An exploit is available that allows you to bypass the last line of protection in Windows

Lord777

Vulnerability CVE-2023-36025 is actively used by cybercriminals.

Microsoft recently released a security update to address a critical zero-day vulnerability in SmartScreen security technology in the Windows operating system. However, the exploit for this vulnerability was already used by attackers before the update was released.

A proof-of-concept (PoC) exploit for this vulnerability, designated CVE-2023-36025, is now publicly available. The appearance of an exploit increases the urgency for organizations to apply the fix if they have not already done so.

The vulnerability allows SmartScreen protection to be bypassed so that malicious code passes Windows Defender's security checks. To exploit it, an attacker needs to get the user to click on a specially crafted Internet shortcut (.URL) file or a link to such a file.

Microsoft rates the attack complexity as low. You can exploit the vulnerability remotely with low privileges. It is present in Windows 10, Windows 11, and Windows Server 2008 and later.

A recently published PoC shows how an attacker can generate a legitimate-looking but malicious .URL file and distribute it, for example, via a phishing email. A user who clicks on the file is redirected to a malicious site or runs malicious code without any SmartScreen warning.

Among those exploiting CVE-2023-36025 is TA544, a financially motivated hacker group that has been active since 2017. The group has used various malware tools in campaigns targeting organizations in Western Europe and Japan, and is known for distributing the Ursnif banking Trojan (Gozi) and the more sophisticated second-stage downloader WikiLoader.

Recently, a Proofpoint researcher recorded TA544 using CVE-2023-36025 in a campaign delivering Remcos, a remote access Trojan that various hacker groups use to remotely control and monitor compromised Windows devices. In this campaign, the attackers created a unique web page with links leading to a .URL file that pointed to a virtual hard disk (.vhd) file or a .zip file hosted on a compromised site. CVE-2023-36025 allows attackers to automatically mount VHDs on systems simply by having the .URL file opened, the researcher noted.
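Since the campaign hinges on a .URL shortcut whose target is a remote disk image or archive, a defender can triage such files on a mail gateway or in a quarantine folder by parsing them and flagging suspicious targets. The following is an added example, not code from the original post or from Proofpoint: it relies only on the fact that .URL files are INI-style text with an [InternetShortcut] section and a URL= key. The .vhd and .zip extensions come from the article; .vhdx and the "non-HTTP scheme" check are my own assumptions, and all sample files are constructed.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions worth flagging when a .URL shortcut points at them on a remote host.
# The article names .vhd and .zip; .vhdx is added here as an assumption.
DISK_IMAGE_EXTS = {".vhd", ".vhdx"}
ARCHIVE_EXTS = {".zip"}

# Constructed sample .URL files (not real campaign artifacts). Hosts use the
# reserved .invalid TLD so nothing here resolves.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n",
    "remote_vhd.url": "[InternetShortcut]\r\nURL=https://files.example.invalid/docs/report.vhd\r\n",
    "remote_zip.url": "[InternetShortcut]\r\nURL=https://files.example.invalid/docs/invoice.zip\r\n",
    "no_url_key.url": "[InternetShortcut]\r\nIconIndex=0\r\n",
}


def extract_target(text):
    """Return the URL= value from a .URL (INI-style) file, or None if absent."""
    # interpolation=None keeps '%' sequences in URLs from being treated as
    # configparser substitutions; strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # option names are lowercased by configparser
    return None


def classify_url_file(text):
    """Parse one .URL file and return its target plus a list of detection flags."""
    target = extract_target(text)
    flags = []
    if target is None:
        # A shortcut with no target is malformed; surface it rather than ignore it.
        return {"target": None, "flags": ["missing_url_key"]}
    parsed = urlparse(target)
    ext = PurePosixPath(parsed.path).suffix.lower()
    remote = bool(parsed.netloc)
    if parsed.scheme not in ("http", "https"):
        flags.append("non_http_scheme")
    if remote and ext in DISK_IMAGE_EXTS:
        flags.append("remote_disk_image")
    if remote and ext in ARCHIVE_EXTS:
        flags.append("remote_archive")
    return {"target": target, "flags": flags}


def scan(samples):
    """Return the names of samples that raised at least one flag, in input order."""
    return [name for name, text in samples.items() if classify_url_file(text)["flags"]]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_url_file(text))
```

In practice, the flagged files would be held for analyst review rather than deleted outright, and the extension and scheme lists would be tuned to the organization's own traffic; the point is that the .URL target is plain text and can be inspected before the shortcut ever reaches a user's desktop.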

CVE-2023-36025 is the third zero-day vulnerability in SmartScreen that Microsoft disclosed this year.