Emerging Cyber Threats of March 2023

The cybersecurity landscape is constantly evolving, with new threats emerging every month. In March 2023, the digital world witnessed numerous zero-day vulnerabilities and ransomware campaigns that posed significant challenges. Fortunately, Picus Labs promptly added attack simulations for these emerging threats to the comprehensive Picus Threat Library.

This blog briefly explains the top cyber threats witnessed in March 2023. You can easily simulate these threats and validate and improve your security controls against them with the Picus Complete Security Validation Platform.

Simulate Emerging Cyber Threats with 14-Day Free Trial of the Picus Platform

Top Cyber Threats of March 2023

1. CVE-2023-23397: Microsoft Office Outlook Privilege Escalation Vulnerability

2. CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability

3. CISA Alert AA23-075A: LockBit 3.0

4. CISA Alert AA23-074A: Telerik UI Vulnerability

5. CVE-2023-24880: Vulnerability Exploited by Magniber Ransomware Group

6. CISA Alert AA23-061A: Royal Ransomware

   1. CVE-2023-23397: Microsoft Office Outlook Privilege Escalation Vulnerability

CVE-2023-23397 is a critical vulnerability found in Microsoft Outlook [1] that allows attackers to obtain users' authentication credentials (Net-NTLMv2) without any user interaction. The vulnerability arises from Outlook's inability to handle specific reminder properties (PidLidReminderFileParameter [2]), which attackers can exploit to send malicious messages that trigger an authentication request over TCP 445 to a remote SMB server under the attacker's control [3]. By capturing this authentication request, attackers can obtain the user's NTLMv2 hash.

APT28, a threat actor linked to Russia's GRU, is known to have exploited the critical CVE-2023-23397 vulnerability in Microsoft Outlook between April and December 2022 [4]. The group used phishing emails, malvertising, and drive-by downloads to send malicious Outlook notes and tasks to steal users' NTLMv2 hashes, which allowed them to authenticate to attacker-controlled SMB shares and gain access to sensitive information and systems. In fact, APT28 later used the stolen credentials for lateral movement within the victim's networks and exfiltrated emails for specific accounts by changing Outlook mailbox folder permissions.

To address the CVE-2023-21716 vulnerability, organizations can take several measures such as applying the latest security updates, enabling multi-factor authentication, and monitoring various log sources to detect indicators of attack or compromise. Microsoft product detections such as Microsoft Defender for Endpoint and Microsoft Defender for Office 365 can also help identify threats related to the vulnerability [5]. Additionally, Microsoft has released a PowerShell script [6] that scans for the PidLidReminderFileParameter" property in emails, calendar entries, and task items. The script can be downloaded from Microsoft's GitHub repository and used to identify and remove any problematic items. Get the script here.

We strongly suggest simulating Microsoft Office Outlook Privilege Escalation CVE-2023-23397 attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus The Complete Security Validation Platform.  

Picus Threat Library swiftly included the following threats for Microsoft Office Outlook Privilege Escalation CVE-2023-23397 attacks.

For more information, visit our latest blog on the CVE-2023-23397 Microsoft Office Outlook privilege escalation vulnerability.

2. CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability

On February 14, 2023, Microsoft released a patch to address a severe remote code execution vulnerability in Microsoft Office Word's RTF parser, CVE-2023-21716, as part of the Patch Tuesday [7]. This vulnerability has a CVSS score of 9.8 (Critical) and allows attackers to execute arbitrary code with the victim's privileges via RTF files.

The CVE-2023-21716 is a heap corruption vulnerability found in MS Office Word's RTF parser [8]. Specifically, the parser loads the font ID value when dealing with font tables (\fonttbl) and fills the upper bits of EDX with the font ID value. If the font table contains too large (\f###) of a font ID value (the numbers after a \f), the RTF parser corrupts the heap and causes a negative offset in the memory held in ESI, which can then be exploited for arbitrary command execution with a properly crafted heap layout.

Attackers can exploit this vulnerability by delivering a maliciously crafted RTF file via email or other means. When the victim either opens or previews the file, the attacker can execute arbitrary commands on the victim's system with the user’s privileges and potentially gain remote access to the system. 

A wide variety of Microsoft Office, SharePoint, and 365 Apps versions are affected by this vulnerability, including Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office Online Server, Microsoft Word, and Microsoft SharePoint.  Microsoft has advised users to update their software to the latest versions as soon as possible. For users who cannot patch their software, Microsoft has provided workarounds such as configuring Microsoft Outlook to read all standard mail in plaintext or using Microsoft Office File Block policy to prevent MS Office from opening RTF documents from untrusted sources. Thus, we strongly suggest simulating Microsoft Word CVE-2023-21716 attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus The Complete Security Validation Platform.

Picus Threat Library has included the following threats that exploits the Microsoft Word CVE-2023-21716 remote code execution vulnerability:

If you are interested in learning more, visit our blog on the CVE-2023-21716 zero-day vulnerability.

3. CISA Alert AA23-075A: LockBit 3.0

In March 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on LockBit 3.0 ransomware, a product of the infamous Ransomware-as-a-Service (RaaS) gang, LockBit. This group, which is active since September 2022, targets various industries and countries, and is responsible for nearly 40% of ransomware attacks worldwide [9]. In fact, it is estimated that the LockBit ransomware group has gained more than $100 million with their attack campaigns, making them one of the most prolific ransomware groups.

LockBit 3.0, a highly modular and evasive variant, gains initial access through methods such as malware-laced files, valid account exploitation, remote desktop services, and phishing emails. For example, in one attack, they used a zip file containing SocGholish malware to deploy a Cobalt Strike beacon and gather system information [10].

To maintain persistence and evade defenses, LockBit 3.0 alters registry settings, uses autostart techniques, and obfuscates files. Discovery involves tools like Bloodhound, Seatbelt [10], and network scanners, while lateral movement leverages Cobalt Strike beacons, remote desktop software, and RDP sessions with compromised high-privileged accounts.

Command and control are maintained through frameworks like Cobalt Strike, FileZilla, and PuTTY Link (Plink) [11]. Data exfiltration is executed using web services such as MEGA and cloud storage managers like rclone. The impact stage, on the other hand,  includes data destruction, inhibiting system recovery by deleting log files, volume shadow copies, and deploying ransomware with tools like PsExec. 

LockBit 3.0 employs hybrid encryption using AES and RSA algorithms for data encryption. The complexity and evasiveness of LockBit 3.0 make it a significant cybersecurity threat to organizations worldwide, emphasizing the importance of robust defense measures.

We also strongly suggest simulating LockBit 3.0 ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. 

Picus Threat Library includes the following threats for LockBit ransomware: 

If you want to learn more about Lockbit 3.0 ransomware, check out our blog about it.

4. CISA Alert AA23-074A: Telerik UI Vulnerability 

The joint advisory AA23-074A by CISA, FBI, and MS-ISAC details the exploitation of a critical Progress Telerik vulnerability (CVE-2019-18935) by cyber threat actors, including an APT actor, targeting a US federal civilian executive branch agency. This vulnerability, with a CVSS score of 9.8 (Critical), is due to a .NET deserialization flaw in the RadAsyncUpload function of Progress Telerik UI for ASP.NET AJAX versions prior to 2019.3.1023. 

Attackers can exploit this vulnerability if they gain access to encryption keys through exploiting other vulnerabilities like CVE-2017-11317 or CVE-2017-11357. In November 2022, threat actors successfully exploited the CVE-2019-18935 vulnerability on a Microsoft IIS server at an FCEB agency, potentially leveraging other known Telerik vulnerabilities as well. Multiple threat actors, including the XE Group, were involved in reconnaissance and scanning activities related to this exploitation.

After exploiting CVE-2019-18935, the attackers uploaded malicious DLL files disguised as PNG files to the C:\Windows\Temp directory. They then executed these files via the legitimate w3wp.exe process using DLL injection. Once executed, the DLL files dropped and executed reverse shell utilities for unencrypted communication with the attackers’ Command and Control (C2) IP addresses. Although the threat actors removed some malicious artifacts, there was no evidence of privilege escalation or lateral movement.

A proof-of-concept (PoC) exploit for the CVE-2019-18935 vulnerability is available on GitHub [12], allowing attackers to upload a DLL to a target server directory and execute arbitrary code using the insecure deserialization exploit. Therefore, we highly recommend organizations to effectively test their security controls against CVE-2019-18935 RCE attacks on Telerik UI using the Picus The Complete Security Validation Platform. 

The Picus Threat Library includes the following threat for exploiting the CVE-2019-18935 vulnerability. 

To read and learn more about the Telerik UI vulnerability (CVE-2019-18935), visit our blog here. 

5. CVE-2023-24880: Vulnerability Exploited by Magniber Ransomware Group

In March 2023, Microsoft MSRC reported a zero-day vulnerability, CVE-2023-24880 [13], affecting Windows 10, 11, and Server 2016 and later versions. This vulnerability involves a Windows SmartScreen security bypass, which threat actors exploit to deliver Magniber ransomware [13]. Google TAG researchers have linked this exploit to the Magniber ransomware, and Picus Labs has added attack simulations to its Threat Library.

Magniber ransomware, first detected in 2017, has evolved over time, using obfuscation and evasion techniques to remain effective. In September 2022, the malware began exploiting CVE-2022-44698, a SmartScreen bypass vulnerability, through JavaScript [14]. Microsoft patched this vulnerability in December 2022, but the CVE-2023-24880 zero-day exploit renders this patch ineffective.

The CVE-2023-24880 vulnerability stems from the unaddressed instances of THROW_HR calls within the smartscreen.exe file [14], which can cause an error in the shdocvw.dll module's DoSafeOpenPromptForShellExec function. Attackers craft a malicious file with a signature that generates an error, bypassing the security warning and executing the file without user interaction. This allows the Magniber ransomware to be deployed onto the target system.

We strongly recommend simulating Magniber ransomware attacks to test the effectiveness of your security controls not just against Magniber, but also against many other ransomware attacks, using the Picus Complete Security Validation Platform.

Picus Threat Library includes the following threats for Magniber ransomware: 

If you want to learn about how attackers exploit the CVE-2023-24880 vulnerability to deliver the Magniber ransomware, visit our blog here.

6. CISA Alert AA23-061A: Royal Ransomware

In March 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory concerning Royal ransomware (DEV-0569) [15]. This ransomware has primarily targeted sectors such as healthcare, communications, manufacturing, and education in the United States and Brazil [16].

The Royal ransomware threat actors employ a diverse set of tactics, techniques and procedures (TTPs) throughout their attack campaigns. Initially, they gain access to and establish persistence in their victims' systems using social engineering, exploiting vulnerable public-facing applications such as VMware ESXi servers [17], and launching phishing campaigns with malicious attachments and links.

To execute commands within infected systems, the attackers utilize batch scripts, which help them perform various tasks, including adding new users, modifying domain policies, collecting information about the victim, downloading additional malware for persistence, and deleting malicious artifacts to avoid further analysis.

In order to evade defenses, the threat actors disable antivirus software and subvert antivirus protocols, making it more difficult for security measures to detect their malicious activities during data encryption and exfiltration.

For lateral movement, adversaries use tools like PsExec to move within the victim's network and potentially compromise domain controllers through valid accounts. They employ command and control (C2) servers to transfer additional malware and remote monitoring software, such as AnyDesk, Atera, and LogMeIn [18]. They use an open-source tunneling tool called Chisel for secure communication with their C2 servers.

The attackers exfiltrate data using a range of tools, including Cobalt Strike, MegaCMD, rclone, SharpExfil, and Ursnif/Gozi [19]. The Royal ransomware employs a custom encryption method, which partially encrypts files based on their size and specific parameters, in order to avoid detection. The ransomware also uses the Windows Restart Manager to identify files in use or blocked by other applications.

We also strongly suggest simulating Royal ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform.

Picus Threat Library includes the following threats for Royal ransomware: 

If you want to learn more about the tactics, techniques and procedures used by the Royal ransomware, visit our blog here. 

References

[1] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397. [Accessed: Mar. 28, 2023]

[2] “Microsoft Mitigates Outlook Elevation of Privilege Vulnerability.” [Online]. Available: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/. [Accessed: Mar. 28, 2023]

[3] “Patch CVE-2023-23397 Immediately: What You Need To Know and Do,” Trend Micro, Mar. 21, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html. [Accessed: Mar. 28, 2023]

[4] KS Threat Research, “CVE-2023-23397 – Microsoft Outlook Privilege Elevation Critical Vulnerability,” Kudelski Security Research, Mar. 15, 2023. [Online]. Available: https://research.kudelskisecurity.com/2023/03/15/cve-2023-23397-microsoft-outlook-privilege-elevation-critical-vulnerability/. [Accessed: Mar. 28, 2023]

[5] M. I. Response, “Guidance for investigating attacks using CVE-2023-23397,” Microsoft Security Blog, Mar. 24, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/. [Accessed: Mar. 28, 2023]

[6] “CVE-2023-23397 script - Microsoft - CSS-Exchange.” [Online]. Available: https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/. [Accessed: Mar. 28, 2023]

[7] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716. [Accessed: Mar. 29, 2023]

[8] “GitHub - gyaansastra/CVE-2023-21716: A vulnerability within Microsoft Office’s wwlib allows attackers to achieve remote code execution with the privileges of the victim that opens a malicious RTF document. The attacker could deliver this file as an email attachment (or other means),” GitHub. [Online]. Available: https://github.com/gyaansastra/CVE-2023-21716. [Accessed: Mar. 29, 2023]

[9] HIPAA Journal, “Feds Release Updated Threat Intelligence on LockBit 3.0 Ransomware,” HIPAA Journal, Mar. 21, 2023. [Online]. Available: https://www.hipaajournal.com/feds-release-updated-threat-intelligence-on-lockbit-3-0-ransomware/. [Accessed: Mar. 29, 2023]

[10] “Back in Black: Unlocking a LockBit 3.0 Ransomware Attack,” NCC Group Research Blog, Aug. 19, 2022. [Online]. Available: https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/. [Accessed: Mar. 29, 2023]

[11] “#StopRansomware: LockBit 3.0,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a. [Accessed: Mar. 29, 2023]

[12] “GitHub - noperator/CVE-2019-18935: RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX,” GitHub. [Online]. Available: https://github.com/noperator/CVE-2019-18935. [Accessed: Mar. 29, 2023]

[13] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880. [Accessed: Mar. 29, 2023]

[14] P. Schläpfer, “Magniber Ransomware Targets Users with Fake Software Updates,” HP Wolf Security, Oct. 13, 2022. [Online]. Available: https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/. [Accessed: Mar. 29, 2023]

[15] “#StopRansomware: Royal Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a. [Accessed: Mar. 29, 2023]

[16] “Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks,” Trend Micro, Dec. 21, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html. [Accessed: Mar. 29, 2023]

[17] “Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers,” Trend Micro, Feb. 20, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html. [Accessed: Mar. 29, 2023]

[18] I. Arghire, “Organizations Warned of Royal Ransomware Attacks,” SecurityWeek, Mar. 03, 2023. [Online]. Available: https://www.securityweek.com/organizations-warned-of-royal-ransomware-attacks/. [Accessed: Mar. 29, 2023]

[19] H. C. Yuceel, “CISA Alert AA23-061A: Royal Ransomware Analysis, Simulation and TTPs,” Mar. 04, 2023. [Online]. Available: https://www.picussecurity.com/resource/blog-cisa-alert-aa23-061a-royal-ransomware-analysis-simulation-and-ttps. [Accessed: Mar. 29, 2023]