Every second Tuesday of the month, Microsoft releases many security fixes to several of its software solutions. This is known as “Patch Tuesday.” This time, several critical vulnerabilities and zero-days have been remediated. A total of five zero-day vulnerabilities, three critical vulnerabilities, and more than 50 other vulnerabilities of varying severity were addressed. This report covers only the most critical and notable vulnerabilities.
A targeted cyber-attack involving the abuse of the ScreenConnect remote access tool has been identified, impacting multiple healthcare organizations in the U.S. Notably, the threat actors exploited local ScreenConnect instances affiliated with Transaction Data Systems (TDS), a comprehensive pharmacy supply chain and management systems provider. The attacks were detected between October 28 and November 8, 2023, with ongoing activity raising concerns. The assailants, identified by Huntress, a managed security research organization, demonstrated advanced tactics, installing additional tools like AnyDesk to maintain persistent access.
A Critical vulnerability has been identified within NetApp products categorized as CVE-2023-45871. This vulnerability was identified was discovered and reported to NVD on 10/19/2023 and was recently reported affecting NetApp products on 11/10/2023. This vulnerability affects Linux kernel versions prior to 6.5.3 and as multiple NetApp products utilize the Linux kernel, they are vulnerable.
A zero-day vulnerability has been identified in SysAid On-Prem Software known as CVE-2023-47246. Not much information is available about this vulnerability in the National Vulnerability Database, but SysAid has provided a blog post explaining the situation. On November 2nd, 2023, a potential vulnerability on their on-premises software was brought to their attention. Through internal and third-party services, they concluded that a zero-day vulnerability existed in the SysAid On-Prem Software. The vulnerability was identified as a path traversal vulnerability leading to code execution which was exploited by a threat actor known as Lace Tempest, identified by the Microsoft Threat Intelligence team.
A vulnerability of critical-severity Chas been identified on several QNAP operating system versions. It is identified as CVE-2023-23368 and has a CVSS score of 9.8. If exploited it can allow users to execute commands via a network according to QNAP.
A critical vulnerability has been identified for the Cisco Firepower Management Center (FMC) Software known as CVE-2023-20048, CVSS score 9.9. It can allow for an authenticated, remote attacker to execute unauthorized configuration commands on a firepower threat defense device managed by this software. To exploit this vulnerability, an attacker would need valid credentials on the FMC software.
On October 15, 2023, healthcare giant Henry Schein fell victim to a cyberattack by the BlackCat (ALPHV) ransomware gang. The attack forced the company to take precautionary measures, resulting in temporary disruptions to its manufacturing and distribution businesses. Henry Schein, a Fortune 500 company with operations in 32 countries and revenue exceeding $12 billion in 2022, promptly notified law enforcement authorities and engaged external cybersecurity experts to investigate a potential data breach. The organization's network was compromised through a cyberattack by the BlackCat (ALPHV) ransomware gang. The specific attack method has not yet been disclosed. Initial signs of the incident were detected on October 14, 2023.
UPDATE: CISA has added this vulnerability (CVE-2023-46747) to their known exploited vulnerabilities list as of 11/2/2023. The vendor has also updated their security bulletin under the "Indicators of compromise" section as they have observed threat actors using this vulnerability in conjunction with CVE-2023-46748 to perform an exploit. Patch now!
Apache Active MQ, a scalable open-source message broker, has a critical vulnerability. It is identified as CVE-2023-46604 a Critical rated vulnerability with a CVSS 3.0 score of 10, the maximum value. According to NVD, it is a remote code execution vulnerability which may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol.