| Threat overview: Cloud identity abuse. With more organizations moving to hybrid or cloud-only models, it is becoming increasingly important to secure both cloud resources as well as cloud identities. Cloud identity compromise was initially thought to be a technique reserved for only a handful of advanced actors in the past such as Midnight Blizzard with the Solar Winds supply chain compromise. However, other tracked actors including Peach Sandstorm, Storm-0219, and Octo Tempest have recently shown sophisticated competency in the cloud across a large variety of industry verticals. |
| | Activity profile: Threat actors attempt SQL to cloud lateral movement. Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance. This attack technique demonstrates an approach we've seen in other cloud services such as VMs and Kubernetes cluster, but not in SQL Server. |
| | Vulnerability profile: WS_FTP Server critical vulnerabilities. Multiple vulnerabilities are impacting WS_FTP Server, a secure file transfer solution, according to a Progress Software advisory. Two of the identified vulnerabilities affecting versions prior to 8.7.4 and 8.8.2 are rated critical: CVE-2023-40044 and CVE-2023-42657. These vulnerabilities could allow an unauthenticated attacker to launch remote commands and perform file operations outside of their authorized folder path. |
| | Vulnerability profile: Pre-authentication RCE chain on SharePoint Server 2019. On September 25, 2023 STAR Labs researcher Nguyễn Tiến Giang published a technical analysis describing a pre-authentication remote code execution exploit chain impacting vulnerable versions of SharePoint Server 2019. |
| | Activity profile: Diamond Sleet compromises TeamCity servers. Diamond Sleet, a North Korean based threat actor, has compromised multiple servers running JetBrains TeamCity. The servers were likely compromised from the recently disclosed vulnerability CVE-2023-42793. Once Diamond Sleet successfully compromised the server, two payloads were downloaded from other infrastructure compromised earlier by Diamond Sleet. Microsoft also observed Diamond Sleet deploying files to the compromised servers that were used in dynamic link library (DLL) search-order hijacking attacks. |
| | Actor profile: Storm-1575. The actor group Microsoft tracks as Storm-1575 is behind the development, support, and sale of a phishing-as-a-service (PhaaS) platform with adversary-in-the-middle (AiTM) capabilities. This platform, known as Dadsec, has been active since approximately May 5, 2023. |
| | Actor profile: Pinstripe Lightning. The threat actor that Microsoft tracks as Pinstripe Lightning is a Gaza-based actor active as far back as 2015. Pinstripe Lightning is known to target Palestinian government agencies, universities, and pro-Fateh organizations in the West Bank. |
| | Vulnerability profile: CVE-2023-41763 Skype for Business Elevation of Privilege vulnerability. Microsoft has released a patch for CVE-2023-41763, an elevation of privilege vulnerability in Skype for Business, which was reported by a third-party researcher in May 2022. Proof of concept exploit code shows that this vulnerability enables server-side request forgery (SSRF) attacks which could cause a server to make requests to unintended locations. |
| | Actor profile: Diamond Sleet. The actor that Microsoft tracks as Diamond Sleet (formerly ZINC) is a North Korea-based activity group. Diamond Sleet is known to target media, defense, and information technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. |
| | Activity profile: Storm-0062 attempts to exploit CVE-2023-22515 in Atlassian Confluence. Microsoft has observed nation-state actor Storm-0062 attempting to exploit CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server. Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application. The Storm-0062 campaign targets government and defense industrial base organizations in North America and Europe. |
| | Actor profile: Storm-0539. The actor that Microsoft tracks as Storm-0539 is a financially motivated group active since late 2021. Storm-0539 is known to primarily target retail organizations for gift card fraud and theft. Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access. The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities. |
| | Vulnerability profile: CVE-2023-4863 and CVE-2023-5217 vulnerabilities in WebP and libvpx. In September 2023, Google published CVE-2023-4863 and CVE-2023-5217 to address vulnerabilities in WebP (a compression format for images on the web) and libvpx (a software video codec library) that may result in remote code execution. The subsequent impact to Microsoft products has been documented in the Security Update Guide and the MSRC blog. Google is aware that exploits exist for both vulnerabilities. |
| | Actor profile: Storm-0249. The actor Microsoft tracks as Storm-0249 (DEV-0249) is an access broker active since 2021 and known for distributing BazaLoader, Gozi, Emotet, IcedID, and Bumblebee malware. Storm-0249 typically uses phishing emails to distribute their malware payloads in opportunistic attacks. Microsoft observed Storm-0249 activity leading to hands-on-keyboard activity by ransomware operators like Storm-0501 (DEV-0501). |
| | Actor profile: Storm-0589. The actor that Microsoft tracks as Storm-0589 (DEV-0589) is an activity group based out of Iran. Storm-0589 is known to target organizations in government, travel, hospitality, human resources, information technology, and telecommunications sectors in countries in Africa, Asia, Europe, and the Middle East. Storm-0589 has used a combination of commodity and custom tools, notably a custom scanner, in its operations. Given the profile of targeted organizations and the nature of known post-exploitation activity, Microsoft assesses that this group is seeking data that can be used to identify and track individuals of interest. |
| | Vulnerability profile: CVE-2023-20198 and CVE-2023-20273 Cisco IOS XE web UI feature vulnerabilities. CVE-2023-20198 and CVE-2023-20273 are critical vulnerabilities in Cisco IOS XE Software web UI that could let an attacker remotely access and elevate privileges on impacted systems to achieve full compromise. Attackers reportedly exploited these then-zero-day vulnerabilities prior to their public disclosure. Microsoft has observed activity indicating threat actors are actively targeting these security flaws, and many impacted devices remain exposed to the web. |
| | Vulnerability profile: CVE-2023-38831 in WinRAR. CVE-2023-38831 is a vulnerability in the WinRAR compression tool, which an attacker can exploit to run arbitrary code using a weaponized archive file. The vulnerability was reportedly exploited as early as April 2023 prior to its public disclosure. Since the disclosure in July 2023, exploitation activity increased in both widespread phishing operations as well as targeted spear phishing operations by threat actors such as Forrest Blizzard, Twill Typhoon, and Opal Sleet. Proof-of-concept code is widely available, further contributing to adoption among threat actors. |
| | Vulnerability profile: CVE-2023-4966 and CVE-2023-4967 in NetScaler ADC and NetScaler Gateway. CVE-2023-4966 and CVE-2023-4967 are vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway that, if exploited, can result in information disclosure and denial-of-service, respectively. Citrix disclosed these issues in an October 10, 2023, advisory and has since provided builds addressing the flaws. |
