Flash Notice: Microsoft Patches Multiple Vulnerabilities, Including Two Under Active Exploitation

overview

Microsoft recently released security updates for 118 vulnerabilities that can be found across the breadth of its software offerings. As of October 8, two of these vulnerabilities have been recorded as under active exploitation.  

CVE-2024-43572 is listed as a Remote Code Execution vulnerability or an Arbitrary Code Execution vulnerability as it requires access to a specific machine to exploit; either through physical access, open Secure Shell communication, or by tricking a local user into running malicious code (phishing). Microsoft has not disclosed details as to how this vulnerability has been exploited but, phishing attacks are the most likely avenue of attack given their average success rate and overall low complexity relative to the other two methods. Ensuring employees understand how to spot and report phishing attacks remains crucial to defense in addition to patching the vulnerability.  

CVE-2024-43573 is listed as a platform spoofing vulnerability and relies on the existence of the Microsoft HTML scripting platform, which is still supported by Microsoft despite many of its visible applications, such as Internet Explorer 11 and Edge Legacy, being deprecated. Of the two vulnerabilities under active exploitation, 43573 is the more serious vulnerability because it can be exploited remotely via Cross-site scripting and does not necessarily require any kind of local exploit for an attacker to take malicious action inside the network.  

In both cases, the best counter-measure remains patching the vulnerabilities as soon as possible.  

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with exploitation of these vulnerabilities. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

TTPs TO MONITOR

1. Pharming

Tactic: Credential Access (T1556.002 - Steal or Forge Certificates) 

• Pharming manipulates DNS settings to route users to fraudulent sites to capture credentials or personal information. 

Tactic: Initial Access (T1071) 

• When a victim submits their data on a fake website, the attacker gains initial access through stolen credentials or session hijacking. 

2. Angler Phishing

Tactic: Initial Access (T1566.001) 

• Attackers posing as legitimate customer support accounts use social engineering techniques to lure victims into clicking malicious links or revealing credentials. 

3. Pop-up Phishing

Tactic: Collection (T1566 - Phishing) 

• Adversaries may use fake pop-ups to trick users into entering their credentials or downloading malicious software. 

• CROSS-SITE SCRIPTING could allow an attacker to escalate privileges if the injected code enables actions on behalf of the user, such as performing tasks with the victim’s elevated permissions (e.g., admin access). 
• Technique: Abuse Elevation Control Mechanism (T1548.002 - Bypass User Account Control) 
  • If the CROSS-SITE SCRIPTING exploit targets a privileged user or administrator, the attacker may be able to leverage the user’s higher privileges to perform malicious activities. 

• CROSS-SITE SCRIPTING can evade defenses by disguising the malicious payload as legitimate content, or by obfuscating the script to avoid detection by web application firewalls or input sanitization mechanisms. 
• Technique: Obfuscated Files or Information (T1027) 
  • Attackers can obfuscate the malicious script to bypass detection mechanisms such as web filters or content security policies. 

ADDITIONAL SERVICE OFFERINGS

• Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  
• Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
• Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
  • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
  • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION