Intel releases patches for high severity ‘Reptar’ CPU vulnerability

SISA Weekly Threat Watch 27 November, 2023

Last week’s cybersecurity landscape was marked by a diverse array of threats impacting major technology sectors and software systems worldwide. These included five actively exploited zero-day vulnerabilities addressed by Microsoft, an Intel CPU vulnerability, deceptive Google ads leading to malware installations, LockBit attacks exploiting Citrix Bleed, and a North Korean hacker group launching supply chain attacks. These threats emphasize the urgency of immediate updates and robust security measures against evolving cyber risks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft releases patch updates for 5 new zero-days, 58 flaws

For the month of November, Microsoft rolled out patches to resolve 58 security vulnerabilities in its software, and five zero-day vulnerabilities actively exploited in the wild. Among them, three are categorized as Critical, 56 as Important, and four as Moderate in severity. Three critical zero-day vulnerabilities, CVE-2023-36033, CVE-2023-36036, and CVE-2023-36025, pose severe risks within Windows systems. While the first two allow attackers to attain SYSTEM privileges, the latter has the potential to bypass Windows Defender SmartScreen checks.

Notably, the recurrence of Windows SmartScreen-related zero-days has drawn attention, marking the fourth such exploit within two years. Additionally, CVE-2023-36413 enables attackers to bypass Office Protected View, coercing files to open in edit mode, while CVE-2023-36038 concerns HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model. Users are advised to install security updates to mitigate potential threats.

2. A newly identified Intel CPU vulnerability affects multi-tenant virtualized environments

Intel has issued patches to address a high-severity vulnerability named Reptar, which affects its desktop, mobile, and server CPUs. The flaw could enable “escalation of privilege and/or information disclosure and/or denial of service via local access.” Google Cloud has noted that successful exploitation of this vulnerability could allow bypassing the CPU’s security boundaries.

This vulnerability’s impact becomes evident when it is exploited in a multi-tenant virtualized environment. An exploit run from a guest machine can crash the host, resulting in a denial of service for the other guest machines operating on the same host. However, there is no evidence of any active attacks using this vulnerability. To patch the vulnerability, it is recommended to apply the updated microcode that Intel has published for all affected processors.

3. Deceptive Google ads exploit WinSCP users, leading to malware installations

Cybersecurity experts have detected the SEO#LURKER campaign, a scheme exploiting manipulated search results and deceptive Google ads to lure users into unwittingly installing malware under the guise of authentic software like WinSCP. The attack chain begins with the compromised WordPress site gameeweb[.]com, which redirects users to a phishing site through a malicious ad. Utilizing Google’s Dynamic Search Ads (DSAs), the misleading ads drive victims to a fraudulent WinSCP site (winccp[.]net), encouraging them to download malware concealed within a ZIP file (“WinSCP_v.6.1.zip”).

Upon execution, the embedded DLL is side-loaded and launches malicious Python scripts, disguised as a legitimate WinSCP setup, which communicate with a remote server so that commands can be executed on the compromised system. To avoid such threats, users are advised to download files from reputable sources, verify URLs for authenticity, and confirm file integrity through trusted checksums.
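The URL verification advised above can be partly automated. The following is an added example written for this advisory, not code from SISA or from the researchers who documented SEO#LURKER: it normalizes a URL or a defanged host such as winccp[.]net, checks it against an allowlist of trusted download domains (a constructed assumption; each organization maintains its own), and flags hosts that embed or closely resemble a trusted name.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist of vendor download domains (assumption; maintain per organization).
TRUSTED_DOMAINS = {"winscp.net", "putty.org"}
NEAR_MISS = 0.8  # similarity ratio at or above which a non-allowlisted host is flagged


def normalize_host(text: str) -> str:
    """Accept a URL or bare host, including defanged forms (hxxp://, [.]), and return the hostname."""
    text = text.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "http://" + text  # urlsplit needs a scheme to find the host
    return urlsplit(text).hostname or ""


def classify_download_host(text: str) -> dict:
    """Verdict: trusted (allowlisted domain or a subdomain of one), lookalike, or unknown."""
    host = normalize_host(text)
    for good in TRUSTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return {"host": host, "verdict": "trusted", "imitates": None}
    for good in TRUSTED_DOMAINS:
        # Trusted name buried inside another domain (e.g. winscp.net.example)
        if good in host:
            return {"host": host, "verdict": "lookalike", "imitates": good}
        # Typosquat: one or two characters off the trusted name (winccp.net vs winscp.net)
        if SequenceMatcher(None, host, good).ratio() >= NEAR_MISS:
            return {"host": host, "verdict": "lookalike", "imitates": good}
    return {"host": host, "verdict": "unknown", "imitates": None}
```

Feeding the domains quoted in an advisory through this check is a quick way to confirm that a proxy or DNS allowlist would have stopped the redirect.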

4. CISA issues warning on LockBit attacks exploiting Citrix Bleed vulnerability

CISA has issued an advisory update regarding the critical software vulnerability named Citrix Bleed, affecting Citrix NetScaler ADC and NetScaler Gateway, disclosing that LockBit threat actors began exploiting the flaw as early as August, even though the vulnerability had been patched the previous month. Four different threat groups (tracked as UNC clusters), including LockBit, were identified actively exploiting CVE-2023-4966 across industry verticals worldwide.

This exploit allows threat actors to bypass password requirements and multi-factor authentication (MFA) on Citrix appliances, hijacking sessions once they hold valid session cookies. LockBit’s tradecraft includes executing PowerShell scripts, leveraging remote management tools like AnyDesk and Splashtop, and accessing system memory information via crafted HTTP GET requests. To mitigate risks, recommendations include isolating NetScaler appliances, applying patches, implementing application controls, and enforcing strict access controls and monitoring.

5. North Korean hackers distribute trojanized CyberLink software in supply chain attack

Microsoft has reported that a North Korean hacker group infiltrated CyberLink, a Taiwanese multimedia software company, turning one of its installers into a malware distribution vehicle in a supply chain attack. The compromised installer, found on over 100 devices globally, was altered by the Diamond Sleet (also known as ZINC, Labyrinth Chollima, and Lazarus) cyberespionage group, using a valid code signing certificate from CyberLink.

This trojanized software, dubbed LambLoad, selectively targets systems lacking specific security software. It retrieves a second-stage payload from command-and-control servers, concealing it within a fake PNG file. Although no active infiltration was detected, the Lazarus group is notorious for data theft, infiltrating software environments, and persistent access. Recommendations include deploying robust endpoint protection, monitoring certificates, and enhancing supply chain security to prevent similar threats.
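A second-stage payload hidden inside a “fake PNG” can often be spotted structurally: a genuine image is a signature followed by CRC-protected chunks ending in IEND, and a decoder ignores whatever follows. The following is an added example written for this advisory, not code from SISA or Microsoft: it walks the chunk list of a file, verifies each CRC, and reports data appended after IEND or a PNG header bolted onto something that is not an image. The sample inputs are constructed in the test, not real LambLoad artifacts.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as clean sample input (not a real-world artifact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one 8-bit pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; flag bad CRCs, truncation, and any bytes after IEND."""
    findings, chunks, trailing = [], [], 0
    if not data.startswith(PNG_SIG):
        return {"suspicious": True, "chunks": chunks, "trailing_bytes": len(data),
                "findings": ["missing PNG signature"]}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc_raw) < 4:
            findings.append(f"truncated or oversized chunk {name!r}")
            break
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in {name!r}")
        chunks.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            trailing = len(data) - pos  # a decoder stops here; anything after is not image data
            break
    else:
        findings.append("no IEND chunk")
    if chunks and chunks[0] != "IHDR":
        findings.append("first chunk is not IHDR")
    if trailing:
        findings.append(f"{trailing} bytes after IEND")
    return {"suspicious": bool(findings), "chunks": chunks,
            "trailing_bytes": trailing, "findings": findings}
```

Run over files fetched by an installer that is not expected to download images, any result with `suspicious` set is worth pulling for analysis.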

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
