Programmer’s Digest #65
01/04/2024-01/10/2024: Windows Update Patches 48 New Vulnerabilities, CISA Flags 6 Vulnerabilities, Hackers Target Microsoft SQL Servers And More.
1. Microsoft’s January 2024 Windows Update Patches 48 New Vulnerabilities
Microsoft rolled out its Patch Tuesday updates for January 2024, fixing 48 security flaws across its software: two rated Critical and 46 rated Important, none of them publicly known or under active attack at release. This marks the second consecutive Patch Tuesday with no zero-days. Separately, the Chromium-based Edge browser received nine fixes, among them one for CVE-2023-7024, a WebRTC heap buffer overflow in Chromium that was already being exploited in the wild. The two Critical bugs are CVE-2024-20674, a Windows Kerberos security feature bypass, and CVE-2024-20700, a remote code execution flaw in Windows Hyper-V. Exploiting CVE-2024-20674 requires a foothold on the restricted network so the attacker can act as a machine-in-the-middle and impersonate the Kerberos authentication server; CVE-2024-20700 needs no authentication, but the attacker must win a race condition to get code execution. Other notable fixes address a privilege escalation in the Common Log File System (CLFS) driver (CVE-2024-20653) and a security feature bypass in the Microsoft.Data.SqlClient and System.Data.SqlClient libraries (CVE-2024-0056) that would let a machine-in-the-middle decrypt, read or modify TLS traffic between a client and SQL Server.
2. CISA Flags 6 Vulnerabilities – Apple, Apache, Adobe, D-Link, Joomla Under Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog. Among them is CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability in Apache Superset: installations left running with the default Flask SECRET_KEY let an attacker forge session cookies, log in as an administrator and from there reach remote code execution. The issue was fixed in version 2.1.
CISA also highlighted five other flaws:
- CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data
- CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data
- CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution
- CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection
- CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control
Notably, CVE-2023-41990, a FontParser bug that Apple fixed in iOS 15.7.8 and iOS 16.3, was exploited in the Operation Triangulation spyware attacks via a crafted PDF attachment delivered over iMessage. Federal Civilian Executive Branch agencies are required to apply the fixes by January 29, 2024, to counter active threats.
3. Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager
Kyocera’s Device Manager product is susceptible to a disclosed security flaw (CVE-2023-50916) that lets an attacker coerce the server into authenticating to a resource they control, potentially leading to credential theft and NTLM relay attacks. The root cause is a path traversal issue: the backup database location accepts a UNC path, so pointing it at an attacker-controlled SMB server makes the Device Manager host authenticate to it and expose NTLM credential material for capture or relay. The flaw is resolved in Kyocera Device Manager version 3.1.1213.0.
In a related development, QNAP addressed multiple high-severity vulnerabilities:
- CVE-2023-39296: Prototype pollution flaw in QTS and QuTS hero.
- CVE-2023-47559: XSS vulnerability in QuMagie.
- CVE-2023-47560: OS command injection flaw in QuMagie.
- CVE-2023-41287: SQL injection vulnerability in Video Station.
- CVE-2023-41288: OS command injection flaw in Video Station.
- CVE-2022-43634: Unauthenticated remote code execution flaw in Netatalk.
While no evidence of exploitation exists, users are urged to update to the latest versions of affected products to mitigate potential risks.
4. Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution
Ivanti addressed a critical vulnerability in its Endpoint Manager (EPM) solution and, separately, a batch of flaws in Avalanche. CVE-2023-39336 (CVSS score: 9.6) is a SQL injection affecting EPM 2021 and EPM 2022 prior to SU5 that lets an unauthenticated attacker with access to the internal network run arbitrary SQL queries and read the results. Because managed endpoints trust the EPM core server, this can be escalated to control of those machines, and to remote code execution on the core server itself when it runs SQL Express.
In a separate update, Ivanti resolved 21 flaws in Avalanche, 13 of which are critical buffer overflows (CVSS score: 9.8 each), patched in Avalanche 6.4.2. These could lead to denial of service or code execution when an attacker sends specially crafted data packets to the Mobile Device Server.
While no evidence of exploitation exists, it is worth noting that state-backed actors previously exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM) to breach Norwegian government networks. Users should apply the provided updates to mitigate potential risks.
5. Hackers Target Microsoft SQL Servers In Mimic Ransomware Attacks
A financially motivated Turkish threat actor, tracked as RE#TURGENCE, is targeting Microsoft SQL (MSSQL) servers worldwide with Mimic (N3ww4v3) ransomware. The campaign, with victims in the EU, U.S., and Latin America, typically ends either with access to the compromised host being sold or with ransomware being deployed. Initial access comes through insecurely configured, publicly exposed MSSQL servers; once in, the attackers abuse the xp_cmdshell extended stored procedure to run operating-system commands from T-SQL. They then execute heavily obfuscated Cobalt Strike payloads, install AnyDesk for persistent remote desktop access, and harvest credentials with Mimikatz. The Mimic ransomware, delivered over AnyDesk, encrypts files and drops a ransom note. The group’s tactics link it to earlier Phobos ransomware attacks. Securonix, which documented the campaign, had previously exposed a similar MSSQL-focused Mimic campaign (DB#JAMMER) within the past year. Administrators should keep MSSQL off the public internet, enforce strong credentials for the sa login, and leave xp_cmdshell disabled.
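As an added example (not code from the Securonix report or from this digest), the following T-SQL audits and hardens the parts of an MSSQL configuration that the campaign above depends on, and sets up an Extended Events session so that any later use of xp_cmdshell is logged for the SIEM. It assumes it is run by a sysadmin login; the session name and the event file path are placeholders of mine, not from the page.

```sql
-- Added audit/hardening script for the xp_cmdshell abuse described above.
-- Assumption: executed by a sysadmin login on the SQL Server instance.

-- 1. Is xp_cmdshell (and its cousins) currently enabled? value_in_use = 1 means any
--    sysadmin login, including a brute-forced 'sa', can spawn OS commands from T-SQL.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'clr enabled');

-- 2. Turn xp_cmdshell off. 'show advanced options' must be on before sp_configure
--    will accept the xp_cmdshell option; switch it back off afterwards.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Disabling is only a speed bump: every sysadmin member can re-enable it with the
--    same two statements. Enumerate the role and remove anything that is not expected.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')                 -- SQL logins, Windows logins, Windows groups
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1;

-- 4. The built-in 'sa' login (SID 0x01) is the usual brute-force target. It should be
--    disabled, and ideally the instance should accept Windows authentication only
--    (SERVERPROPERTY returns 1 when SQL logins cannot authenticate at all).
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 5. Detection: record every batch or RPC call whose text mentions xp_cmdshell,
--    together with the calling login, host and application, so a re-enable or a
--    shell spawn produces an event. Session name and file path are placeholders.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'audit_xp_cmdshell')
    DROP EVENT SESSION [audit_xp_cmdshell] ON SERVER;
GO
CREATE EVENT SESSION [audit_xp_cmdshell] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%'))
ADD TARGET package0.event_file (SET filename = N'C:\sqlaudit\audit_xp_cmdshell.xel')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [audit_xp_cmdshell] ON SERVER STATE = START;
GO
```

Steps 1 and 2 take a few seconds and undo the single setting the intrusion chain relies on, but they do not help once an attacker already holds a sysadmin login, which is why steps 3 and 4 matter more: an exposed TCP/1433 with an enabled, guessable sa account hands out sysadmin, and sysadmin can re-enable xp_cmdshell at will. The Extended Events session in step 5 is the compensating control for that case; its predicate matches the statement text, so it also catches the EXEC sp_configure 'xp_cmdshell', 1 that precedes the first shell command.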