CVE-2023-36884
Published 2023-07-11 · CVE-2023-36884: Windows Search Remote Code Execution Vulnerability
Priority: P1 (90) · Severity: high · CVSS 3.1: 7.5
CVSS vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2023-08-29
Exploited in the wild
EPSS: 99.08% (99.9th percentile)
Affected
41 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1507 | < 10.0.10240.20107 | 10.0.10240.20107 |
| microsoft | windows_10_1607 | < 10.0.14393.6167 | 10.0.14393.6167 |
| microsoft | windows_10_1809 | < 10.0.17763.4737 | 10.0.17763.4737 |
| microsoft | windows_10_21h2 | < 10.0.19044.3324 | 10.0.19044.3324 |
| microsoft | windows_10_22h2 | < 10.0.19044.3324 | 10.0.19044.3324 |
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20107 | 10.0.10240.20107 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6167 | 10.0.14393.6167 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.4737 | 10.0.17763.4737 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.4737 | 10.0.17763.4737 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.3324 | 10.0.19044.3324 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3324 | 10.0.19045.3324 |
| microsoft | windows_11_21h2 | < 10.0.22000.2295 | 10.0.22000.2295 |
| microsoft | windows_11_22h2 | < 10.0.22621.2134 | 10.0.22621.2134 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2295 | 10.0.22000.2295 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.2134 | 10.0.22621.2134 |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26664 | 6.1.7601.26664 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22216 | 6.0.6003.22216 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24414 | 6.2.9200.24414 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.21503 | 6.3.9600.21503 |
| microsoft | windows_server_2016 | < 10.0.14393.6167 | 10.0.14393.6167 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.6167 | 10.0.14393.6167 |
| microsoft | windows_server_2019 | < 10.0.17763.4737 | 10.0.17763.4737 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.4737 | 10.0.17763.4737 |
Detection & IOCs (extracted from sources)
Indicators:
- URL: hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
- Registry: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
Detection guidance:
- Detect child processes spawned by Microsoft Office applications on Windows as a sign of CVE-2023-36884 exploitation.
- The exploit chain uses a .docx file containing an altChunk element referencing an embedded afchunk.rtf (OLE2LINK), which in turn contains two malicious OLE objects: one using objautlink (OLE autolink with objupdate) to reach an SMB URL, and another using the xmlfile class with a URLMoniker to fetch start.xml via HTTP.
- The exploit abuses the Windows Search handler via JavaScript in file001.htm that loads a .search-ms saved-search file via iframes, enabling further stages of the attack chain.
- PEAPOD/ROMCOM falls back to raw TCP on port 442 or ICMP if HTTPS C2 is unreachable; monitor for unusual outbound TCP/442 or ICMP from Office-related processes.
- When the victim's host accesses the SMB URL embedded in the OLE object, it leaks NTLM credentials to the attacker-controlled server; monitor for outbound SMB connections to external IPs originating from Office processes.
Notes:
- Exploitation requires the victim to open the malicious document; no zero-click vector has been confirmed.
- The FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key mitigation must be applied to all relevant Office binaries (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPnt.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) to be effective.
- Successful exploitation of CVE-2023-36884 via this specific lure requires the .docx file NOT to be tagged with Mark-of-the-Web (MotW); if MotW is present, Protected View is enabled and the exploit chain is disrupted.
- The PEAPOD/ROMCOM C2 server enforces TLS 1.2 via WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2, meaning the malware cannot infect systems running Windows 7 or earlier (TLS negotiation fails).
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vulncheck | 7.5 | HIGH | |
| cisa | 7.5 | HIGH | |
| vendor_msrc | 7.5 | HIGH | |
GHSA
GHSA-gwrc-vqcf-v9v4: Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products
ghsa_unreviewed·2023-07-11
CVE-2023-36884 [HIGH] CWE-362 GHSA-gwrc-vqcf-v9v4: Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products
Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Please see the Microsoft
VulnCheck
Microsoft Windows Search Remote Code Execution Vulnerability
vulncheck·2023·CVSS 7.5
CVE-2023-36884 [HIGH] CWE-362 Microsoft Windows Search Remote Code Execution Vulnerability
Microsoft Windows Search Remote Code Execution Vulnerability
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Jul; https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/; https://unit42.paloaltonetworks.com/cve-2023-3688
CISA
Microsoft Windows Search Remote Code Execution Vulnerability
cisa·2023-07-17·CVSS 7.5
CVE-2023-36884 [HIGH] CWE-362 Microsoft Windows Search Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Search Remote Code Execution Vulnerability
Affected: Microsoft Windows
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884; https://nvd.nist.gov/vuln/detail/CVE-2023-36884
Remediation Due Date: 2023-08-29
Microsoft
Windows Search Remote Code Execution Vulnerability
vendor_msrc·2023-07-11·CVSS 7.5
CVE-2023-36884 [HIGH] CWE-362 Windows Search Remote Code Execution Vulnerability
Windows Search Remote Code Execution Vulnerability
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to win a race condition.
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to high loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?
An attacker can plant a malicious file evading Mark of the Web (MOTW) defenses which can result in code execution on the victim system.
FAQ: How could an attacker exploit the vulnerability?
In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed
Suricata
ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1
suricata·2023-07-12·CVSS 7.5
CVE-2023-36884 [HIGH] ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1
ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1
Rule:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1"; flow:established,to_server; flowbits:set,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:"/start.xml"; fast_pattern; endswith; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046810; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag Storm_0978
```
Suricata
ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2
suricata·2023-07-12·CVSS 7.5
CVE-2023-36884 [HIGH] ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2
ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2
Rule:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2"; flow:established,to_server; flowbits:isset,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:".asp?d="; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_[a-f0-9]{5}_/R"; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confide
```
No public exploits indexed.
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
Authors
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Vulnerability landscape in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Bleepingcomputer
Details emerge on WinRAR zero-day attacks that infected PCs with malware
blogs_bleepingcomputer·2025-08-11·CVSS 7.5
CVE-2025-8088 [HIGH] Details emerge on WinRAR zero-day attacks that infected PCs with malware
## Details emerge on WinRAR zero-day attacks that infected PCs with malware
By Bill Toulas
Researchers have released a report detailing how a recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop different malware payloads.
RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history in zero-day exploitation, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).
ESET discovered that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the team behind the popular archiver tool.
"Analysis of the exploit led to the discovery of the vulnerability, now assi
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
Firefox and Windows zero-days exploited by Russian RomCom hackers
blogs_bleepingcomputer·2024-11-26·CVSS 8.8
CVE-2024-9680 [HIGH] Firefox and Windows zero-days exploited by Russian RomCom hackers
## Firefox and Windows zero-days exploited by Russian RomCom hackers
By Sergiu Gatlan
Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.
The first flaw ( CVE-2024-9680 ) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.
The second zero-day exploited in this campaign is a privilege escalation flaw ( CVE-2024-49039 ) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.
RomCom abused the
Bleepingcomputer
Underground ransomware claims attack on Casio, leaks stolen data
blogs_bleepingcomputer·2024-10-10·CVSS 7.5
[HIGH] Underground ransomware claims attack on Casio, leaks stolen data
## Underground ransomware claims attack on Casio, leaks stolen data
By Bill Toulas
The Underground ransomware gang has claimed responsibility for an October 5 attack on Japanese tech giant Casio, which caused system disruptions and impacted some of the firm's services.
Earlier this week, Casio disclosed the attack on its website but withheld details about the incident, saying it had engaged external IT specialists to investigate whether personal data or other confidential information was stolen in the attack.
Today, the Underground ransomware group has added Casio on its dark web extortion portal, leaking troves of data allegedly stolen from the Japanese firm.
The leaked data includes:
Confidential documents (社外秘)
Legal documents
Personal data of employees
Confidential NDAs
Empl
Fortinet
Ransomware Roundup - Underground | FortiGuard Labs
blogs_fortinet·2024-08-30·CVSS 7.5
[HIGH] Ransomware Roundup - Underground | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Ransomware Roundup - Underground
Underground Ransomware Overview
Infection Vector
Attack Method
Victimology and Data Leak Site
Fortinet Protections
IOCs
FortiGuard Labs Guidance
Best Practices Include Not Paying a Ransom
How Fortinet Can Help
By Shunichi Imano, James Slaughter and Fred Gutierrez | August 30, 2024
FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Underground ransomware.
Affected platforms: Microsoft Windows
Impacted parties: M
Securelist
Exploits and vulnerabilities in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Exploits and vulnerabilities in Q2 2024
Table of Contents
Statistics on registered vulnerabilities
Vulnerability exploitation statistics
Windows and Linux vulnerability exploitation
Most common exploits
Vulnerability exploitation in APT attacks
Exploiting vulnerable drivers to attack operating systems
BYOVD attack tools
Interesting vulnerabilities
CVE-2024-26169 (WerKernel.sys)
CVE-2024-26229 (csc.sys)
CVE-2024-4577 (PHP CGI)
Takeaways and recommendations
Authors
Vitaly Morgunov
Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not h
Securelist
Analyzing the vulnerability landscape in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Analyzing the vulnerability landscape in Q2 2024
Table of Contents
- Statistics on registered vulnerabilities
- Vulnerability exploitation statistics
- Vulnerability exploitation in APT attacks
- Exploiting vulnerable drivers to attack operating systems
- Interesting vulnerabilities
- CVE-2024-26169 (WerKernel.sys)
- CVE-2024-26229 (csc.sys)
- CVE-2024-4577 (PHP CGI)
- Takeaways and recommendations
Authors
- Vitaly Morgunov
- Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to t
Tenable
Microsoft Patch Tuesday 2023 Year in Review
blogs_tenable·2023-12-12
Microsoft Patch Tuesday 2023 Year in Review
Securelist
PC malware statistics, Q3 2023
blogs_securelist·2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics
blogs_securelist·2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Unit42
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
blogs_unit42·2023-11-13·CVSS 5.4
CVE-2023-36584 [MEDIUM] In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
## Executive Summary
During our analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, we discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). This group used a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.
Our investigation revealed a new exploit method related to CVE-2023-36884 that can bypass MotW. Microsoft awarded our team a bug bounty and assigned CVE-2023-36584 (CVSS score 5) to this
Unit42
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
blogs_unit42·2023-11-13·CVSS 5.4
CVE-2023-36884 [MEDIUM] In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
Authors: Eli Birkan, Dan Yashnik, Oriel Cochavi, Bar Lahav, Mike Harbison. Published: November 13, 2023.
Tags: Malware, Threat Research, Vulnerabilities, CVE-2023-36584, CVE-2023-36884, Exploit, Microsoft Office, Microsoft Vulnerability, Remote Code Execution, RomCom, Storm-0978, Ukraine
Trendmicro
Void Rabisu with a slimmed-down backdoor
blogs_trendmicro·2023-10-17
Void Rabisu with a slimmed-down backdoor
Vulnerability exploitation
## Void Rabisu with a slimmed-down backdoor
The latest campaign of the Void Rabisu malware targeted the Women Political Leaders (WPL) Summit in June and indicates that the actors behind it have shifted their focus to high-level espionage. Our analysis shows how it works.
By: Feike Hacquebord, Fernando Merces, Oct 17, 2023
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns against Ukraine and countries supporting Ukraine. The threat actor's previous targets have included the Ukrainian government and military, the energy and water utility sectors, EU politicians, spokespersons of a certain
Trendmicro
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
blogs_trendmicro·2023-10-13
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
APT & Targeted Attacks
## Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.
By: Feike Hacquebord, Fernando Merces, Oct 13, 2023
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine. Among the threat actor's previous targets were the Ukrainian government and military, their energy and water utility sectors, EU politicians, spokespersons of a certain EU government, and security conference participants. In campaigns
Sentinelone
Beyond the WebP Flaw | An In-depth Look at 2023's Browser Security Challenges
blogs_sentinelone·2023-10-03
Beyond the WebP Flaw | An In-depth Look at 2023's Browser Security Challenges
This week, Firefox users were urged to apply Mozilla’s latest updates against a critical flaw that could allow attackers to take control of affected systems. It follows hard on the heels of similar updates for Microsoft Edge, Google Chrome, and Apple’s Safari browser. All have been heavily impacted by an actively exploited vulnerability in the WebP code library.
Although the WebP vulnerability affects other software as well, browsers are by far and away the most ubiquitous and widely used applications on end user devices. Having a foothold in a compromised browser gives threat actors access to sensitive information and potential avenues into targeted environments.
In this post, we take a deep dive into browser security, exploring the differences between vulnerabilities and exploits, ze
Krebs
Microsoft Patch Tuesday, August 2023 Edition
blogs_krebs·2023-08-09·CVSS 9.8
[CRITICAL] Microsoft Patch Tuesday, August 2023 Edition
Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.
Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.
Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.
Satnam Narang, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the Windows
Qualys
Microsoft and Adobe Patch Tuesday, August 2023 Security Update Review
blogs_qualys·2023-08-08
Microsoft and Adobe Patch Tuesday, August 2023 Security Update Review
## Table of Contents
- Microsoft Patch Tuesday for August 2023
- Adobe Patches for August 2023
- Zero-day Vulnerabilities Patched in August Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in August Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
Microsoft has released its August edition of Patch Tuesday. This month’s updates have addressed 89 security vulnerabilities in multiple products, features, and roles.
## Microsof
Tenable
Microsoft’s August 2023 Patch Tuesday Addresses 73 CVEs (CVE-2023-38180)
blogs_tenable·2023-08-08·CVSS 7.5
[HIGH] Microsoft’s August 2023 Patch Tuesday Addresses 73 CVEs (CVE-2023-38180)
Wiz
Crying Out Cloud - July Newsletter | Wiz
blogs_wiz·2023-08-01·CVSS 4.3
CVE-2023-2640 [MEDIUM] Crying Out Cloud - July Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights for July!
## ✨ Highlights
## GameOver (lay): local privilege escalation vulnerabilities in Ubuntu Linux
Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. Successful
Wiz
#6 - Chinese Spies Acquire Keys To The Azure Kingdom | Wiz
blogs_wiz·2023-07-30·CVSS 7.5
[HIGH] #6 - Chinese Spies Acquire Keys To The Azure Kingdom | Wiz
Podcast
## #6 - Chinese Spies Acquire Keys To The Azure Kingdom
Chinese Hackers Steal US Gov Emails
Silent Bob & the Team TNT Comeback
Russian Hackers Exploit Office Zero Day
Footloose's 2023 Object-Oriented Sequel: PyLoose
## Resources
https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/
https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
https://www.wired.com/story/microsoft-cloud-attack-china-hackers/
https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-ro
Checkpoint
17th July – Threat Intelligence Report
blogs_checkpoint·2023-07-17
CVE-2023-36884 17th July – Threat Intelligence Report
## 17th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th July, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Colorado State University (CSU) has been affected by ransomware gang Cl0p’s MOVEit Managed File Transfer attack. The threat actors compromised the University’s service vendors, which resulted in an unauthorized access to personal information of students and employees dating back to at least 2021. The exposed data includes names,
Qualys
Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security
blogs_qualys·2023-07-14·CVSS 7.8
CVE-2023-32046 [HIGH] Evaluate Your Windows Endpoints for Storm-0978 Activity With Qualys Endpoint Security
## Table of Contents
- Summary:
- Remediation:
- Vulnerability Analysis:
- Exploit Detection using Qualys EDR:
- VMDR:
- Related IOCs:
## Summary:
On July 11, Microsoft released security bulletins to fix 132 vulnerabilities. With the July Patch Tuesday, Microsoft also remediated six zero-day vulnerabilities. For your quick reference, the following are the zero-day vulnerabilities:
1. CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
2. CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
3. CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
4. CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
5. CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
6. ADV230001 – Guidance on
Unit42
CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated)
blogs_unit42·2023-07-12·CVSS 7.5
CVE-2023-36884 [HIGH] CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated)
## Executive Summary
With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution Vulnerability, CVE-2023-36884, which it rated "important" severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents. It should be noted that exploitation requires the user to open the malicious document.
Unit 42 Threat Intelligence can confirm that this vulnerability has been utilized since at least July 3, 2023. Further analysis is being conducted; an update will be made to this Threat Brief as the analysis is completed.
Microsoft has released a patch for Microsoft Office that stops the attack chain leading to execution of this vulnerability. For those unable to patch, they re
Krebs
Apple & Microsoft Patch Tuesday, July 2023 Edition
blogs_krebs·2023-07-12·CVSS 7.8
[HIGH] Apple & Microsoft Patch Tuesday, July 2023 Edition
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitch
Qualys
Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review
blogs_qualys·2023-07-11·CVSS 7.8
[HIGH] Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review
## Table of Contents
- Microsoft Patch Tuesday for July 2023
- Adobe Patches for July 2023
- Zero-day Vulnerabilities Patched in July Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
Microsoft has released July’s edition of Patch Tuesday! This installment of security updates addressed 132 security vulnerabilities in various products, features, and roles.
## Microsoft
Tenable
Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)
blogs_tenable·2023-07-11·CVSS 7.5
[HIGH] Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Crowdstrike
July 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] July 2023 Patch Tuesday: Updates and Analysis
Eset
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
blogs_eset·CVSS 7.5
CVE-2023-36884 [HIGH] Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild. Previous examples include the abuse of CVE-2023-36884 via Microsoft Word in June 2023, and the combined vulnerabilities assigned CVE-2024-9680 chained with another previously unknown vulnerability in Windows, CVE-2024-49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser, leading to arbitrary code execution in the context of the logged-in user in October 2024.
> Key points of this blogpost:
>
> - If you use WinRAR or other affected components such as the Windows versions of its command line utilities, UnRA
Sentinelone
Black Basta
blogs_sentinelone
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group’s operational workflow, reconnaissance activities, and specific userID and details o
Crowdstrike
August 2023 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] August 2023 Patch Tuesday: Updates and Analysis
arXiv
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
arxiv_fulltext·2025-02-16
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
Yuning Jiang (0000-0003-4791-8452), National University of Singapore, Singapore; Nay Oo, NCS Cyber Special Ops R&D, Singapore; Qiaoran Meng, National University of Singapore, Singapore; Hoon Wei Lim, NCS Cyber Special Ops R&D, Singapore; Biplab Sikdar, National University of Singapore, Singapore
## Abstract
As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The growing number of vulnerabilities, coupled with resource constraints, makes addressing every vulnerability impractical, thereby rende
- 2023-07-11: Published
- 2023-07-17: Added to CISA KEV
- Exploited in the wild