While vulnerabilities and zero-days are nothing new, the pace at which new ones can trend is sometimes astonishing. The recent Microsoft compromise involving Storm-0558 is the one getting the most coverage and has the largest fallout, especially since it involves a state-sponsored adversary. The timing is also awkward for Microsoft, which recently announced its new SSE solutions, Entra Private Access and Entra Internet Access. Let’s unpack each of these below…

Microsoft Hack: Storm-0558

 

On July 11, 2023, Microsoft disclosed that a China-based threat actor it tracks as Storm-0558 had gained access to email data belonging to roughly 25 organizations, including government agencies in the U.S. and Western Europe, as well as consumer accounts of individuals likely associated with those organizations.

 

The access was obtained with forged authentication tokens. According to Microsoft, the actor had acquired an inactive Microsoft account (MSA) consumer signing key and used it to forge tokens for Outlook Web Access in Exchange Online and for Outlook.com. A consumer signing key should never be accepted for enterprise (Azure AD) tokens, but a token-validation issue in the GetAccessTokenForResource API allowed tokens signed with the MSA key to pass as enterprise tokens. No Windows vulnerability and no compromise of users’ devices was involved: the tokens were minted by the attacker from the acquired key, and the service accepted them because the key was not checked against the key set of the issuer the token claimed.
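The validation mistake is easier to see in code. The following is an added example, not Microsoft’s code or anything from Banyan: HS256 (HMAC) stands in for the RS256 signatures real Azure AD and MSA tokens carry so the block runs on the Python standard library alone, and the issuer URLs, key IDs, audience and key bytes are all made up. `verify_flat` resolves the token’s `kid` against every key the provider owns, so a token signed with the consumer key but claiming the enterprise issuer is accepted; `verify_scoped` only looks up keys belonging to the issuer the resource trusts and checks `iss`, `aud` and `exp` before accepting anything.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: HMAC (HS256) stands in for RS256 so this runs with the
# stdlib only. Issuer URLs, key IDs, audience and key bytes are assumptions.
CONSUMER_ISS = "https://login.live.com/consumer"
ENTERPRISE_ISS = "https://login.microsoftonline.com/enterprise"
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {"msa-key-2016": b"consumer-signing-key"},
    ENTERPRISE_ISS: {"aad-key-2023": b"enterprise-signing-key"},
}
EXCHANGE_AUD = "https://outlook.office365.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a compact JWT. Whoever holds `key` can mint tokens under that `kid`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_valid(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_flat(token: str, expected_aud: str, now=None) -> bool:
    """Flawed validator: resolves `kid` against one pool of every key the provider
    owns, so a consumer-key signature is accepted for an enterprise audience."""
    header, claims, sig, signing_input = _parse(token)
    pool = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = pool.get(header.get("kid"))
    if key is None or not _signature_valid(key, signing_input, sig):
        return False
    now = time.time() if now is None else now
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def verify_scoped(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Hardened validator: the signing key must belong to the issuer this resource
    trusts, and iss/aud/exp must all match before the token is accepted."""
    header, claims, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256":      # never let the token pick the algorithm
        return False
    if claims.get("iss") != expected_iss:
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))  # scoped lookup
    if key is None or not _signature_valid(key, signing_input, sig):
        return False
    if claims.get("aud") != expected_aud:
        return False
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now


def forge_enterprise_token_with_consumer_key(exp: int = 2_000_000_000) -> str:
    """What a holder of the consumer key can do: sign a token that claims the enterprise issuer."""
    claims = {"iss": ENTERPRISE_ISS, "aud": EXCHANGE_AUD, "sub": "victim@example.gov", "exp": exp}
    return sign_token("msa-key-2016", KEYS_BY_ISSUER[CONSUMER_ISS]["msa-key-2016"], claims)


def legitimate_enterprise_token(exp: int = 2_000_000_000) -> str:
    claims = {"iss": ENTERPRISE_ISS, "aud": EXCHANGE_AUD, "sub": "user@example.gov", "exp": exp}
    return sign_token("aad-key-2023", KEYS_BY_ISSUER[ENTERPRISE_ISS]["aad-key-2023"], claims)


if __name__ == "__main__":
    forged, real = forge_enterprise_token_with_consumer_key(), legitimate_enterprise_token()
    print("flat   accepts forged:", verify_flat(forged, EXCHANGE_AUD))
    print("scoped accepts forged:", verify_scoped(forged, ENTERPRISE_ISS, EXCHANGE_AUD))
    print("scoped accepts real:  ", verify_scoped(real, ENTERPRISE_ISS, EXCHANGE_AUD))
```

The point of the scoped lookup is that possession of any one of a provider’s keys should only ever let an attacker impersonate the issuer that key belongs to; rotating and retiring keys (the acquired MSA key was inactive) is necessary but does not substitute for the check.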

 

With tokens the service treated as valid, the actor could read mailbox contents, attachments and folder information through Outlook Web Access for the affected accounts. Microsoft said the group did not appear to have deleted any emails or taken other destructive actions.

 

Microsoft has since invalidated the acquired signing key, blocked tokens issued with it, and corrected the token-validation logic, and reports that the actor’s access has been mitigated. The company is working with affected organizations to help them secure their accounts and has warned other organizations to look for similar activity.

 

The hacking of U.S. government email accounts by Storm-0558 is a reminder that even large organizations with strong security measures in place can be vulnerable to cyberattacks. It is important for all organizations to have a layered security approach that includes both technical and procedural controls.

 

Here are some additional details about Storm-0558:

  • Microsoft assesses that the group is based in China.
  • The group has been active since at least 2019.
  • The group is known for targeting government agencies, particularly diplomatic, economic and legislative bodies, and other organizations in the United States and Europe.
  • Microsoft reports that the group has historically relied on credential harvesting, phishing campaigns and OAuth token attacks, in addition to exploiting software vulnerabilities.

 

Microsoft has said that it is “committed to working with law enforcement to bring those responsible to justice.” The company has also said that it is “taking steps to further strengthen our security posture and protect our customers.”

 

 

Cisco AnyConnect Vulnerability CVE-2023-20178

 

CVE-2023-20178 is a vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.

 

The vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process, which runs with SYSTEM privileges. Because a low-privileged local user can tamper with that directory, an attacker can abuse a specific function of the Windows Installer process to turn the privileged file operation into code execution. A successful exploit allows the attacker to execute code with SYSTEM privileges.

 

Cisco credits Filip Dragovic with reporting the vulnerability and published its security advisory, together with fixed releases, on June 7, 2023. Dragovic published a proof-of-concept exploit later that month, which is what pushed the bug into the headlines.

 

The following versions of Cisco AnyConnect and Cisco Secure Client are affected by this vulnerability:

  • Cisco AnyConnect Secure Mobility Client Software for Windows releases earlier than 4.10.07061 (fixed in 4.10.07061)
  • Cisco Secure Client Software for Windows releases earlier than 5.0.02075 (fixed in 5.0.02075)

 

To mitigate this vulnerability, Cisco recommends updating to a fixed release. There is no workaround; the full security advisory is available on the Cisco website.

 

The following is the chain an attacker could use to exploit this vulnerability, at the level of detail Cisco’s advisory describes:

  • A low-privileged local user connects to a VPN using Cisco AnyConnect or Cisco Secure Client.
  • Once the connection is established, the client update process runs with SYSTEM privileges.
  • That process creates a temporary directory under C:\Windows\Temp with default permissions, so the low-privileged user can manipulate its contents.
  • When the SYSTEM process later operates on that directory, the user can redirect the operation so that SYSTEM deletes or modifies a file or directory of the attacker’s choosing.
  • The attacker abuses a specific function of the Windows Installer process to turn that privileged file operation into code execution.
  • The attacker’s code now runs with SYSTEM privileges.
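The root cause is a general one: a privileged process creating and later deleting a working directory that a less-privileged user can influence. The following is an added example written for this article, not Cisco’s code and not a reproduction of the Windows exploit: it shows the pattern on POSIX (a predictable directory under a shared temp location with inherited permissions) next to a hardened version that creates the directory with an unpredictable name and mode 0700 and refuses to recursively delete anything that is a symlink, is owned by someone else, or is writable by others. The directory names and the `demo()` scenario are constructed.

```python
import os
import shutil
import stat
import tempfile


def risky_workdir(base: str = "/tmp") -> str:
    """The pattern behind CVE-2023-20178 as Cisco describes it: a privileged process
    creates a predictably named directory under a location every local user can write
    to, inheriting that location's default permissions. Constructed POSIX analogue;
    the Cisco client did this under C:\\Windows\\Temp."""
    path = os.path.join(base, "vpn-update")
    os.makedirs(path, exist_ok=True)   # if it already exists, someone else may own it
    return path


def hardened_workdir() -> str:
    """Unpredictable name, created atomically with mode 0700, owned by the caller."""
    return tempfile.mkdtemp(prefix="vpn-update-")


def safe_to_remove(path: str) -> bool:
    """Checks a privileged process must make before recursively deleting a directory
    it believes it created: it is a real directory (not a symlink planted by another
    user), it belongs to us, and nobody else could have written into it."""
    try:
        st = os.lstat(path)            # lstat: never follow a symlink into another tree
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def cleanup(path: str) -> bool:
    """Delete the working directory only if it passes the checks; report whether it did."""
    if not safe_to_remove(path):
        return False
    shutil.rmtree(path)
    return True


def demo() -> dict:
    """Exercise both patterns and return the verdicts (constructed scenario)."""
    results = {}
    good = hardened_workdir()
    results["hardened_mode"] = stat.S_IMODE(os.stat(good).st_mode)      # 0o700
    results["hardened_removable"] = safe_to_remove(good)                # True

    # An unprivileged user pre-creates the predictable path as a symlink pointing at
    # something valuable; a naive rmtree by a privileged process would follow it.
    scratch = tempfile.mkdtemp(prefix="scratch-")
    victim = tempfile.mkdtemp(prefix="victim-")
    planted = os.path.join(scratch, "vpn-update")
    os.symlink(victim, planted)
    results["symlink_removable"] = safe_to_remove(planted)              # False
    results["victim_survives"] = cleanup(planted) is False and os.path.isdir(victim)

    # A directory left group/world-writable by permissive defaults is refused too.
    loose_base = tempfile.mkdtemp(prefix="loose-")
    loose = risky_workdir(loose_base)
    os.chmod(loose, 0o777)
    results["world_writable_removable"] = safe_to_remove(loose)         # False

    # Tidy up the example's own scratch space.
    cleanup(good)
    shutil.rmtree(scratch)
    shutil.rmtree(victim)
    shutil.rmtree(loose_base)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict if name != 'hardened_mode' else oct(verdict)}")
```

On Windows the equivalent hardening is an explicit DACL on the directory (SYSTEM and Administrators only) and a check that the path has not been replaced with a junction or symbolic link before the privileged process deletes it; the fixed Cisco releases address the permissions the update process assigns.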

 

This vulnerability is rated as High severity by Cisco. Users should update to the latest version of the software as soon as possible to mitigate this vulnerability.

 

Fortinet FortiNAC RCE Flaw CVE-2023-33299

 

The Fortinet Remote Code Execution (RCE) flaw in FortiNAC is a critical vulnerability that could allow an unauthenticated attacker to execute arbitrary code or commands on vulnerable devices. The vulnerability is tracked as CVE-2023-33299 (Fortinet advisory FG-IR-23-074) and has a CVSS score of 9.6.

 

The vulnerability is a deserialization of untrusted data flaw (CWE-502) in the service FortiNAC exposes on tcp/1050, not in the web administration interface. An attacker who can reach that port sends specially crafted requests containing malicious serialized data, and the service deserializes them before any authentication takes place. A successful exploit allows the attacker to execute arbitrary code on the FortiNAC appliance, which, as the system that decides which devices are admitted to the network, is a valuable foothold.

 

The vulnerability affects FortiNAC 9.4.0 through 9.4.2, 9.2.0 through 9.2.7, 9.1.0 through 9.1.9 and 7.2.0 through 7.2.1, as well as all releases of the 8.3, 8.5, 8.6, 8.7 and 8.8 branches. Fortinet has released fixes in FortiNAC 9.4.3, 9.2.8, 9.1.10 and 7.2.2; the 8.x branches have no fixed release and must be upgraded to a supported branch. Users are advised to apply the patches as soon as possible to mitigate this vulnerability.

 

The following are the steps an attacker could take to exploit this vulnerability:

  • Identify the IP address of the FortiNAC device and confirm that tcp/1050 is reachable.
  • Craft a request containing malicious serialized data that, when deserialized, executes attacker-chosen code.
  • Send the request to the tcp/1050 service; no credentials are required.
  • If the exploit is successful, the attacker can execute arbitrary code on the FortiNAC device.
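Deserialization of untrusted data is a bug class rather than a FortiNAC quirk, and it is worth seeing why a crafted message executes code before the application ever inspects it. The following is an added example written for this article, not Fortinet’s code and not a model of the real tcp/1050 protocol (which is Java, not Python): it uses Python’s `pickle` as the analogue, a constructed `Gadget` whose `__reduce__` makes the deserializer call a function of the attacker’s choosing, and a harmless `attacker_callback` standing in for `os.system`. The vulnerable handler runs the callback; the hardened handler subclasses `pickle.Unpickler` and allows only the message type the service actually expects. `StatusReport`, the message fields and the payload string are all made up.

```python
import io
import pickle


class StatusReport:
    """A legitimate message type the service expects. Constructed for this example;
    FortiNAC's real tcp/1050 protocol and Java classes are not modelled here."""

    def __init__(self, host: str, status: str):
        self.host = host
        self.status = status


EXECUTED = []   # records what the gadget ran, standing in for a real side effect


def attacker_callback(command: str):
    """Stand-in for a dangerous callable such as os.system or subprocess.call."""
    EXECUTED.append(command)


class Gadget:
    """Attacker-controlled object: loading it calls attacker_callback(command) before
    the application sees any result. Same idea as a Java deserialization gadget chain."""

    def __init__(self, command: str):
        self.command = command

    def __reduce__(self):
        return (attacker_callback, (self.command,))


def serialize(obj) -> bytes:
    return pickle.dumps(obj, protocol=4)


def vulnerable_handle(raw: bytes):
    """Deserialization of untrusted data (CWE-502): whatever the bytes name gets called."""
    return pickle.loads(raw)


class RestrictedUnpickler(pickle.Unpickler):
    """Only classes on an explicit allow-list may be referenced by the stream.
    pickle calls find_class for every global the stream names, so this is the choke point."""

    ALLOWED = {(__name__, "StatusReport"): StatusReport}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}") from None


def hardened_handle(raw: bytes):
    """Returns (message, None) for an allowed message, (None, reason) otherwise."""
    try:
        return RestrictedUnpickler(io.BytesIO(raw)).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


def demo() -> dict:
    """Run both handlers over a legitimate and a malicious message (constructed inputs)."""
    results = {}
    legit = serialize(StatusReport("switch-01", "healthy"))
    malicious = serialize(Gadget("id > /tmp/pwned"))

    EXECUTED.clear()
    msg, err = hardened_handle(legit)
    results["legit_accepted"] = err is None and msg.host == "switch-01"
    msg, err = hardened_handle(malicious)
    results["malicious_rejected"] = msg is None and "attacker_callback" in err
    results["ran_after_hardened"] = list(EXECUTED)        # nothing executed

    vulnerable_handle(malicious)
    results["ran_after_vulnerable"] = list(EXECUTED)      # the gadget's command ran
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allow-list is the transferable lesson: a deserializer that will instantiate any class the byte stream names is an RCE primitive waiting for a gadget, and the fix is to decide up front which types a message may contain and refuse everything else, or to avoid native serialization formats for network input altogether.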

 

The following are some of the risks associated with this vulnerability:

  • An attacker could gain control of the FortiNAC device and use it to launch further attacks on the network.
  • An attacker could steal sensitive data from the FortiNAC device, such as user credentials or network configuration information.
  • An attacker could disrupt the operation of the FortiNAC device, causing network outages or service disruptions.

 

Users are advised to apply the patches for FortiNAC as soon as possible to mitigate this vulnerability. Until a fixed release can be installed, compensating controls can reduce exposure, but they do not remove the flaw.

 

The following compensating controls apply until the patch is in place:

  • Restrict network access to the FortiNAC appliance, and to tcp/1050 in particular, so that only trusted management hosts can reach it; the service must never be exposed to the internet.
  • Confirm with a port scan from an untrusted network segment that tcp/1050 is no longer reachable.
  • Monitor the FortiNAC device for signs of compromise, such as unexpected connections to tcp/1050, new processes or outbound connections from the appliance, and unexplained changes to access policies.

 

These controls will not prevent an attacker who can already reach tcp/1050 from exploiting the vulnerability; they only shrink the set of hosts that can. Users are advised to apply the FortiNAC patches as soon as possible to fully mitigate this vulnerability.


 

Curious how Banyan protects against vulnerabilities? Attend our weekly demo each Tuesday or set up a custom demo today.

 

Ashur Kanoon