SeedTheNet
    August 8, 2023—KB5029247 (OS Build 17763.4737)
Applies to: Win 10 Ent LTSC v2019, Win 10 IoT Ent LTSC v2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019
Release Date:
    8/8/2023
    Version:
    OS Build 17763.4737
    11/17/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. 
    Highlights 
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes improvements. When you install this KB:
    This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.
    This update affects user mode printer drivers. They unload unexpectedly. This occurs when you print from multiple print queues to the same printer driver.
    This update enhances hinting for some of the letters of the Verdana Pro font family.
    This update affects the Windows Kernel Vulnerable Driver Blocklist, DriverSiPolicy.p7b. It adds drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
    This update addresses an issue that affects Kerberos constrained delegation (KCD). It fails on read-write domain controllers. The error message is, “KRB_AP_ERR_MODIFIED.” This occurs after you install the November 2022 security updates.
    This update addresses an issue that affects the Windows Management Instrumentation (WMI) repository. This causes an installation error. The issue occurs when a device does not shut down properly.
    This update addresses an issue that affects Event Forwarding Subscriptions. When you add an Event Channel to the subscription, it forwards events you do not need.
    This update addresses a deadlock in Internet Protocol Security (IPsec). When you configure servers with IPsec rules, they stop responding. This issue affects virtual and physical servers.  
    This update addresses an issue that affects Active Directory Federation Services (AD FS). It might take several attempts to sign in to AD FS successfully. This is because the time calculation for the expiration of a single sign on cookie is wrong.
    This update addresses an issue that affects AD Domains and Trusts snap-ins. They fail to enumerate domain trusts. The error message is, "The parameter is incorrect."
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the August 2023 Security Updates.
    Windows 10 servicing stack update - 17763.4640
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
     
      How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
     
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business
    Yes
    None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Windows 10
    Classification: Security Updates
    If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5029247.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.4640. 

    SeedTheNet
    Return Address Security Bulletin
    Bulletin ID: AMD-SB-7005
    Potential Impact: Data Confidentiality
    Severity: Medium
    Summary
AMD has received an external report titled ‘INCEPTION’, describing a new speculative side channel attack. The attack can result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. This attack is similar to previous branch prediction-based attacks like Spectre v2 and Branch Type Confusion (BTC)/RetBleed. As with similar attacks, speculation is constrained within the current address space and, to exploit it, an attacker must have knowledge of the address space and control of sufficient registers at the time of RET (return from procedure) speculation. Hence, AMD believes this vulnerability is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools.
    AMD is not aware of any exploit of ‘Inception’ outside the research environment at this time.
    Refer to Glossary for explanation of terms
    CVE Details
    CVE-2023-20569
    A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure.
    Mitigation
    AMD recommends customers apply either the standalone µcode patch or a BIOS update that incorporates the µcode patch, as applicable, for products based on “Zen 3” and “Zen 4” CPU architectures. AMD plans to release updated AGESA™ versions to Original Equipment Manufacturers (OEM), Original Design Manufacturers (ODM) and motherboard manufacturers (MB) on the target dates listed below. Please refer to your OEM, ODM, or MB for a BIOS update specific to your product, which will follow after the dates listed below, as applicable. No µcode patch or BIOS update, which includes the µcode patch, is necessary for products based on “Zen” or “Zen 2” CPU architectures because these architectures are already designed to flush branch type predictions from the branch predictor.
    Operating system (OS) configuration options may also be available to help mitigate certain aspects of this vulnerability. AMD recommends users evaluate their risk environment (including the risk of running untrusted local code) when deciding on OS mitigation options and refer to OS-specific documentation for guidance. “Zen 3” and “Zen 4” based systems will require the µcode patch, which is incorporated in the BIOS update, prior to enabling OS configuration options.

    SeedTheNet
    August 8, 2023—KB5029242 (OS Build 14393.6167)
Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions
Release Date:
    8/8/2023
    Version:
    OS Build 14393.6167
    11/19/20
For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1607, see its update history page.
    Highlights
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes quality improvements. When you install this KB: 
    This update addresses an issue that affects Kerberos constrained delegation (KCD). It fails on read-write domain controllers. The error message is, “KRB_AP_ERR_MODIFIED.” This occurs after you install the November 2022 security updates.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the August 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5023788) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business
    Yes
    None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Windows 10
    Classification: Security Updates
     
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5029242.

    SeedTheNet
    August 8, 2023—KB5029250 (OS Build 20348.1906)
Applies to: Windows Server 2022
Release Date:
    8/8/2023
    Version:
    OS Build 20348.1906
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page.     
Note: Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
    Improvements
    This security update includes quality improvements. When you install this KB:
    This update addresses an issue that affects Microsoft Teams. It fails to send you notifications under certain conditions.
    This update addresses an issue that affects the Windows Management Instrumentation (WMI) repository. This causes an installation error. The issue occurs when a device does not shut down properly.
    This update addresses an issue that affects Event Forwarding Subscriptions. When you add an Event Channel to the subscription, it forwards events you do not need.
    This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.
    This update enhances hinting for some of the letters of the Verdana Pro font family.
    This update addresses an issue that might affect your computer when you are playing a game. Timeout Detection and Recovery (TDR) errors might occur.
    This update addresses an issue that affects the software-defined networking (SDN) firewall In Memory Object Store DB. Its migration fails.
    This update affects text edit controls in XAML. You cannot edit the controls again after they become read only. This occurs when you use the new Microsoft Input Method Editor for Japanese, Chinese, and Korean.
    This update addresses an issue that affects applications that perform certain actions in a callback. The applications might stop working. These actions include closing a Window (WM_CLOSE).
    This update addresses a deadlock in Internet Protocol Security (IPsec). When you configure servers with IPsec rules, they stop responding. This issue affects virtual and physical servers.
    This update addresses an issue that affects Networking-MPSSVC-Svc. The issue causes a system to enter a restart loop. The stop code is 0xEF.
    This update addresses an issue that causes Windows to fail. This occurs when you use BitLocker on a storage medium that has a large sector size.
    This update affects the Windows Kernel Vulnerable Driver Blocklist, DriverSiPolicy.p7b. It adds drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
    This update addresses an issue that affects Active Directory Federation Services (AD FS). It might take several attempts to sign in to AD FS successfully. This is because the time calculation for the expiration of a single sign on cookie is wrong.
This update addresses an issue that affects repair storage jobs. The jobs are suspended. This occurs after two physical disks in two different rack-level fault domains (three fault domains in total) lose communication.
    This update addresses an issue that affects AD Domains and Trusts snap-ins. They fail to enumerate domain trusts. The error message is, "The parameter is incorrect."
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the Security Update Guide and the August 2023 Security Updates.
    Windows Server 2022 servicing stack update - 20348.1900
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
    Known issues in this update
Symptom: After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.
Workaround: Please see VMware’s documentation to mitigate this issue. Microsoft and VMware are investigating this issue and will provide more information when it is available.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
     
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business
    Yes
    None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Microsoft Server operating system-21H2
    Classification: Security Updates
     
    If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File Information
    For a list of the files that are provided in this update, download the file information for cumulative update 5029250. 
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.1900. 

    SeedTheNet
Baldur’s Gate 3: Preparing for Launch

Hey everyone!

    We are ONE DAY away from the release of Baldur’s Gate 3, so we hope your hearts are ready for adventure and your eyeballs are primed for tadpoling.

    Many of you have been playing Baldur’s Gate 3 since the start of Early Access, all the way back in 2020. You may have accumulated a backlog of old save games, or even a few mods along the way. Even if you’re a first-time player, there’s information here that will be useful to you.

    To make sure you’re prepared for the journey ahead, we strongly recommend you take the following steps before venturing forth.
  1. Delete your in-game Early Access Saves
We’ve taken measures to ensure a smooth transition into the launch version of BG3, but we still recommend deleting your in-game Early Access save files if you still have access to an Early Access version of the game.

Your Early Access saves and player profiles aren’t compatible with the release version of Baldur’s Gate 3, and leaving them in your save folders may in some fringe cases cause issues. Note: simply deleting the game’s save folder may create conflicts when either Steam Cloud or Larian Cloud re-downloads the save files.
  • Open Baldur’s Gate 3.
  • On the main menu, click Load Game.
  • Click through old campaigns and select Delete Campaign.
    This method will ensure your saves are deleted from your computer as well as from the cloud.

We know it can be hard to say goodbye: if you want to back up your saves before removing them from the cloud, you can move them from %LocalAppData%\Larian Studios to another location for safekeeping, before removing them.

  2. Uninstall the Early Access version
Having the Early Access version of Baldur’s Gate 3 installed will not speed up your download of the full game, and could affect your installation of the full game. Due to the game being in Early Access, we’re unable to offer pre-loads, as this would break existing Early Access saves. To uninstall:
  • In the Steam client, open your Steam Library.
  • Right click Baldur’s Gate 3.
  • From the menu that appears, select Manage -> Uninstall.

  3. Delete your Mods
Existing mods will not be compatible with the release version of Baldur’s Gate 3, and will cause issues or break the game in unpredictable ways.

    After uninstalling the game, check your Baldur’s Gate 3 installation folder and your AppData folder for Baldur’s Gate 3 to ensure there are no remaining folders for mods.

    If you use a mod installer like the Vortex Mod Manager from Nexus, make sure you also uninstall the mods in the mod manager to ensure they aren’t automatically re-downloaded.

    For mod-related troubleshooting, check out our Mod Information support page.
  4. Install BG3 on an SSD
A solid-state drive (SSD) is highly recommended to play Baldur’s Gate 3, and we recommend you install the game on yours. It’s good practice to make sure you have more space on the drive than is needed.
  5. Update your graphics card drivers
Updating to the latest graphics card drivers will help with compatibility and performance of the game.
  6. Refer to the launch FAQ
If you have any problems launching BG3 when we switch to the final version of the game on August 3rd, we’ll have an FAQ accessible from the launcher that will detail some of what we believe may be the most likely problems, with solutions.

    Outside of the above, our support teams will be happy to assist you with any problems, but we sincerely hope you have fun with the final version of Baldur’s Gate 3!

    SeedTheNet
    By Unit 42
    July 12, 2023 at 3:00 AM
    Executive Summary
    Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0029, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:
  • Notes verbale (semiformal government-to-government diplomatic communications)
  • Embassies’ operating status updates
  • Schedules for diplomats
  • Invitations to embassy events
These types of lures are generally sent to individuals who handle this type of embassy correspondence as part of their daily jobs. They are meant to entice targets to open the files on behalf of the organization they work for.
    Recently, Unit 42 researchers observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more than the countries they represent. We have identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently placed diplomats need – a vehicle.
    We observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv. While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence Service (SVR).
    Our assessment that Cloaked Ursa is responsible for these lures is based on the following:
  • Similarities to other known Cloaked Ursa campaigns and targets
  • Use of known Cloaked Ursa TTPs
  • Code overlap with other known Cloaked Ursa malware
These unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants instead of as part of their routine duties.
    The lures themselves are broadly applicable across the diplomatic community and thus are able to be sent and forwarded to a greater number of targets. They’re also more likely to be forwarded to others inside of an organization as well as within the diplomatic community.
    Overall, these factors increase the odds of a successful compromise within targeted organizations. While not likely to fully supplant diplomatic operations-themed lures, these lures focusing on individuals do provide Cloaked Ursa with new opportunities and a broader range of susceptible potential espionage targets.
    Palo Alto Networks customers receive protections against the types of threats discussed in this article by products including:
  • Cortex XDR
  • WildFire
  • Cloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering and DNS Security
If you believe you have been compromised, the Unit 42 Incident Response team can provide a personalized response.
Related Unit 42 Topics: Russia, Ukraine, phishing
Cloaked Ursa APT Group AKAs: APT29, UAC-0029, Midnight Blizzard/Nobelium, Cozy Bear
Table of Contents
    BMW for Sale
    Turkish Diplomats: Humanitarian Assistance for Earthquake
    Conclusion
    Indicators of Compromise
    Samples
    URLs
    Known Email Senders
    BMW Payload: Dropbox and MS Graph API Tokens and Secrets
    Additional Resources
    Appendix
    Technical Analysis of BMW Campaign
    Technical Analysis of Turkey Campaign
    BMW for Sale
    One of the most recent of these novel campaigns that Unit 42 researchers observed appeared to use the legitimate sale of a BMW to target diplomats in Kyiv, Ukraine, as its jumping off point.
    The campaign began with an innocuous and legitimate event. In mid-April 2023, a diplomat within the Polish Ministry of Foreign Affairs emailed his legitimate flyer to various embassies advertising the sale of a used BMW 5-series sedan located in Kyiv. The file was titled BMW 5 for sale in Kyiv - 2023.docx.
    The nature of service for professional diplomats is often one that involves a rotating lifestyle of short- to mid-term assignments at postings around the world. Ukraine presents newly assigned diplomats with unique challenges, being in an area of armed conflict between Russia and Ukraine.
    How do you ship personal goods, procure safe accommodations and services, and arrange for reliable personal transportation while in a new country? The sale of a reliable car from a trusted diplomat could be a boon for a recent arrival, which Cloaked Ursa viewed as an opportunity.
    We assess that Cloaked Ursa likely first collected and observed this legitimate advertising flyer via one of the email’s recipients’ mail servers being compromised, or by some other intelligence operation. Upon seeing its value as a generic yet broadly appealing phishing lure, they repurposed it.
    Two weeks later, on May 4, 2023, Cloaked Ursa emailed their illegitimate version of this flyer to multiple diplomatic missions throughout Kyiv. These illegitimate flyers (shown in Figure 1) use benign Microsoft Word documents of the same name as that sent by the Polish diplomat.
Figure 1. Example lure used in BMW campaign (SHA256 311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517).
The key difference with these illegitimate versions is that if a victim clicks on a link offering “more high quality photos,” a URL shortener service (either t[.]ly or tinyurl[.]com) will redirect them to a legitimate site. This site would have been coopted by Cloaked Ursa, resulting in the download of a malicious payload.
    When a victim attempts to view any of the “high quality photos” (shown in Figure 2) in the download, the malware executes silently in the background while the selected image displays on the victim’s screen.
Figure 2. Windows shortcut files masquerading as image files.
These pictures are actually Windows shortcut files masquerading as PNG image files. Figure 3 illustrates the full execution flow.
Figure 3. Execution flow.
    We’ve observed two versions of these illegitimate flyers. The only difference between the two is the shortened URL used in each case. The URLs ultimately redirect the victim to the same coopted site (hxxps://resetlocations[.]com/bmw.htm).
    At the time of this writing, one of the flyer versions (SHA256: 311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517) is detected as malicious by multiple vendors according to VirusTotal, while the other version (SHA256: 8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596) is not detected. For a full overview of the malware, please refer to the Appendix.
    Overall, we observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv in this campaign, as shown in Table 1. The actual number targeted is likely higher. This is staggering in scope for what generally are narrowly scoped and clandestine APT operations.
Known Embassies in Kyiv Targeted by Cloaked Ursa in BMW Campaign: Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, United States, Uzbekistan
Table 1. Known embassy targets of BMW campaign.
    For the activity we observed, Cloaked Ursa used publicly available embassy email addresses for approximately 80% of the targeted victims. The remaining 20% consisted of unpublished email addresses not found on the surface web.
    This indicates that attackers likely also used other collected intelligence to generate their victim target list, to ensure they were able to maximize their access to desired networks. The majority of the targeted organizations in this campaign were embassies. However, we also observed Cloaked Ursa targeting both Turkish Ministry of Trade representatives in Ukraine (via their ticaret[.]gov[.]tr work emails) and their embassy in the BMW campaign.
    While there were a handful of emails sent directly to individuals’ work addresses within the campaign, the majority of the targeted emails consisted of general inboxes for the embassy, such as country.embassy@mfa[.]gov[.]xx. Despite the thought and detail put into targets for this campaign, at least two of the email addresses contained errors and never reached the intended targets. Overall, the use of these group inboxes likely increased the odds of the emails being reviewed and passed on to individuals within the embassies looking for transportation.
    With a few of the embassies we observed being targeted, this was done via group emails hosted on free online webmail services. While these services offer some protection, they also outsource a portion of the security provided to targeted organizations and their employees to external entities. The use of free online webmail could have the unintended consequence of increasing a diplomatic organization’s difficulty in observing and understanding the totality of threats targeting it while also increasing its attack surface.
    Turkish Diplomats: Humanitarian Assistance for Earthquake
    Another of the novel Cloaked Ursa campaigns we observed likely targeted the Turkish Ministry of Foreign Affairs (MFA) earlier in 2023, within a February to March timeframe. While we were unable to obtain the malicious email lure associated with this campaign, we know that it related to a document that purported to be Turkish MFA guidance on humanitarian assistance pertaining to the Feb. 21, 2023, earthquake in Turkey. The earthquake in late February further ravaged a region already devastated by a massive earthquake two weeks earlier, which ultimately killed more than 50,000 and displaced more than 5.9 million people.
    We were able to determine this second campaign targeting the MFA based on a PDF (shown in Figure 4) that was contained in a downloaded payload (SHA256: 0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839 – for a full overview of the malware, please refer to the Appendix).
    Not one to let a disaster and the highly sympathetic charge it generates go to waste, Cloaked Ursa likely saw a lure providing MFA guidance on humanitarian support for this tragedy as a way to ensure a high level of interest from their targets – these recipients would feel a patriotic obligation and would understand the MFA’s expectations to support their nation and its victims. In addition, given the timely and momentous nature of the lure, it was almost certainly forwarded by concerned employees to others in their organization who would be interested in the guidance.
Figure 4. Excerpt from Turkish MFA memorandum.
Conclusion
    Diplomatic missions will always be a high-value espionage target. Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government.
    As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information.
    Recommendations
    Train newly assigned diplomats and employees to a diplomatic mission on the cybersecurity threats for the region prior to their arrival. This training should include the specific tactics, techniques and procedures (TTPs) used by APTs in that region.
    Always take extra precautions to observe URL redirection when using URL-shortening services.
    Always be cautious of downloads, even from seemingly innocuous or legitimate sites. APTs routinely co-opt legitimate sites or services for malicious purposes.
    Always take extra precautions with attachments that require a web browser to open. These types of attachments include the following file extensions: .hta, .htm, .html, .mht, .mhtml, .svg, .xht and .xhtml.
    Always verify file extension types to ensure you are opening the type of file you intend to. If the file extension does not match, or if it is attempting to obfuscate its nature, it is very likely malicious.
    When received as an attachment to an email, or when downloaded from a link within an email, always look for hidden files and directories in archives such as those with the extensions .zip, .rar, .7z, .tar and .iso. The presence of hidden files or directories could indicate the archive is malicious.
    Consider disabling JavaScript as a rule.
    Palo Alto Networks customers receive protections against the types of threats discussed in this article by products including:
    Cortex XDR
    WildFire
    Cloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering and DNS Security.
    If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
    North America Toll-Free: 866.486.4842 (866.4.UNIT42)
    EMEA: +31.20.299.3130
    APAC: +65.6983.8730
    Japan: +81.50.1790.0200
    Palo Alto Networks disclosed this activity to Microsoft and Dropbox.
    Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
    Indicators of Compromise
    Samples
    311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517
    8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596
    47e8f705febc94c832307dbf3e6d9c65164099230f4d438f7fe4851d701b580b
    79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f
    38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534
    706112ab72c5d770d89736012d48a78e1f7c643977874396c30908fa36f2fed7
    c62199ef9c2736d15255f5deaa663158a7bb3615ba9262eb67e3f4adada14111
    cd4956e4c1a3f7c8c008c4658bb9eba7169aa874c55c12fc748b0ccfe0f4a59a
    0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839
    60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37
    03959c22265d0b85f6c94ee15ad878bb4f2956a2b0047733edbd8fdc86defc48
    URLs
    hxxp://tinyurl[.]com/ysvxa66c
    hxxp://t[.]ly/1IFg
    hxxps://resetlocations[.]com/bmw.htm
    hxxps://tinyurl[.]com/mrxcjsbs
    hxxps://simplesalsamix[.]com/e-yazi.html
    hxxps://www.willyminiatures[.]com/e-yazi.html
    Known Email Senders
    dawid.tomaszewski@resetlocations[.]com
    ops.rejon4@kazmierz[.]pl
    BMW Payload: Dropbox and MS Graph API Tokens and Secrets
    Teams_test
    840aae0d-cd89-4869-bce1-94222c33035e
    M.R3_BL2.-CYZcTMwdTTD5X9lMxE*wscQcrZ56RUoklIvNkUw5pW1kJ9tfqvv1vRT8VgOb8uXtJTPB3E2CKV!pmm4V6DF8TRvo60QFCxMnUAnuv3jJ78TqHMdxPHONUDeI!B4DbLyg6ZjPZzghLXtmTZqzxOfpCUInOnhFJGoiL6kob7hKVhxm2dJQ9whK9zORxKg0FAnmd0tAR9lKJJaIUkVLcQ939EG2EKG9xsVVWwL04kX0092j7r2jo0rQR9Nqe4DuG0cRAMoODktAbTiuIsehkO5bM0ZuHsDuRr6mMoJrpwbqP0nt5PqJ*E7TS2scdYYOxnQ0mQ$$
    iofd62cx8jy9vyp
    sx6qt5iw2t9y7r8
    GCy8UdFrumsAAAAAAAAAASYLcT6_Rjx8PYFAvKH3Q3fT27eYzNsXJYCz7320YBIM
    Turkey MFA Payload: Dropbox and MS Graph API Tokens and Secrets
    e0f94357-98c9-475d-94eb-27b6c74a6429
    mytestworkapp1
    M.R3_BL2.-CUanxFBYCxVzJ6hwSYPoLZ49NQ3X*y5rETt!aN*487MvafwQFn7kevSiXUwpGnHaquakM8vH6iESLDlXP38hmqQn98rRLvOzWwlKmD!8Xb5yEewCaa13S4Y1VyTIswo54Ez5ihRdUYCkYxkidMsZBn5!4icBZKpwC9hDW6G8OLcj8c2ZDtl8kUJ5PaX5TTDgXRzYdLPcqJFiNREjNg0*L569xMG1D14JpmjuO3HLBN2OclUv6c9FeuRwe5EuHA9aKhdqWkdjxWbnGGMgn9SnyDF7VSVCYT0*KBPNE!WYm*CXbE4jNTqJnkyPzvDJtj0OoA$$
    3a1n71ujslwse9v
    75vedbskd505jyk
    Hd0j7avNBxsAAAAAAAAAARq2fs5Ei8Z0-ahPPeB1McEek6NMzkGRmYHuxjsCZTfE
    Additional Resources
    Espionage Campaign Linked to Russian Intelligence Services – Cybersecurity Emergency Response Team Poland (CERT.PL)
    Cloaked Ursa / APT29 Phishing Tweet (March 10, 2023) – Palo Alto Networks, Unit 42
    IOCs: Cloaked Ursa / APT29 Phishing Tweet (March 10, 2023) – Palo Alto Networks, Unit 42
    Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive – Palo Alto Networks, Unit 42
    Appendix
    Technical Analysis of BMW Campaign
    The hyperlinks found within the malicious BMW 5 for sale in Kyiv - 2023.docx flyers (SHA256: 311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517 and SHA256: 8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596) lead to a site (hxxps://resetlocations[.]com/bmw.htm) that was offline in mid-June, but they originally retrieved a large HTA file (SHA256: 47e8f705febc94c832307dbf3e6d9c65164099230f4d438f7fe4851d701b580b). This HTA file contains roughly 10 MB of Base64-encoded and XORed data, followed by JavaScript code.
    The JavaScript code would first make a request to the same domain on the URI kll.php, before decoding the embedded data mentioned above and triggering the browser to download it using msSaveOrOpenBlob, or a mix of createElement and createObjectURL should msSaveOrOpenBlob fail. The downloaded file is assigned the name bmw.iso (SHA256: 79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f), matching the theme seen thus far.
    Once downloaded, execution is reliant on the user clicking the downloaded file, which mounts the disk image to the system and opens up Windows File Explorer. This reveals nine total files masquerading as images, which are instead LNK shortcut files (shown in the execution flow diagram in Figure 3).
    A hidden folder named $Recycle.Bin is created alongside the LNK files. This folder contains the real PNG images as well as three DLLs, an encrypted payload and a legitimate copy of Microsoft Word named windoc.exe.
    If one of the LNK files is clicked, the following command line is executed. Note that the image name is changed depending on the LNK file clicked:

    While windoc.exe is not malicious, it does attempt to load several DLLs at runtime and falls victim to DLL hijacking. As a result, it will load two of the three DLLs within its current directory, namely APPVISVSUBSYSTEMS64.dll (SHA256: 38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534) and MSVCP140.dll (SHA256: 706112ab72c5d770d89736012d48a78e1f7c643977874396c30908fa36f2fed7). The third DLL (Mso20Win32Client.dll) does not appear to be essential to the malware’s functioning and is added so that windoc.exe runs correctly, similarly to the DLL described below.
    MSVCP140 is not digitally signed, but does not contain any malicious functionality. It appears to only contain a select few exports from a legitimate copy of MSVCP140. It’s likely that this was included to execute windoc.exe on systems that did not have Microsoft Visual C++ Redistributables – at least enough so that it would load APPVISVSUBSYSTEMS64.
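Both campaigns rely on the same sideloading pattern: a renamed, legitimate Word binary is carried inside the lure and loads an unsigned APPVISVSUBSYSTEMS64.dll (and here MSVCP140.dll) from its own directory instead of from the Office install path. The following Python script is an added example, not code from the Unit 42 write-up or from either campaign, showing how that pattern can be triaged from image-load telemetry. The records are constructed inline with a simplified set of Sysmon-style fields (Image, ImageLoaded, Signed, plus the process's OriginalFileName as it would appear on its process-creation event); the field names, the trusted-directory list and all paths are the example's own assumptions.

```python
import ntpath

# OriginalFileName values of Office binaries worth watching for relocation/renaming
# (assumption: extend with the Office executables present in your estate).
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Directories from which an Office binary is expected to load its DLLs
# (assumption: default install locations only).
TRUSTED_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison, independent of the host OS."""
    return ntpath.normpath(path).lower()


def _trusted(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in TRUSTED_DIRS)


def classify_image_load(event: dict) -> list[str]:
    """Reasons an image-load event looks like Office-binary sideloading (empty if benign)."""
    reasons: list[str] = []
    original = event["ProcessOriginalFileName"].lower()
    if original not in OFFICE_BINARIES:
        return reasons
    proc = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    if ntpath.basename(proc) != original:
        reasons.append(f"Office binary renamed to {ntpath.basename(event['Image'])!r}")
    if not _trusted(proc):
        reasons.append("Office binary running outside its install directory")
    # The hijack itself: a DLL resolved from the binary's own directory rather than
    # from the Office or system directories.
    if ntpath.dirname(dll) == ntpath.dirname(proc) and not _trusted(dll):
        reasons.append("DLL loaded from the binary's own, untrusted directory")
        if str(event["Signed"]).lower() != "true":
            reasons.append("that DLL is unsigned")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed, simplified image-load records; every path here is hypothetical.
SAMPLE_EVENTS = [
    {   # benign: Word loads its own DLL from the install directory
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ProcessOriginalFileName": "WinWord.exe",
        "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll",
        "Signed": "true",
    },
    {   # BMW-style: renamed Word in a hidden folder on a mounted image sideloads an unsigned DLL
        "Image": r"E:\$Recycle.Bin\windoc.exe",
        "ProcessOriginalFileName": "WinWord.exe",
        "ImageLoaded": r"E:\$Recycle.Bin\APPVISVSUBSYSTEMS64.dll",
        "Signed": "false",
    },
    {   # same process loading a system DLL: still noteworthy because of where Word runs from
        "Image": r"E:\$Recycle.Bin\windoc.exe",
        "ProcessOriginalFileName": "WinWord.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true",
    },
    {   # Turkey-style: whitespace-padded name inside an extracted archive
        "Image": r"C:\Users\analyst\Downloads\e-yazi\e-yazi.docx      .exe",
        "ProcessOriginalFileName": "WinWord.exe",
        "ImageLoaded": r"C:\Users\analyst\Downloads\e-yazi\APPVISVSUBSYSTEMS64.dll",
        "Signed": "false",
    },
    {   # unrelated process: ignored by this rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "ProcessOriginalFileName": "NOTEPAD.EXE",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for loaded, why in scan(SAMPLE_EVENTS):
        print(f"{loaded}\n    " + "\n    ".join(why))
```

The rule keys on the process's OriginalFileName rather than on its on-disk name precisely because the actor renames the binary; the on-disk name mismatch is then one more signal rather than the thing the rule depends on.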
    APPVISVSUBSYSTEMS64, on the other hand, is a fairly obfuscated DLL. It leverages a large number of unnecessary assembly instructions, including the following, likely hindering decompilation efforts and slowing down analysis:
    Psllq
    Emms
    Pcmpeqd
    Punpckhbw
    APPVISVSUBSYSTEMS64 contains a number of anti-analysis techniques, including the following:
    Making sure its process name is set to windoc.exe
    Checking that the system has more than one processor
    Leveraging NtQueryObject to search for any existing Debug Objects, to check for the existence of a debugger
    If these checks are all passed, the sample will proceed to open the encrypted payload file found within the ISO file, in this case named ojg2.px (SHA256: c62199ef9c2736d15255f5deaa663158a7bb3615ba9262eb67e3f4adada14111). Once read into memory, it will decrypt the file using an XOR operation, which results in a secondary shellcode layer.
    The shellcode is then injected into the first two active Windows processes that it can inject into, such as taskhost.exe or sihost.exe, using a technique that is somewhat similar to one previously used by Cloaked Ursa (as recently described by the Military Counterintelligence Service and CERT.PL).
    First, the shellcode is mapped and copied into the remote process using NtMapViewOfSection before a new remote thread is created in a suspended state using NtCreateThreadEx. The interesting aspect of this injection technique is that instead of the created thread pointing to the shellcode entry point or any Windows API, it is given a start address of a function within the APPVISVSUBSYSTEMS64 process. It’s possible that the authors did this to evade monitoring tools from identifying a newly created thread pointing to malicious shellcode.
    Before the thread is resumed with NtResumeThread, APPVISVSUBSYSTEMS64 will use NtGetContextThread and NtSetContextThread to modify the RCX register (which will contain the thread entry) to point to the entry point of the shellcode.
    Figure 5. Creation of thread pointing to a local function (resolves API) and modification of thread context.
    This results in the resumed thread calling RtlUserThreadStart, which will move the value in the RCX register to R9 before calling it, thus triggering the shellcode.
    The goal of the shellcode is to extract the final executable file payload in memory and transfer execution to it. This payload is the final sample in the infection chain and is responsible for handling communication to and from the command and control (C2) server.
    The final payload contains a large array of obfuscation techniques, including string encryption and junk functions, as well as modifying exception handling structures to place “try and except” clauses part way through assembly instructions. This effectively breaks the instructions when disassembling, as many disassemblers will take these structure values into consideration when parsing a binary file. This results in a mangled control flow graph and failed decompilation due to the modifications in the exception handling structures.
    For communication, the payload uses both the Microsoft Graph and Dropbox API. Cloaked Ursa has previously leveraged Dropbox as a C2 server. However, Cloaked Ursa’s use of Microsoft Graph API to facilitate C2 communications appears to be a relatively new addition to their toolkit.
    In addition to the string encrypted tokens and API keys required to communicate with these platforms, there is another string that stands out (shown in Figure 6), used when communicating with the Microsoft Graph API: Teams_test.
    Figure 6. String decryption functions used to decrypt core Dropbox and Microsoft Graph API information.
    Given that the Graph API allows for interacting with a number of different Microsoft 365 Services including Microsoft Teams, it’s possible that this was an initial test for communicating via Teams or the Graph API.
    If communication fails via the Graph API several times, communication via Dropbox is attempted. Several decrypted strings in the binary provide insight into the use of Dropbox for communication:

    Previously, Cloaked Ursa-linked payloads that communicate with Dropbox had wrapped communications in a packet that resembled an MP3 file. The MP3 magic bytes (ID3\x04\x00\x00\x00\x00\x00#TSSE) were prepended to the encrypted data and uploaded to Dropbox as an MP3 file.
    In this sample, it appears that they have opted to use BMP files. The threat actor-owned C2 will upload commands to Dropbox that are wrapped in the BMP format. These commands are retrieved by the payload and then parsed, decrypted and executed. Any data that the payload uploads to Dropbox will also be encrypted and wrapped in the BMP format.
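A BMP wrapper of this kind is easy to recognise once you compare what the headers claim with how many bytes actually follow them: a genuine uncompressed bitmap ends exactly where its width, height and bit depth say it should, whereas a wrapper carries an encrypted blob after the pixel data. The script below is an added example (not code from the Unit 42 write-up) that parses the BMP file header and BITMAPINFOHEADER, computes how much pixel data the declared geometry accounts for, and reports any trailing bytes together with their entropy; it also recognises the earlier MP3-style prefix quoted above. The cover image and the pseudo-random "payload" trailer are constructed inline and stand in for real retrieved files; the entropy threshold is the example's own assumption.

```python
import math
import random
import struct

BMP_FILE_HEADER = struct.Struct("<2sIHHI")        # "BM", file size, reserved x2, pixel offset
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # 40-byte DIB header
# Prefix of the earlier MP3-style wrapper, as quoted in the text.
MP3_WRAPPER_PREFIX = b"ID3\x04\x00\x00\x00\x00\x00#TSSE"
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_bmp(data: bytes) -> dict:
    """Compare what the BMP headers claim with what the bytes actually contain."""
    result = {"is_bmp": False, "problems": [], "trailer_bytes": 0, "trailer_entropy": 0.0}
    if len(data) < BMP_FILE_HEADER.size + BITMAPINFOHEADER.size or data[:2] != b"BM":
        return result
    result["is_bmp"] = True
    _, declared_size, _, _, pixel_off = BMP_FILE_HEADER.unpack_from(data, 0)
    (_, width, height, _, bpp, compression, image_size,
     _, _, _, _) = BITMAPINFOHEADER.unpack_from(data, BMP_FILE_HEADER.size)
    if compression == 0:  # BI_RGB: each row is padded to a multiple of 4 bytes
        row_bytes = ((bpp * width + 31) // 32) * 4
        pixel_bytes = row_bytes * abs(height)
    else:
        pixel_bytes = image_size
    expected_total = pixel_off + pixel_bytes
    actual = len(data)
    if declared_size != actual:
        result["problems"].append(f"header says {declared_size} bytes, file is {actual}")
    if expected_total != actual:
        result["problems"].append(f"pixel geometry accounts for {expected_total} bytes, file is {actual}")
    trailer = data[expected_total:]
    if trailer:
        result["trailer_bytes"] = len(trailer)
        result["trailer_entropy"] = shannon_entropy(trailer)
        if result["trailer_entropy"] > ENTROPY_THRESHOLD:
            result["problems"].append("high-entropy trailer after the pixel data")
    return result


def classify_blob(data: bytes) -> str:
    """Coarse label for a file pulled from a cloud-storage channel."""
    if data.startswith(MP3_WRAPPER_PREFIX):
        return "mp3_wrapper_prefix"
    r = check_bmp(data)
    if not r["is_bmp"]:
        return "unknown"
    return "bmp_with_trailer" if r["trailer_bytes"] else "bmp_ok"


def make_bmp(width: int, height: int, rgb: bytes) -> bytes:
    """Build a well-formed, uncompressed 24-bit BMP (constructed test image)."""
    row_bytes = ((24 * width + 31) // 32) * 4
    raw = bytearray()
    for y in range(height):
        row = rgb[y * width * 3:(y + 1) * width * 3]
        raw += row + b"\x00" * (row_bytes - len(row))
    pixel_off = BMP_FILE_HEADER.size + BITMAPINFOHEADER.size
    head = BMP_FILE_HEADER.pack(b"BM", pixel_off + len(raw), 0, 0, pixel_off)
    dib = BITMAPINFOHEADER.pack(40, width, height, 1, 24, 0, len(raw), 2835, 2835, 0, 0)
    return head + dib + bytes(raw)


def wrap_in_bmp(payload: bytes) -> bytes:
    """Constructed test input: a 1x1 cover image with an opaque blob appended and the
    file-size field kept consistent, so only the geometry check gives it away."""
    blob = bytearray(make_bmp(1, 1, b"\x00\x00\x00") + payload)
    struct.pack_into("<I", blob, 2, len(blob))
    return bytes(blob)


def sample_payload(n: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted command blob."""
    rng = random.Random(42)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    for label, blob in (("clean", make_bmp(2, 2, bytes([255, 0, 0] * 4))),
                        ("wrapped", wrap_in_bmp(sample_payload()))):
        print(label, classify_blob(blob), check_bmp(blob)["problems"])
```

Because the wrapper in the test input keeps the file-size field honest, the size check alone passes; it is the geometry check (declared pixels versus bytes present) and the entropy of the trailer that expose it, which is why both are worth running on files that a process fetches from Dropbox or the Graph API.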
    In terms of handled commands, the payload accepts five possible requests from the C2 server, as described in the table below.
    Command Value   Command Description
    0               Inject shellcode into explorer.exe or smartscreen.exe
    1               Execute specified command with CMD.exe
    2               Read from local file
    3               Write data to local file
    4               Spawn and inject code into WerFault.exe
    Table 2. Commands handled by sample.
    Based on the lack of additional commands, it’s likely this is merely a loader for a further sample. As of mid-June, the Dropbox and Graph API credentials are no longer valid, preventing access to any information that was uploaded to either platform.
    Technical Analysis of Turkey Campaign
    We identified an additional sample with similar characteristics to other attributed Cloaked Ursa campaigns, which we believe to have been targeting the Turkish Ministry of Foreign Affairs. We did not observe the lure or lures used in this campaign, but we are able to identify the attack chain after the original lure. We assess that the original lure enticed the target to click on hxxps://simplesalsamix[.]com/e-yazi.html. The URL is no longer active, but it originally retrieved an HTML smuggling file named e-yazi.html (SHA256: cd4956e4c1a3f7c8c008c4658bb9eba7169aa874c55c12fc748b0ccfe0f4a59a).
    The downloaded file is assigned the name e-yazi.zip (SHA256: 0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839). This sample contains five files.
    Once again, a legitimate WinWord.exe binary was found within the archive, named e-yazi.docx.exe. However, whitespace was added between the .docx and .exe, resulting in the file appearing as a document file.
    Alongside the WinWord.exe, a file named APPVISVSUBSYSTEMS64.dll (SHA256: 60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37) was present once again, as well as a file named okxi4t.z (SHA256: 03959c22265d0b85f6c94ee15ad878bb4f2956a2b0047733edbd8fdc86defc48). This file is similar to the previously mentioned ojg2.px in that it contains encrypted shellcode.
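The recommendations earlier in the article ask readers to look for hidden files and directories inside archives and to verify that an extension matches what the file claims to be, and the two archives described above show why: a hidden $Recycle.Bin folder sitting beside LNK files that pose as images, and a renamed WinWord.exe whose name pads whitespace between .docx and .exe. The following Python script is an added example (not part of the Unit 42 write-up or any of its tooling) that applies those checks to a ZIP archive. The archive it inspects is constructed inline to mimic the layouts described; the member names, the extension groups other than the browser-opened list quoted from the recommendations, and the reliance on the MS-DOS attribute byte in the ZIP external attributes are the example's own assumptions.

```python
import io
import re
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr when the
# archive was produced on Windows (assumption: the archives of interest follow this).
DOS_HIDDEN = 0x02
DOS_DIRECTORY = 0x10

# BROWSER_EXTS is the list given in the recommendations; the other groups are this
# example's own choices and can be tuned.
BROWSER_EXTS = {".hta", ".htm", ".html", ".mht", ".mhtml", ".svg", ".xht", ".xhtml"}
EXEC_EXTS = {".exe", ".dll", ".lnk", ".scr", ".cmd", ".bat", ".ps1", ".js", ".vbs"}
DOC_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".png", ".jpg", ".jpeg", ".txt"}
SYSTEM_DIR_NAMES = {"$recycle.bin", "system volume information"}

# "name.docx      .exe": whitespace pushed between a document and an executable extension
PADDED_DOUBLE_EXT = re.compile(r"\.(\w+)\s+\.(\w+)$")


def _ext(name: str) -> str:
    """Lower-cased final extension of a name, ignoring padding whitespace."""
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].strip().lower()


def inspect_member(info: zipfile.ZipInfo) -> list[str]:
    """Return the reasons a single archive member looks suspicious (empty if none)."""
    reasons: list[str] = []
    parts = info.filename.rstrip("/").split("/")
    base = parts[-1]

    if info.external_attr & 0xFF & DOS_HIDDEN:
        reasons.append("hidden attribute set")
    if any(p.startswith(".") for p in parts):
        reasons.append("dot-prefixed (Unix hidden) path component")
    if base.lower() in SYSTEM_DIR_NAMES:
        reasons.append("named like a Windows system folder")

    m = PADDED_DOUBLE_EXT.search(base)
    if m:
        reasons.append(f"whitespace-padded double extension .{m.group(1)} / .{m.group(2)}")

    ext = _ext(base)
    if ext in EXEC_EXTS:
        reasons.append(f"executable or shortcut member ({ext})")
        inner = _ext(base[: -len(ext)])  # e.g. photo1.png.lnk -> .png
        if inner in DOC_EXTS:
            reasons.append(f"masquerades as a {inner} file")
    elif ext in BROWSER_EXTS:
        reasons.append(f"browser-opened attachment type ({ext})")
    return reasons


def inspect_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_member(info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive modelled on the layouts described in the text; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here")
        zf.writestr("photo1.png.lnk", b"L\x00\x00\x00")            # shortcut posing as an image
        hidden = zipfile.ZipInfo("$Recycle.Bin/")
        hidden.external_attr = DOS_HIDDEN | DOS_DIRECTORY          # hidden folder, as in the ISO
        zf.writestr(hidden, b"")
        zf.writestr("$Recycle.Bin/photo1.png", b"\x89PNG\r\n\x1a\n")  # the real image
        zf.writestr("e-yazi.docx      .exe", b"MZ")                # renamed executable
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_archive(build_sample_archive()).items():
        print(f"{name!r}: {'; '.join(why)}")
```

The ISO used in the BMW campaign would need a different parser (pycdlib or a mount), but the checks themselves carry over unchanged: hidden attribute, system-folder name, executable extension hiding behind a document-looking one.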
    On execution of WinWord.exe, APPVISVSUBSYSTEMS64.dll is sideloaded and (assuming the standard anti-analysis checks were passed) it would open and read the data from okxi4t.z before decrypting it and injecting it into the first running process it can.
    The injected shellcode shares a number of similarities with code seen in the BMW-related sample, such as the following:
    General execution flow
    Functionality to unhook numerous Windows API calls
    Its obfuscation techniques
    We were also able to confirm that the shellcode contained overlaps with the fourth-stage shellcode dropper loader, shown in Figure 7, as described in the Cloaked Ursa QUARTERRIG malware report by Military Counterintelligence Service and CERT.PL. The same algorithm and payload structure can be seen within the injected shellcode, as shown in Figure 8, aside from minor differences such as the values of the magic_const and hashed_str.
    Figure 7. CERT.PL shellcode structure image. (Source: Figure 10 of the QUARTERRIG Malware Analysis Report, 2023)
    Figure 8. Extracted shellcode blob.
    The final payload within this infection chain is somewhat similar to the BMW-linked final payload, in that it leverages both Microsoft Graph API and the Dropbox API for C2 communication. Instead of Teams_test being the project name, it’s set to mytestworkapp1. The hard-coded API tokens are also different from the initially analyzed sample.
    Similar obfuscation was employed within this sample, including string encryption and control flow obfuscation via abusing the exception handling structures. However, there are no junk functions added to the sample, resulting in a much smaller file size of 498 KB.
    It’s worth noting that the string encryption algorithms appear to line up with those seen within the Cloaked Ursa SNOWYAMBER and QUARTERRIG malware reports by the Military Counterintelligence Service and CERT.PL. Many of the string decryption functions leverage inline assembly keys (as seen in Figure 9), while the rest retrieve keys from the .rdata directory.
    Figure 9. First (left) and second (right) string decryption function types.
    It’s clear that Cloaked Ursa remains dedicated to identifying legitimate platforms to host their C2 servers, based on their usage of the Microsoft Graph API within these two samples, as well as past reports describing C2 communication via Notion and Google Drive.
    Source : https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

    Updates this Month
    This release consists of the following 130 CVEs and 2 Advisories:
    Tag | CVE | Base Score | CVSS Vector | Exploitability | FAQs? | Workarounds? | Mitigations?
    Windows Certificates | ADV230001 | | | Exploitation Detected | No | No | No
    Windows EFI Partition | ADV230002 | | | Exploitation Less Likely | No | No | No
    Windows Netlogon | CVE-2023-21526 | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C | Exploitation More Likely | Yes | No | No
    Microsoft Graphics Component | CVE-2023-21756 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Admin Center | CVE-2023-29347 | 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Cluster Server | CVE-2023-32033 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-32034 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-32035 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Layer 2 Tunneling Protocol | CVE-2023-32037 | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows ODBC Driver | CVE-2023-32038 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | Yes
    Microsoft Printer Drivers | CVE-2023-32039 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Printer Drivers | CVE-2023-32040 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Update Orchestrator Service | CVE-2023-32041 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows OLE | CVE-2023-32042 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Desktop | CVE-2023-32043 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Message Queuing | CVE-2023-32044 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Message Queuing | CVE-2023-32045 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows MSHTML Platform | CVE-2023-32046 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Detected | Yes | No | No
    Paint 3D | CVE-2023-32047 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Unlikely | Yes | No | No
    Windows SmartScreen | CVE-2023-32049 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C | Exploitation Detected | Yes | No | No
    Windows Installer | CVE-2023-32050 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Windows Codecs Library | CVE-2023-32051 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Power Apps | CVE-2023-32052 | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Installer | CVE-2023-32053 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Volume Shadow Copy | CVE-2023-32054 | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Active Template Library | CVE-2023-32055 | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Server Update Service | CVE-2023-32056 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Message Queuing | CVE-2023-32057 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | Yes
    Windows Failover Cluster | CVE-2023-32083 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows HTTP.sys | CVE-2023-32084 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Microsoft Printer Drivers | CVE-2023-32085 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    .NET and Visual Studio | CVE-2023-33127 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office SharePoint | CVE-2023-33134 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation More Likely | Yes | No | No
    Microsoft Office | CVE-2023-33148 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Graphics Component | CVE-2023-33149 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office | CVE-2023-33150 | 9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Outlook | CVE-2023-33151 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Access | CVE-2023-33152 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Outlook | CVE-2023-33153 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Partition Management Driver | CVE-2023-33154 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Cloud Files Mini Filter Driver | CVE-2023-33155 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Defender | CVE-2023-33156 | 6.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office SharePoint | CVE-2023-33157 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation More Likely | Yes | No | No
    Microsoft Office Excel | CVE-2023-33158 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office SharePoint | CVE-2023-33159 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office SharePoint | CVE-2023-33160 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Excel | CVE-2023-33161 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Excel | CVE-2023-33162 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Network Load Balancing | CVE-2023-33163 | 7.5 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-33164 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Microsoft Office SharePoint | CVE-2023-33165 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-33166 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-33167 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-33168 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-33169 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    ASP.NET and .NET | CVE-2023-33170 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Dynamics | CVE-2023-33171 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-33172 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-33173 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Cryptographic Services | CVE-2023-33174 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Printer Drivers | CVE-2023-35296 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows PGM | CVE-2023-35297 | 7.5 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows HTTP.sys | CVE-2023-35298 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Common Log File System Driver | CVE-2023-35299 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-35300 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Printer Drivers | CVE-2023-35302 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | Yes | No
    Microsoft Windows Codecs Library | CVE-2023-35303 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35304 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35305 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Printer Drivers | CVE-2023-35306 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows MSHTML Platform | CVE-2023-35308 | 4.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Message Queuing | CVE-2023-35309 | 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Role: DNS Server | CVE-2023-35310 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Office Outlook | CVE-2023-35311 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C | Exploitation Detected | Yes | No | No
    Windows VOLSNAP.SYS | CVE-2023-35312 | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation More Likely | Yes | No | No
    Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35313 | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-35314 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Layer-2 Bridge Network Driver | CVE-2023-35315 | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-35316 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Server Update Service | CVE-2023-35317 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Procedure Call | CVE-2023-35318 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Remote Procedure Call | CVE-2023-35319 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Connected User Experiences and Telemetry | CVE-2023-35320 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Deployment Services | CVE-2023-35321 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Deployment Services | CVE-2023-35322 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35323 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Printer Drivers | CVE-2023-35324 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Print Spooler Components | CVE-2023-35325 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows CDP User Components | CVE-2023-35326 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Transaction Manager | CVE-2023-35328 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Authentication Methods | CVE-2023-35329 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows SPNEGO Extended Negotiation | CVE-2023-35330 | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows Local Security Authority (LSA) | CVE-2023-35331 | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Desktop | CVE-2023-35332 | 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Media-Wiki Extensions | CVE-2023-35333 | 7.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Microsoft Dynamics | CVE-2023-35335 | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows MSHTML Platform | CVE-2023-35336 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Win32K | CVE-2023-35337 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Peer Name Resolution Protocol | CVE-2023-35338 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows CryptoAPI | CVE-2023-35339 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | No | No | No
    Windows CNG Key Isolation Service | CVE-2023-35340 | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Media | CVE-2023-35341 | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Image Acquisition | CVE-2023-35342 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Geolocation Service | CVE-2023-35343 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Role: DNS Server | CVE-2023-35344 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Role: DNS Server | CVE-2023-35345 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Role: DNS Server | CVE-2023-35346 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows App Store | CVE-2023-35347 | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Azure Active Directory | CVE-2023-35348 | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Active Directory Certificate Services | CVE-2023-35350 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Active Directory Certificate Services | CVE-2023-35351 | 6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Remote Desktop | CVE-2023-35352 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C | Exploitation More Likely | Yes | No | No
    Windows Connected User Experiences and Telemetry | CVE-2023-35353 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35356 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35357 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35358 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows NT OS Kernel | CVE-2023-35360 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows NT OS Kernel | CVE-2023-35361 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Clip Service | CVE-2023-35362 | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Kernel | CVE-2023-35363 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows NT OS Kernel | CVE-2023-35364 | 8.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Routing and Remote Access Service (RRAS) | CVE-2023-35365 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | Yes
    Windows Routing and Remote Access Service (RRAS) | CVE-2023-35366 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | Yes
    Windows Routing and Remote Access Service (RRAS) | CVE-2023-35367 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | Yes
    Mono Authenticode | CVE-2023-35373 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Paint 3D | CVE-2023-35374 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Visual Studio Code | CVE-2023-36867 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Service Fabric | CVE-2023-36868 | 6.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Azure Active Directory | CVE-2023-36871 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C | | Yes | No | No
    Microsoft Windows Codecs Library | CVE-2023-36872 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C | Exploitation Less Likely | Yes | No | No
    Windows Error Reporting | CVE-2023-36874 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C | Exploitation Detected | Yes | No | No
    Microsoft Office | CVE-2023-36884 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C | Exploitation Detected | No | No | Yes

    July 11, 2023—KB5028171 (OS Build 20348.1850)
    Applies to: Windows Server 2022
    Release Date: 7/11/2023
    Version: OS Build 20348.1850
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page.     
    Note: Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
    Improvements
    This security update includes quality improvements. When you install this KB:
    New! This update improves several simplified Chinese fonts and the Microsoft Pinyin Input Method Editor (IME). They now support GB18030-2022. Characters in the Standard Chinese Characters List (GB18030-2022 implementation level 2) are available in Microsoft Yahei (regular, light, and bold), Dengxian (optional font: regular, light, and bold), and Simsun. The Simsun Ext-B font (GB18030-2022 implementation level 3) now supports Unicode CJK Unified Ideographs Extensions E and F.
    New!  This update removes Simplified Chinese handwriting recognition from Windows Server 2022. This is because conformant handwriting recognition is not available for Windows Server. Updated media will have this change. To update existing images, use the DISM tool to remove the Simplified Chinese Handwriting capability.
    This update addresses an issue that affects console applications. They fail when you set the system locale to Japanese.
    This update addresses an issue that affects the Notepad combo box in Settings. It fails to show all the available options.
    This update addresses a race condition. It occurs when codepages load during early startup. This might cause a 0x7e stop error.
    This update addresses an issue that affects Microsoft Edge IE mode. The text on the status bar is not always visible.
    This update addresses an issue that affects the Microsoft HTML Application Host (HTA). This issue blocks code execution that uses Microsoft HTA. This occurs when you turn on Windows Defender Application Control (WDAC) User Mode Code Integrity (UMCI) enforced mode.
    The update addresses a random issue that affects svchost.exe. There is significant memory growth in a system. This occurs when svchost.exe contains the User Access Logging Service (UALSVC).
    This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
    This update addresses an issue that affects dot sourcing. It fails for files that contain a class definition in Windows PowerShell.
    This update addresses an issue that affects .msi files. A minor update is not installed. This occurs when you use the EnterpriseDesktopAppManagement configuration service provider (CSP) to distribute the .msi file.
    This update addresses an issue that affects msftconnecttext.net. It gets excessive HTTP traffic.
    This update addresses an issue that affects the Spooler service. It stops working. This issue occurs when you print using a certain workspace.
    The update addresses an intermittent issue that affects an audio stream. The issue disrupts the stream.
    This update addresses an issue that affects NCryptGetProperty(). When you call it with NCRYPT_KEY_TYPE_PROPERTY, the system returns 0x1 instead of 0x20. This occurs when the key is a machine key.
    This update addresses an issue that affects the tib.sys driver. It does not load. This occurs when Hypervisor-protected Code Integrity (HVCI) is enabled.
    This update addresses an issue that affects HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. You can now set and maintain the correct default permissions for this directory path. When the permissions are wrong, the Start menu, search, and Azure Active Directory (Azure AD) authentication fail.
    This update addresses an issue that affects Active Directory Users & Computers. It stops responding. This occurs when you use TaskPad view to enable or disable many objects at the same time.
    This update addresses an issue that affects File Explorer. It might stop responding indefinitely. This occurs after you try to view the effective access permissions for files in File Explorer.
    This update addresses an issue that affects Live Migration. It might fail in a stretch cluster deployment. This occurs because the Storage Replica fails to retry after it receives a retry error from the Cluster API.
    This update addresses an issue that affects the cluster name object of failover clustering. You cannot repair it on Azure Virtual Machines.
    This update addresses an issue that affects Remote Server Administration Tools (RSAT). In the Standard edition, Network Controller Management Tools is missing from the RSAT dialog.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the Security Update Guide and the July 2023 Security Updates.
    Windows Server 2022 servicing stack update - 20348.1846
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
    Known issues in this update
    | Symptom | Workaround |
    | --- | --- |
    | After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below. | Please see VMware’s documentation to mitigate this issue. Microsoft and VMware are investigating this issue and will provide more information when it is available. |
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
     
    Install this update
    | Release Channel | Available | Next Step |
    | --- | --- | --- |
    | Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. |
    | Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. |
    | Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
    | Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2; Classification: Security Updates |
    If you want to remove the LCU
    To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by running this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File Information
    For a list of the files that are provided in this update, download the file information for cumulative update 5028171. 
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.1846. 
     

    July 11, 2023—KB5028169 (OS Build 14393.6085)
    Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions
    Release Date: 7/11/2023
    Version: OS Build 14393.6085
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of  Windows 10, version 1607, see its update history page.  
    Highlights
    This update addresses an issue that affects Microsoft Edge IE mode. The text on the status bar is not always visible.
    This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.
    The update addresses an issue that affects a site that is in Microsoft Edge IE mode. The site does not transition out of IE mode when it is expected.
    Improvements
    This security update includes quality improvements. When you install this KB: 
    New! This update improves several simplified Chinese fonts and the Microsoft Pinyin Input Method Editor (IME). They now support GB18030-2022. Characters in the Standard Chinese Characters List (GB18030-2022 implementation level 2) are available in Microsoft Yahei (regular, light, and bold), Dengxian (optional font: regular, light, and bold), and Simsun. The Simsun Ext-B font (GB18030-2022 implementation level 3) now supports Unicode CJK Unified Ideographs Extensions E and F.
    This update affects the Desktop Window Manager (DWM). It improves its reliability.
    This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the July 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5023788) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
    | Release Channel | Available | Next Step |
    | --- | --- | --- |
    | Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. |
    | Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. |
    | Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
    | Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates |
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5028169.
     

    July 11, 2023—KB5028168 (OS Build 17763.4645)
    Applies to: Win 10 Ent LTSC v2019; Win 10 IoT Ent LTSC v2019; Windows 10 IoT Core 2019 LTSC; Windows Server 2019
    Release Date: 7/11/2023
    Version: OS Build 17763.4645
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. 
    Highlights 
    The update addresses an issue that affects a site that is in Microsoft Edge IE mode. The site does not transition out of IE mode when it is expected. 
    This update addresses an issue that affects Microsoft Edge IE mode. The text on the status bar is not always visible.
    The update addresses an intermittent issue that affects an audio stream. The issue disrupts the stream.
    Improvements
    This security update includes improvements. When you install this KB:
    New! This update improves several simplified Chinese fonts and the Microsoft Pinyin Input Method Editor (IME). They now support GB18030-2022. Characters in the Standard Chinese Characters List (GB18030-2022 implementation level 2) are available in Microsoft Yahei (regular, light, and bold), Dengxian (optional font: regular, light, and bold), and Simsun. The Simsun Ext-B font (GB18030-2022 implementation level 3) now supports Unicode CJK Unified Ideographs Extensions E and F.
    New! This update adds many new features and improvements to Microsoft Defender for Endpoint. For more information, see Microsoft Defender for Endpoint.
    This update adds the ability to share cookies between Microsoft Edge IE mode and Microsoft Edge. To learn more, see Cookie sharing between Microsoft Edge and Internet Explorer.
    This update addresses an issue that affects dot sourcing. It fails for files that contain a class definition in Windows PowerShell.
    This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
    This update affects the Desktop Window Manager (DWM). It improves its reliability.
    The update addresses a memory leak in MSCTF.dll. The leak occurs when focus is changed in edit controls.
    This update addresses an issue that affects NCryptGetProperty(). When you call it with NCRYPT_KEY_TYPE_PROPERTY, the system returns 0x1 instead of 0x20. This occurs when the key is a machine key.
    The update addresses a random issue that affects svchost.exe. There is significant memory growth in a system. This occurs when svchost.exe contains the User Access Logging Service (UALSVC).
    The update addresses an issue that affects win32kfull.sys. It dereferences an already freed queue entry. This causes a stop error.
    This update addresses an issue that affects the tib.sys driver. It does not load. This occurs when Hypervisor-protected Code Integrity (HVCI) is enabled.
    This update addresses an issue that affects Active Directory Users & Computers. It stops responding. This occurs when you use TaskPad view to enable or disable many objects at the same time.
    This update addresses an issue that affects MySQL commands. The commands fail on Windows Xenon containers.
    This update addresses an issue that affects the cluster name object of failover clustering. You cannot repair it on Azure Virtual Machines.
    This update addresses a known issue that affects kiosk device profiles. If you have enabled automatic logon, it might not work. After Autopilot completes provisioning, these devices stay on the credential screen. This issue occurs after you install updates dated January 10, 2023, and later.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the July 2023 Security Updates.
    Windows 10 servicing stack update - 17763.4640
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
     
    Known issues in this update
    | Symptom | Workaround |
    | --- | --- |
    | After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found. | This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. For more information about the specific errors, cause, and workaround for this issue, please see KB5003571. |
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
     
    Install this update
    | Release Channel | Available | Next Step |
    | --- | --- | --- |
    | Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update. |
    | Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. |
    | Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
    | Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates |
    If you want to remove the LCU
    To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by running this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5028168.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.4640. 

    Executive Summary
    Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
    | CVE/Product | Description |
    | --- | --- |
    | CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
    | CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
    | CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
    | CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
    | CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
    | CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
    | CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
    | CVE-2022-30023 | Tenda HG9 Router Command Injection Vulnerability |
    | CVE-2022-30525 | Zyxel Command Injection Vulnerability |
    | CVE-2022-31499 | Nortek Linear eMerge Command Injection Vulnerability |
    | CVE-2022-37061 | FLIR AX8 Unauthenticated OS Command Injection Vulnerability |
    | CVE-2022-40005 | Intelbras WiFiber 120 AC inMesh Command Injection Vulnerability |
    | CVE-2022-45699 | APsystems ECU-R Remote Command Execution Vulnerability |
    | CVE-2023-1389 | TP-Link Archer Router Command Injection Vulnerability |
    | CVE-2023-25280 | D-Link DIR820LA1_FW105B03 Command Injection Vulnerability |
    | CVE-2023-27240 | Tenda AX3 Command Injection Vulnerability |
    | CCTV/DVR | CCTV/DVR Remote Code Execution |
    | EnGenius EnShare | EnGenius EnShare Remote Code Execution Vulnerability |
    | MVPower DVR | MVPower DVR Shell Unauthenticated Command Execution Vulnerability |
    | Netgear DGN1000 | Netgear DGN1000 Remote Code Execution Vulnerability |
    | Vacron NVR | Vacron NVR Remote Code Execution Vulnerability |
    | MediaTek WiMAX | MediaTek WiMAX Remote Code Execution |
    The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.
    Palo Alto Networks Next-Generation Firewall customers receive protection through Cloud-Delivered Security Services such as Internet of Things (IoT) Security, Advanced Threat Prevention, WildFire and Advanced URL Filtering, which can help detect and block the exploit traffic and malware.
    Related Unit 42 Topics: IoT, Mirai, botnet
    Campaign Analysis
    On March 14, 2023, Unit 42 researchers observed remote command execution exploit traffic in our internal threat-hunting system, originating from 185.44.81[.]114. The threat actor tried to download a shell script downloader named y from hxxp://zvub[.]us/.
    If executed, the shell script downloader would download and execute the following bot clients, one for each supported Linux architecture:
    hxxp://185.225.74[.]251/armv4l
    hxxp://185.225.74[.]251/armv5l
    hxxp://185.225.74[.]251/armv6l
    hxxp://185.225.74[.]251/armv7l
    hxxp://185.225.74[.]251/mips
    hxxp://185.225.74[.]251/mipsel
    hxxp://185.225.74[.]251/sh4
    hxxp://185.225.74[.]251/x86_64
    hxxp://185.225.74[.]251/i686
    hxxp://185.225.74[.]251/i586
    hxxp://185.225.74[.]251/arc
    hxxp://185.225.74[.]251/m68k
    hxxp://185.225.74[.]251/sparc
    After executing the bot client, the shell script downloader deletes the client executable to cover its tracks.
    Unit 42 researchers analyzed the malware host domain and found two IP addresses that the domain zvub[.]us has resolved to:
    185.44.81[.]114 (from Aug. 15, 2022, to March 24, 2023)
    185.225.74[.]251 (after March 25, 2023)
    A thorough retrospective analysis showed telnet brute force attempts from 185.44.81[.]114 since Oct. 6, 2022, and attempts to exploit multiple vulnerabilities since March 14, 2023.
    Unit 42 researchers also noticed another campaign from source IP 193.32.162[.]189 since April 11, 2023, that delivers the same shell downloader from zvub[.]us, as shown in Figure 1. Based on our analysis, we believe that the same threat actor operated these two campaigns for the following reasons:
    The two campaigns share the same infrastructure.
    The botnet samples are almost identical.
    Figure 1. Vulnerability exploit attempts.
    Figure 2 is a diagram illustrating the campaign overview.
    Figure 2. Campaign overview diagram.
    Malware Analysis
    Based on behavior and patterns Unit 42 researchers observed while analyzing the downloaded botnet client samples, we believe the sample is a variant of the Mirai botnet.
    Upon execution, the botnet client prints "listening tun0" to the console. The malware also contains a function that ensures only one instance of the malware runs on a device: if a botnet process already exists, the client terminates the running process and starts a new one.
    For the botnet client configuration strings, Mirai variants such as IZ1H9 and V3G4 first initialize an encrypted string table and then retrieve each string from it by index. This variant instead reads the encrypted strings directly from the .rodata section by index (as shown in Figure 3).
    Figure 3. Mirai variant retrieving configuration strings.
    Note also that for Mirai variants such as IZ1H9 and V3G4, the configuration contains a string that indicates the branch name of the variant (for example, /bin/busybox IZ1H9), while this variant has no branch name.
    For configuration decryption, this Mirai variant first uses the table key 0xDEADBEEF to derive a single-byte configuration decryption key, 0x22, and then decrypts the encrypted configuration by XORing each byte with that key:
    encrypted_char ^ 0x22 = decrypted_char
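The key derivation and XOR step above, as an added Python example that is not code from the Unit 42 post or from the sample: it folds the 32-bit table key into the single-byte key the way the original Mirai source does, which is an assumption that matches the 0xDEADBEEF to 0x22 relation the post reports, decodes a configuration table constructed for the demo, and shows how an analyst recovers the key by brute force from one known string when the table key is not at hand.

```python
"""Decode Mirai-style XOR-obfuscated configuration strings.

Added example, not code from the Unit 42 post or from the malware sample. It
reproduces the classic Mirai scheme (an assumption that matches the figures in
the post): the 32-bit table key, 0xDEADBEEF here, is folded into one byte by
XORing its four bytes, and every byte of the encrypted configuration is XORed
with that key, i.e. encrypted_char ^ 0x22 = decrypted_char. The ciphertext
table below is constructed for this demo, not carved from a sample.
"""

TABLE_KEY = 0xDEADBEEF  # table key reported for this variant


def derive_single_byte_key(table_key: int) -> int:
    """Fold the 32-bit table key into the one-byte XOR key (0xDEADBEEF -> 0x22)."""
    k1 = table_key & 0xFF
    k2 = (table_key >> 8) & 0xFF
    k3 = (table_key >> 16) & 0xFF
    k4 = (table_key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def decode_config_table(blob: bytes, key: int) -> list:
    """Decrypt a table of encrypted strings separated by (unencrypted) NUL bytes."""
    return [xor_bytes(s, key).decode("ascii", errors="replace")
            for s in blob.split(b"\x00") if s]


def recover_key(blob: bytes, crib: bytes) -> int:
    """Brute-force the single-byte key when the table key is not known.

    One known configuration string (the crib) is enough: there are only 256
    candidates, so try each and keep the one that reveals the crib. Returns -1
    if no candidate produces it.
    """
    for candidate in range(256):
        if crib in xor_bytes(blob, candidate):
            return candidate
    return -1


# Constructed sample table: "listening tun0", "/proc/" and "/bin/busybox",
# each XORed with 0x22 and terminated by a NUL byte.
SAMPLE_CONFIG_BLOB = (
    b"NKQVGLKLE\x02VWL\x12\x00"  # "listening tun0"
    b"\rRPMA\r\x00"              # "/proc/"
    b"\r@KL\r@WQ[@MZ\x00"        # "/bin/busybox"
)


if __name__ == "__main__":
    key = derive_single_byte_key(TABLE_KEY)
    print(f"derived key: 0x{key:02x}")
    for s in decode_config_table(SAMPLE_CONFIG_BLOB, key):
        print(repr(s))
    print(f"recovered key: 0x{recover_key(SAMPLE_CONFIG_BLOB, b'/bin/busybox'):02x}")
```

When the table key cannot be read from the binary, a string every Mirai build carries (the post's own example, /bin/busybox, works) is enough for `recover_key`, since a one-byte XOR leaves only 256 candidates.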
    During the analysis, Unit 42 researchers noticed that this Mirai sample does not contain functionality to brute force telnet/SSH login credentials or to exploit vulnerabilities, which means the only channel for spreading this variant is the botnet operator’s manual vulnerability exploitation attempts.
    Conclusion
    The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored. The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.
    These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats becomes an urgent task.
    To combat this threat, it is highly recommended that patches and updates are applied when possible.
    Palo Alto Networks customers receive protection against vulnerabilities and malware through the following products and services:
    - Next-Generation Firewall with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signatures 30760, 37073, 37752, 54659, 54553, 54537, 54619, 58706, 57437, 55795, 57191, 90873, 92611, 93863, 92626, 92714, 93859, 92579, 93044, 93283, 93587, 93872, 93749, 93874, 93973.
    - Advanced Threat Prevention has an inbuilt machine learning-based security detection that can detect exploit traffic in real time.
    - WildFire can stop the malware with static signature detections.
    - Advanced URL Filtering and DNS Security are able to block the C2 domain malware-hosting URLs.
    - The Palo Alto Networks IoT security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are vulnerable to the aforementioned CVEs. In addition, IoT Security has an inbuilt machine learning-based anomaly detection that can alert the customer if a device exhibits nontypical behavior, such as the following:
      - The sudden appearance of traffic from a new source
      - An unusually high number of connections
      - An inexplicable surge of certain attributes typically appearing in IoT application payloads
    Palo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
    Indicators of Compromise
    Shell Script Downloader Samples
    888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8
    Mirai Samples
    b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c
    b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
    366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6
    413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2
    2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599
    4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0
    461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d
    aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777
    0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915
    eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19
    3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d
    aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089
    4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b
    Infrastructure
    zvub[.]us
    185.225.74[.]251
    185.44.81[.]114
    193.32.162[.]189
    Additional Resources
    - TP-Link WAN-SIDE Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal - Zero Day Initiative
    - Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns - Unit 42, Palo Alto Networks
    - Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall - Unit 42, Palo Alto Networks
    - Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices - Unit 42, Palo Alto Networks
    - Mirai Variant V3G4 Targets IoT Devices - Unit 42, Palo Alto Networks
    Appendix
    Campaign-related vulnerability information is listed below:
    CVE-2019-12725: Zeroshell Remote Command Execution Vulnerability
    This malicious traffic was first detected as a part of the campaign on March 14, 2023. The command execution vulnerability is due to the failure to sanitize the value of x509type in the kerbynet component of Zeroshell.
    Figure 4. CVE-2019-12725 exploit in the wild.
    CVE-2019-17621: D-Link DIR-859 Remote Command Injection Vulnerability
    We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the D-Link wireless router’s /gena.cgi component, which does not successfully sanitize the user input in the service parameter. This leads to arbitrary command execution.
    Figure 5. CVE-2019-17621 exploit in the wild.
    CVE-2019-20500: D-Link DWL-2600AP Remote Command Execution Vulnerability
The exploit was detected on April 11, 2023. It works because the access point's admin.cgi component fails to adequately sanitize user-supplied input, which leads to remote command execution.
    Figure 6. CVE-2019-20500 exploit in the wild.
    CVE-2021-25296: Nagios XI Remote Command Injection Vulnerability
We observed this exploit traffic on April 11, 2023. The exploit targets the /nagiosxi/config/monitoringwizard.php component of Nagios XI. Because the component does not sufficiently validate its input, an attacker can use it to launch a remote command injection attack.
    Figure 7. CVE-2021-25296 exploit in the wild.
    CVE-2021-46422: Telesquare SDT-CW3B1 Router Command Injection Vulnerability
    The malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the cmd parameter in the cgi-bin/admin.cgi interface of the Telesquare router.
    Figure 8. CVE-2021-46422 exploit in the wild.
    CVE-2022-27002: Arris TR3300 Remote Command Injection Vulnerability
    We captured this exploit traffic on April 14, 2023. The exploit targets a command injection vulnerability in the Arris TR3300’s user.cgi component, which does not successfully sanitize the user input in the DDNS_HOST parameter. This leads to a command injection.
    Figure 9. CVE-2022-27002 exploit in the wild.
    CVE-2022-29303: SolarView Compact Command Injection Vulnerability
This exploit was detected on March 15, 2023. It works because the SolarView Compact conf_mail.php component fails to adequately sanitize user-supplied input, which leads to command injection.
    Figure 10. CVE-2022-29303 exploit in the wild.
    CVE-2022-30023: Tenda HG9 Router Command Injection Vulnerability
We observed this exploit traffic on March 14, 2023. The exploit targets the Tenda HG9 router's /boaform/formPing component. Because the component does not sufficiently validate its input, an attacker can use it to achieve remote code execution.
    Figure 11. CVE-2022-30023 exploit in the wild.
    CVE-2022-30525: Zyxel Command Injection Vulnerability
    This malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the mtu parameter in the /cgi-bin/handler interface of Zyxel.
    Figure 12. CVE-2022-30525 exploit in the wild.
    CVE-2022-31499: Nortek Linear eMerge Command Injection Vulnerability
    We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the Nortek Linear eMerge device’s card_scan.php component, which does not successfully sanitize the user input in the ReaderNo parameter. This leads to remote command injection.
    Figure 13. CVE-2022-31499 exploit in the wild.
    CVE-2022-37061: FLIR AX8 Unauthenticated OS Command Injection Vulnerability
    This exploit was detected on May 1, 2023. The exploit works due to the FLIR AX8 device’s res.php component failing to adequately sanitize the user-supplied input data, which leads to OS command injection.
    Figure 14. CVE-2022-37061 exploit in the wild.
    CVE-2022-40005: Intelbras WiFiber 120AC inMesh Command Injection Vulnerability
We observed this exploit traffic on March 15, 2023. The exploit targets the Intelbras WiFiber device's /boaform/formPing6 component. Because the component does not sufficiently validate its input, an attacker can use it to launch a command injection attack.
    Figure 15. CVE-2022-40005 exploit in the wild.
    CVE-2022-45699: APsystems ECU-R Remote Command Execution Vulnerability
This malicious traffic was first detected on April 12, 2023. The remote command execution vulnerability is due to a failure to sanitize the value of the timezone parameter of the /management/set_timezone endpoint.
    Figure 16. CVE-2022-45699 exploit in the wild.
    CVE-2023-1389: TP-Link Archer Router Command Injection Vulnerability
    We captured this exploit traffic on April 12, 2023. The exploit targets a command injection vulnerability in the TP-Link Archer router’s cgi-bin/luci component, which does not successfully sanitize the user input in the country parameter. This leads to arbitrary command execution.
    Figure 17. CVE-2023-1389 exploit in the wild.
CVE-2023-25280: D-Link DIR820LA1_FW105B03 Command Injection Vulnerability
    The exploit was detected on April 11, 2023. The exploit works due to the D-Link device /ping.ccp component failing to adequately sanitize the user-supplied input data, which leads to a command injection vulnerability.
    Figure 18. CVE-2023-25280 exploit in the wild.
    CVE-2023-27240: Tenda AX3 Command Injection Vulnerability
We observed this exploit traffic on April 12, 2023. The exploit targets the Tenda AX3 router's /goform/AdvSetLanip component. Because the component does not sufficiently validate its input, an attacker can use it to launch a remote command injection attack.
    Figure 19. CVE-2023-27240 exploit in the wild.
    CCTV/DVR Remote Code Execution
This exploit traffic was detected on March 14, 2023. The exploit targets a remote code execution vulnerability in the /language component of multiple CCTV/DVR devices. The component does not sanitize the value of the HTTP parameter it receives.
    Figure 20. CCTV/DVR exploit in the wild.
    EnGenius EnShare Remote Code Execution Vulnerability
    We detected this exploit traffic on April 12, 2023. The exploit works due to the /cgi-bin/usbinteract.cgi component of the EnGenius EnShare device failing to sanitize the value of the HTTP parameter path.
Figure 21. EnGenius EnShare exploit in the wild.
    MVPower DVR Shell Unauthenticated Command Execution Vulnerability
    This malicious traffic was captured on April 11, 2023. The exploit works due to the MVPower DVR failing to sanitize user input, which in turn could lead to remote command execution.
    Figure 22. MVPower DVR exploit in the wild.
    Netgear DGN1000 Remote Code Execution Vulnerability
    We captured this exploit traffic on March 14, 2023. The exploit targets the setup.cgi component of Netgear DGN1000. The component does not sanitize the value of the HTTP parameter cmd, which leads to remote code execution.
    Figure 23. Netgear exploit in the wild.
    Vacron NVR Remote Code Execution Vulnerability
We observed this exploit traffic on March 14, 2023. The exploit targets the Vacron NVR device's board.cgi component. Because the component does not sufficiently validate its input, an attacker can use it to launch a remote code execution attack.
    Figure 24. Vacron NVR exploit in the wild.
    MediaTek WiMAX Remote Code Execution
The exploit traffic was first detected as part of the campaign on April 12, 2023. The remote code execution vulnerability is due to the failure to sanitize the value of the SYSLOGD_REMOTE_HOST parameter in the user.cgi interface of a MediaTek WiMAX device.

    Figure 25. MediaTek WiMAX exploit in the wild.
    By Chao Lei, Zhibin Zhang, Yiheng An and Cecilia Hu
    https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
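The appendix names the endpoint, and in most cases the injected parameter, for every exploit this campaign was seen using, and the Infrastructure list gives the hosts the samples talk to. The detector below, added here as an example and not code from the Unit 42 report, turns those two lists into checks a defender can run offline: it parses web-server access logs in common log format (the layout is assumed), flags requests to the exploited endpoints, upgrades the verdict to "injection" when the parameter the appendix names carries shell metacharacters, and matches outbound connection records against the listed C2 hosts. The log lines and connection records are constructed; the shell-metacharacter set is an assumption; the SolarView path is taken as conf_mail.php.

```python
"""Access-log and connection-log checks built from the Unit 42 appendix above.
Added example: signatures are the endpoints/parameters the appendix names; log
lines, connection records and the common-log-format layout are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# (label, URL-path regex matched in full, parameter the appendix names as the injection
#  point, or None where the appendix names only the endpoint)
SIGNATURES = [
    ("CVE-2019-12725 Zeroshell kerbynet", r".*/kerbynet", "x509type"),
    ("CVE-2019-17621 D-Link DIR-859", r"/gena\.cgi", "service"),
    ("CVE-2019-20500 D-Link DWL-2600AP", r"/admin\.cgi", None),
    ("CVE-2021-25296 Nagios XI", r"/nagiosxi/config/monitoringwizard\.php", None),
    ("CVE-2021-46422 Telesquare SDT-CW3B1", r"/cgi-bin/admin\.cgi", "cmd"),
    ("CVE-2022-27002 Arris TR3300", r"/user\.cgi", "DDNS_HOST"),
    ("CVE-2022-29303 SolarView Compact", r"/conf_mail\.php", None),
    ("CVE-2022-30023 Tenda HG9", r"/boaform/formPing", None),
    ("CVE-2022-30525 Zyxel", r"/cgi-bin/handler", "mtu"),
    ("CVE-2022-31499 Nortek Linear eMerge", r"/card_scan\.php", "ReaderNo"),
    ("CVE-2022-37061 FLIR AX8", r"/res\.php", None),
    ("CVE-2022-40005 Intelbras WiFiber", r"/boaform/formPing6", None),
    ("CVE-2022-45699 APsystems ECU-R", r"/management/set_timezone", "timezone"),
    ("CVE-2023-1389 TP-Link Archer", r"/cgi-bin/luci(;.*)?", "country"),
    ("CVE-2023-25280 D-Link DIR-820L", r"/ping\.ccp", None),
    ("CVE-2023-27240 Tenda AX3", r"/goform/AdvSetLanip", None),
    ("CCTV/DVR /language RCE", r"/language(/.*)?", None),
    ("EnGenius EnShare", r"/cgi-bin/usbinteract\.cgi", "path"),
    ("Netgear DGN1000", r"/setup\.cgi", "cmd"),
    ("Vacron NVR", r".*/board\.cgi", None),
    ("MediaTek WiMAX", r"/user\.cgi", "SYSLOGD_REMOTE_HOST"),  # same endpoint as Arris
]

# Shell metacharacters that turn a parameter value into a command (assumed indicator set).
SHELL_META = re.compile(r"[;|`]|\$[({]|&&")

# Common log format (assumed): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_line(line):
    """Return one finding per signature whose endpoint the request touched.
    verdict 'probe': an exploited endpoint was requested; 'injection': the named
    parameter carried shell metacharacters. Request bodies are not logged, so
    endpoint-only signatures (POST targets such as formPing) never rise above 'probe'."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])                              # keeps ';stok=/locale' in the path
    params = parse_qs(url.query, keep_blank_values=True)     # percent-decodes values
    findings = []
    for label, path_re, param in SIGNATURES:
        if not re.fullmatch(path_re, url.path):
            continue
        verdict = "probe"
        if param and any(SHELL_META.search(v) for v in params.get(param, [])):
            verdict = "injection"
        findings.append({"client": m["client"], "label": label,
                         "path": url.path, "verdict": verdict})
    return findings

def scan(log_text):
    return [f for line in log_text.splitlines() for f in scan_line(line)]

# Infrastructure list from the report above, with the [.] defanging removed.
C2_HOSTS = {"zvub.us", "185.225.74.251", "185.44.81.114", "193.32.162.189"}

def outbound_to_c2(connections):
    """connections: iterable of (src, dst_host_or_ip, dst_port); returns those hitting C2."""
    return [c for c in connections if c[1] in C2_HOSTS]

SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2023:10:01:02 +0000] "POST /boaform/formPing HTTP/1.1" 200 312
203.0.113.7 - - [12/Apr/2023:03:14:15 +0000] "GET /cgi-bin/luci;stok=/locale?form=country&operation=write&country=%24%28id%29 HTTP/1.1" 200 10
198.51.100.9 - - [01/May/2023:11:00:00 +0000] "GET /gena.cgi?service=stat HTTP/1.1" 404 0
198.51.100.9 - - [01/May/2023:11:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.55 - - [11/Apr/2023:09:09:09 +0000] "POST /nagiosxi/config/monitoringwizard.php HTTP/1.1" 403 0
"""  # constructed sample lines
SAMPLE_CONNECTIONS = [  # constructed (src, dst, port) records, e.g. from a firewall export
    ("10.0.0.23", "185.225.74.251", 80),
    ("10.0.0.23", "198.51.100.10", 443),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:9} {f['client']:14} {f['label']}  {f['path']}")
    for src, dst, port in outbound_to_c2(SAMPLE_CONNECTIONS):
        print(f"C2 contact  {src} -> {dst}:{port}")
```

A 404 or 403 against one of these paths is still worth recording: the campaign sprays the same exploits at every host, so a probe that failed on one device tells you which others on the same segment to check. Because access logs do not carry POST bodies, the formPing and similar POST-only endpoints need a web-application firewall or full-packet capture to move beyond "probe".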

    SeedTheNet
    FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication
    Summary
A heap-based buffer overflow vulnerability [CWE-122] in the SSL-VPN component of FortiOS and FortiProxy (CVE-2023-27997, Fortinet advisory FG-IR-23-097) may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. The flaw sits in the pre-authentication path, so no VPN credentials are needed to reach it.
     
    Workaround:
    Disable SSL-VPN.
    Affected Products
    At least
    FortiOS-6K7K version 7.0.10
    FortiOS-6K7K version 7.0.5
    FortiOS-6K7K version 6.4.12
    FortiOS-6K7K version 6.4.10
    FortiOS-6K7K version 6.4.8
    FortiOS-6K7K version 6.4.6
    FortiOS-6K7K version 6.4.2
    FortiOS-6K7K version 6.2.9 through 6.2.13
    FortiOS-6K7K version 6.2.6 through 6.2.7
    FortiOS-6K7K version 6.2.4
    FortiOS-6K7K version 6.0.12 through 6.0.16
    FortiOS-6K7K version 6.0.10
    At least
    FortiProxy version 7.2.0 through 7.2.3
    FortiProxy version 7.0.0 through 7.0.9
    FortiProxy version 2.0.0 through 2.0.12
    FortiProxy 1.2 all versions
    FortiProxy 1.1 all versions
    At least
    FortiOS version 7.2.0 through 7.2.4
    FortiOS version 7.0.0 through 7.0.11
    FortiOS version 6.4.0 through 6.4.12
    FortiOS version 6.2.0 through 6.2.13
    FortiOS version 6.0.0 through 6.0.16
    Solutions
    Please upgrade to FortiOS-6K7K version 7.0.12 or above
    Please upgrade to FortiOS-6K7K version 6.4.13 or above
    Please upgrade to FortiOS-6K7K version 6.2.15 or above
    Please upgrade to FortiOS-6K7K version 6.0.17 or above
    Please upgrade to FortiProxy version 7.2.4 or above
    Please upgrade to FortiProxy version 7.0.10 or above
    Please upgrade to FortiOS version 7.4.0 or above
    Please upgrade to FortiOS version 7.2.5 or above
    Please upgrade to FortiOS version 7.0.12 or above
    Please upgrade to FortiOS version 6.4.13 or above
    Please upgrade to FortiOS version 6.2.14 or above
    Please upgrade to FortiOS version 6.0.17 or above
    Acknowledgement
Fortinet is pleased to thank Charles Fol and Dany Bach from LEXFO for bringing this issue to our attention under responsible disclosure.
Timeline
    2023-06-12: Initial publication
    https://www.fortiguard.com/psirt/FG-IR-23-097
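The affected and fixed lists above are long enough that reading a fleet's versions against them by hand is error-prone, and the "At least" qualifier means a version absent from the list is not proven safe. The checker below is an added example, not Fortinet tooling: it transcribes the advisory's ranges per product, parses a version out of a bare string or a "get system status" line (that line's format is an assumption), and reports whether the version falls in a listed range and which release the advisory names as the fix for that branch. FortiProxy 2.0, 1.2 and 1.1 have no fixed release listed, so for those it can only recommend the workaround.

```python
"""Check a FortiOS / FortiOS-6K7K / FortiProxy version against the affected and fixed
releases in the advisory above. Added example, not Fortinet tooling: the ranges are
transcribed from the advisory; the 'get system status' line format is assumed."""
import re

def _r(lo, hi=None):
    """Inclusive (major, minor, patch) range; a single release when hi is omitted."""
    return (lo, hi if hi is not None else lo)

def _branch(major, minor):
    """'All versions' of a branch, e.g. FortiProxy 1.2."""
    return ((major, minor, 0), (major, minor, 10**6))

ADVISORY = {
    "FortiOS": {
        "affected": [_r((7, 2, 0), (7, 2, 4)), _r((7, 0, 0), (7, 0, 11)), _r((6, 4, 0), (6, 4, 12)),
                     _r((6, 2, 0), (6, 2, 13)), _r((6, 0, 0), (6, 0, 16))],
        "fixed": {(7, 2): (7, 2, 5), (7, 0): (7, 0, 12), (6, 4): (6, 4, 13),
                  (6, 2): (6, 2, 14), (6, 0): (6, 0, 17)},
    },
    "FortiOS-6K7K": {
        "affected": [_r((7, 0, 10)), _r((7, 0, 5)), _r((6, 4, 12)), _r((6, 4, 10)), _r((6, 4, 8)),
                     _r((6, 4, 6)), _r((6, 4, 2)), _r((6, 2, 9), (6, 2, 13)), _r((6, 2, 6), (6, 2, 7)),
                     _r((6, 2, 4)), _r((6, 0, 12), (6, 0, 16)), _r((6, 0, 10))],
        "fixed": {(7, 0): (7, 0, 12), (6, 4): (6, 4, 13), (6, 2): (6, 2, 15), (6, 0): (6, 0, 17)},
    },
    "FortiProxy": {
        "affected": [_r((7, 2, 0), (7, 2, 3)), _r((7, 0, 0), (7, 0, 9)), _r((2, 0, 0), (2, 0, 12)),
                     _branch(1, 2), _branch(1, 1)],
        "fixed": {(7, 2): (7, 2, 4), (7, 0): (7, 0, 10)},   # no fixed 2.0/1.2/1.1 release is listed
    },
}

def parse_version(text):
    """Extract x.y.z from a bare version or from a CLI line such as
    'Version: FortiGate-100F v7.0.11,build0489,230314 (GA)' (line format assumed)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(product, version):
    """Return vulnerable flag, fixed release for the branch (or None) and advice text."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    entry = ADVISORY[product]
    vulnerable = any(lo <= v <= hi for lo, hi in entry["affected"])
    fix = entry["fixed"].get(v[:2])
    if not vulnerable:
        advice = "not in a range the advisory lists as affected (the list is marked 'at least')"
    elif fix:
        advice = f"upgrade to {product} {'.'.join(map(str, fix))} or above; disable SSL-VPN until then"
    else:
        advice = "no fixed release listed for this branch: disable SSL-VPN and move to a fixed branch"
    return {"product": product, "version": v, "vulnerable": vulnerable, "fix": fix, "advice": advice}

if __name__ == "__main__":
    for product, line in [("FortiOS", "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)"),
                          ("FortiOS-6K7K", "v7.0.11"), ("FortiProxy", "v1.2.7")]:
        r = assess(product, line)
        print(product, ".".join(map(str, r["version"])),
              "vulnerable" if r["vulnerable"] else "not listed", "-", r["advice"])
```

Note the FortiOS-6K7K case: 7.0.11 is not in the advisory's affected list, so the checker reports it as not listed rather than safe; for that platform the only sound reading of "At least" is to move to 7.0.12 anyway.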

    SeedTheNet
    June 13, 2023—KB5027271 (Monthly Rollup)
Applies to: Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro
Release Date: 6/13/2023
Version: Monthly Rollup
    REMINDER Windows 8.1 reached end of support on January 10, 2023, at which point technical assistance and software updates are no longer provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.
    Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.
    For more information, see Windows 8.1 support will end on January 10, 2023.
    Windows Embedded 8.1 Industry Enterprise and Pro will reach end of support (EOS) on July 10, 2023. For more information, see Windows Embedded 8.1 Industry.
    For Windows Server 2012 R2, the end of support (EOS) date is October 10, 2023. Extended Security Updates (ESUs) will be available for purchase no later than October 2022, but available for installation after the EOS date, October 10, 2023. ESUs will continue for three years, renewable on an annual basis, until the final date on October 13, 2026. For more information, see Windows Server End of Support: Key Dates.
    Upgrade to Windows 10: FAQ Learn more about upgrading Windows Server
    Summary
    Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.
    Note For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article. To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history home page.
    Improvements
    This cumulative security update includes improvements that are part of update KB5026415 (released May 9, 2023). This update also contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
    For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the June 2023 Security Updates.
    Known issues in this update
    We are currently not aware of any issues with this update.
    How to get this update
    Before installing this update
    We strongly recommend that you install the latest servicing stack update (SSU) for your operating system before you install the latest Monthly Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Monthly Rollup and applying Microsoft security fixes. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
    If you use Windows Update, the latest SSU (KB5027574) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.
    Language packs
    If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update.
    Learn about adding a language pack to Windows
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro
    Classification: Security Updates
    File information
    For a list of the files that are provided in this update, download the file information for update KB5027271.
    References
    Learn about the standard terminology that is used to describe Microsoft software updates.
     

    SeedTheNet
    June 13, 2023—KB5027219 (OS Build 14393.5989)
Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions
Release Date: 6/13/2023
Version: OS Build 14393.5989
    11/19/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of  Windows 10, version 1607, see its update history page.  
    Highlights
    This update addresses security issues for your Windows operating system.
    Improvements
    This security update includes quality improvements. When you install this KB: 
    This update addresses an issue that might cause a memory leak. The leak might occur during prolonged Remote Desktop audio redirection.
    This update addresses an issue that affects the Windows Kernel. This issue is related to CVE-2023-32019. To learn more, see KB5028407. 
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the June 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5023788) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business
    Yes
    None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Windows 10
    Classification: Security Updates
     
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5027219.

    SeedTheNet
    June 13, 2023—KB5027222 (OS Build 17763.4499)
Applies to: Windows 10 Enterprise LTSC 2019, Windows 10 IoT Enterprise LTSC 2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019
Release Date: 6/13/2023
Version: OS Build 17763.4499
    11/17/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. 
    Highlights 
This update addresses an issue that affects the touch keyboard, which intermittently fails to open.
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes improvements. When you install this KB:
    This update addresses an issue that affects the Storage Spaces Direct (S2D) cluster. It might not come online. This occurs after a periodic password rollover. The error code is 1326.
    This update addresses an issue that affects the Appx State Repository. When you remove a user profile, the cleanup is incomplete. Because of this, its database grows as time passes. This growth might cause delays when users sign in to multi-user environments like FSLogix.
    This update addresses an issue that affects the Windows Remote Management (WinRM) client. The client returns an HTTP server error status (500). This error occurs when it runs a transfer job in the Storage Migration Service.
    This update addresses an issue that affects signed Windows Defender Application Control (WDAC) policies. They are not applied to the Secure Kernel. This occurs when you enable Secure Boot.
    This update addresses an issue that might affect the Local Security Authority Subsystem Service (LSASS). It might close sporadically. The system logs the exception 0xc0000710 in the Application Error event 1000. Because of this, the domain controller restarts unexpectedly. This issue affects read-only DCs (RODC) that also run Microsoft Defender Advanced Threat Protection (ATP). 
    This update addresses an issue that affects the Windows Kernel. This issue is related to CVE-2023-32019. To learn more, see KB5028407.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the June 2023 Security Updates.
    Windows 10 servicing stack update - 17763.4121
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
Known Issues:

Symptom: After installing KB5001342 or later, the Cluster Service might fail to start because a Cluster Network Driver is not found.
Workaround: This issue occurs because of an update to the PnP class drivers used by this service. After about 20 minutes, you should be able to restart your device and not encounter this issue. For more information about the specific errors, cause, and workaround for this issue, please see KB5003571.

Symptom: After installing updates released January 10, 2023, and later, kiosk device profiles that have auto log on enabled might not sign in automatically. After Autopilot completes provisioning, affected devices will stay on the sign-in screen prompting for credentials.
Workaround: We are working on a resolution and will provide an update in an upcoming release.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
     
    Install this update
    Release Channel
    Available
    Next Step
    Windows Update and Microsoft Update
    Yes
    None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business
    Yes
    None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog
    Yes
    To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS)
    Yes
    This update will automatically sync with WSUS if you configure Products and Classifications as follows:
    Product: Windows 10
    Classification: Security Updates
    If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by running DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5027222.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.4121. 
     
