
• Feb. 14, 2024 - Microsoft squashes security bugs under active exploitation
• Feb. 13, 2024 - Microsoft patches 80 vulnerabilities
• Feb. 13, 2024 - February 2024 Patch Tuesday: Updates and Analysis
• Feb. 13, 2024 - Fat Patch Tuesday, February 2024 Edition –
• Feb. 13, 2024 - Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs
• Feb. 13, 2024 - Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)
• Feb. 13, 2024 - Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws
• Feb. 13, 2024 - First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities
• Feb. 13, 2024 - Critical Patches Issued for Microsoft Products, February 13, 2024

CVE-2023-43770

MEDIUM CVSS 6.10 EPSS Score 11.47 EPSS Percentile 95.06

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 22, 2023

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

Vendors Impacted: Debian, Roundcube

Products Impacted: Webmail, Debian Linux

Quotes

• We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages

Headlines

• Feb. 13, 2024 - CISA Warns of Roundcube Webmail Vulnerability Exploitation
• Feb. 13, 2024 - Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
• Feb. 13, 2024 - Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now
• Feb. 12, 2024 - CISA: Roundcube email server bug now exploited in attacks
• Feb. 12, 2024 - CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog
• Feb. 12, 2024 - CISA warns of actively exploited' flaw in Roundcube Webmail (CVE-2023-43770)