Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, March 16, 2023, 2:33 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Latitude Financial Hit With Customer Data Breach

Shares in lender and digital payment processor Latitude Group Holdings have been suspended from trading on the ASX following their notification of a cyber incident. In their announcement, the firm stated that "unusual activity" detected over the last few days is believed to have originated from a major vendor used by Latitude". Despite their taking immediate action, the attackers were able to obtain employee credentials and then use those to steal information held by two other service providers.

From the first provider, the attackers stole approximately 103,000 identification documents - more than 97% of them drivers' licences - while approximately 225,000 customer records were stolen from the second service provider.

Latitude has shut down some systems - both internal and customer-facing - while it works to contain the attack in collaboration with external specialists and the Australian Cyber Security Centre. It is also contacting the affected customers.

Here we go again; this is the second breach of identity documents, specifically drivers' licences, in recent months (the first being from Optus). Replacement of drivers' licences is a particularly painful process, and there is a lesson to be learned here about the retention of documents used for identity verification after that process has been performed. Identity documents should be viewed as a potential liability and not an information asset. If we don't fix this, expect legislation.

Gardy, Mark, Cyber Incident, ASX Announcement, 16 March 2023. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02644401.

Microsoft 365 CVSS 9.8 Vulnerability Being Exploited in the Wild

A couple of days ago, the US Cybersecurity & Infrastructure Security Agency added three new "known exploited vulnerabilities" to its catalog. One of these is CVE-2023-23397 (see also Microsoft's vulnerability page), which has variously been categorised as a remote code execution or privilege escalation vulnerability in Microsoft Outlook. Most significantly, this vuln merits a CVSS 3.x score of 9.8, which makes it critical.

The vulnerability allows a remote and unauthenticated attacker to obtain a victim's logon credentials by simply sending a specially-crafted malicious email. But it gets worse: the victim doesn't even need to look at the email. As Microsoft notes, the code in the malicious email "triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane". The code then executes a pass-the-hash attack by sending the victim's NTLMv2 hash to a C2 server the attacker controls, allowing the attacker to reuse the hash with other services.

The vulnerability is present in both 32-bit and 64-bit versions of Microsoft 365 for Enterprise, as well as Microsoft Office 2013, 2016 and 2019. Interestingly, according to MDSec - who reverse-engineered one mitigation approach in order to create a proof-of-concept - the vulnerability actually exists in the Outlook code which allows the user to select an audio file to be played when a reminder for a mail item is triggered. Cute, but unnecessary - remember, the enemy of security is complexity.

According to Microsoft's Threat Analytics reports, this exploit has been used against some 15 European government, military, energy and transport organizations since April 2022, with attribution to the Russian GRU unit APT28, a.k.a. Fancy Bear. And of course, now that a PoC is available, expect others to develop their own exploits, making patching even more critical.

Meanwhile, suggested mitigations include disabling the use of NTLMv2 authentication by adding users to the "Protected Users" security group, as well as blocking outbound traffic on TCP port 445 (SMB).

Chell, Dominic, Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, blog post, 14 March 2023. Available online at https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/.

Targett, Ed, Urgent: Microsoft 365 Apps being exploited in wild through CVSS 9.8 bug, The Stack, 14 March 2023. Available online at https://thestack.technology/critical-microsoft-outlook-vulnerability-cve-2023-23397/.

CISA Known Exploited Vulnerabilities Updates

Since we mentioned them above, here are the latest additions to the CISA Known Exploited Vulnerabilities Catalog:

  • CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability (covered above)
  • CVE-2023-24880 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2022-41328 - Fortinet FortiOS Path Traversal Vulnerability
  • CVE-2023-26360 - Adobe ColdFusion Improper Access Control Vulnerability

In fact, Adobe has released security updates for a number of their products; here are the relevant Adobe Security Bulletins:

CISA, CISA Adds Three Known Exploited Vulnerabilities to Catalog, Alert, 14 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/14/cisa-adds-three-known-exploited-vulnerabilities-catalog.

CISA, CISA Adds One Known Exploited Vulnerability to Catalog, Alert, 15 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-exploited-vulnerability-catalog.

CISA, Adobe Releases Security Updates for Multiple Products, Alert, 14 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/14/adobe-releases-security-updates-multiple-products.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: