Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
Microsoft Fixes Russia-Exploited Zero-Day
Patch Tuesday Fixes Address 80 Vulnerabilities, Including 8 Critical OnesMicrosoft's March dump of patches fixes two actively exploited zero-day vulnerabilities, including a critical severity issue in the Outlook email client that Russian threat actors are using to target European companies.
See Also: Securing Your Workforce with Datto RMM: Automating Patching, Hardening, and Backups
The other zero-day vulnerability is a moderately severe security feature bypass vulnerability in the Windows SmartScreen, a cloud-based anti-phishing and anti-malware software.
The Redmond computing giant also released fixes for at least 78 other vulnerabilities, nine of which are rated critical bugs that allow remote code execution, denial of service or elevation of privilege attacks. Seventy-one are classified as important.
The zero-day exploited by Russia, tracked as CVE-2023-23397, is a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user's hashed Windows account password, allowing the attacker to authenticate into other systems. This type of attack is known as Pass the Hash.
"A skilled attacker could send an email that triggers the vulnerability when it is retrieved and processed by the email server - in other words, even before it reaches the Preview Pane, let alone is opened," wrote Sophos.
Mandiant says the Russian GRU hacking group known as APT28 - also dubbed Fancy Bear - has been exploiting the vulnerability since last April, deploying it against government agencies and logistics, oil, defense and transportation industries located in Poland, Ukraine, Romania and Turkey. Patch quickly, the firm advises. "This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun," said John Hultquist, head of Mandiant Intelligence Analysis.
Microsoft also identified a second zero-day, tracked as CVE-2023-24880, which allows a security feature bypass on Windows SmartScreen, an anti-phishing and anti-malware component offered as an endpoint protection service with several Microsoft products.
"A specially crafted file could evade Mark of the Web defenses and thus avoid the enhanced scrutiny usually applied to files downloaded from the internet," said Adam Barnett, lead software engineer at Rapid7.
Microsoft rated this vulnerability as moderately severe, with a relatively low CVSS v3 of 5.4, as it requires user interaction to work and only affects Windows software versions 10 and 11, as well as Server 2016 onward.
More Bugs
Other critical vulnerabilities include those found in Internet Control Message Protocol, which is a remote code execution vulnerability tracked as CVE-2023-23415. With a CVSS risk score of 9.8, the vulnerability exploits the ICMP protocol, which is used by commands such as ping.
"An attacker can use this weakness to send a low-level protocol error, containing a fragmented IP packet within another ICMP packet header, to the target machine. To activate the flaw, an application on the target must be connected to a raw socket. This vulnerability could result in remote code execution," said Mike Walters, vice president of vulnerability and threat research at Action1.
Another vulnerability is one on the HTTP Protocol Stack. The remote code execution flaw, tracked as CVE-2023-23392, can enable an attacker to send a specially crafted packet to a targeted server that use the HTTP Protocol Stack to process packets.
"This can lead to remote code execution, posing a significant security risk. The vulnerability affects Windows Server 2022 and Windows 11 and has a low-complexity attack vector that requires no privileges or user interaction. While there is no evidence of exploitation yet, it is highly likely to occur," Walters said.