CVE-2023-29360: US Secretaries of State on the verge of large-scale compromise

CISA is sounding the alarm, urging government departments to update as soon as possible.

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to harden their Windows systems against a critical vulnerability in the Microsoft Streaming Service that is currently being actively exploited in attacks.

The vulnerability, designated CVE-2023-29360 and rated 8.4 on the CVSS scale, is an untrusted pointer dereference that allows an attacker with local access to gain SYSTEM privileges. Successful exploitation requires no user interaction, and the attack is rated as low complexity.

The vulnerability was discovered in the Microsoft Streaming Service Proxy driver (MSKSSRV.SYS) last year and was immediately reported to Microsoft through Trend Micro's Zero Day Initiative (ZDI). The discovery is credited to Thomas Imbert of Synacktiv.

Microsoft released a patch for this vulnerability in June 2023 as part of its Patch Tuesday update. Three months later, on September 24, a corresponding PoC exploit was published on GitHub.

Although the vulnerability was fixed long ago in current versions of the software, that does not mean every US government department and every other organization running Microsoft Streaming has bothered to update during this considerable period.

CISA does not disclose details about attacks that exploit this vulnerability, but confirms that there is no evidence of its use in ransomware attacks.

The agency has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning of a high risk to federal agencies and calling for its immediate remediation under Binding Operational Directive (BOD) 22-01 of November 2021. Federal agencies are required to fix the vulnerability on their Windows systems within three weeks, by March 21.

Although the KEV catalog is aimed primarily at federal agencies, private organizations around the world should also update their software quickly to prevent attacks.
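The KEV process described above works the same way for any defender: CISA publishes the catalog as a JSON feed, each entry carries a `dueDate` set under BOD 22-01, and the job of a vulnerability management team is to match that feed against its own inventory and track the deadline. The following script is an added example, not code from the article, CISA or Microsoft; it reads a feed in the KEV JSON layout and reports the remediation posture of a list of tracked CVEs. The sample feed embedded in it is constructed for this example: the field names follow the public KEV feed, the CVE id and the March 21 due date come from the article, and the year, the date added and the remaining values are assumed.

```python
"""Check tracked CVEs against a CISA KEV-format feed and report BOD 22-01 due dates."""
import json
from datetime import date

# Constructed sample record in the shape of the public CISA KEV JSON feed. The field
# names follow the feed; the CVE id and the March 21 due date come from the article,
# the year, dateAdded and all other values are assumed for this example.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-29360",
            "vendorProject": "Microsoft",
            "product": "Streaming Service",
            "vulnerabilityName": "Microsoft Streaming Service Untrusted Pointer Dereference",
            "dateAdded": "2024-02-29",
            "shortDescription": "Untrusted pointer dereference allowing local privilege escalation.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-03-21",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})


def load_kev(feed_text):
    """Index a KEV feed by CVE id so each lookup is a dictionary hit."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def remediation_status(kev, cve_id, today):
    """Return the KEV posture of one CVE as of `today` (a date or an ISO 'YYYY-MM-DD' string).

    status is one of:
      not_in_kev  - CISA has not listed the CVE as exploited, so no BOD 22-01 deadline applies
      open        - listed, deadline still in the future
      due_today   - deadline is today
      overdue     - deadline has passed
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    entry = kev.get(cve_id)
    if entry is None:
        return {"cve": cve_id, "status": "not_in_kev"}
    due = date.fromisoformat(entry["dueDate"])
    delta = (due - today).days
    if delta > 0:
        status = "open"
    elif delta == 0:
        status = "due_today"
    else:
        status = "overdue"
    return {
        "cve": cve_id,
        "status": status,
        "days_until_due": delta,
        "due_date": entry["dueDate"],
        "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        "required_action": entry["requiredAction"],
    }


def report(kev, tracked_cves, today):
    """Rank tracked CVEs for triage: overdue first, then soonest deadline; unlisted CVEs last."""
    rows = [remediation_status(kev, cve, today) for cve in tracked_cves]
    rows.sort(key=lambda r: (r["status"] == "not_in_kev", r.get("days_until_due", 10**6)))
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # CVE-0000-00000 is a placeholder id standing for an inventory item that is not in KEV.
    for row in report(kev, ["CVE-0000-00000", "CVE-2023-29360"], "2024-03-01"):
        print(row)
```

In production the feed text would come from CISA's published JSON rather than the embedded sample, and `tracked_cves` from the scanner or asset inventory; the ranking puts anything already past its BOD 22-01 date at the top of the list, while CVEs the catalog does not list are still reported so they are not silently dropped.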

Check Point, a cybersecurity company, recently reported that CVE-2023-29360 has been used by the Raspberry Robin malware since August 2023.

Raspberry Robin is malware with worm capabilities that was first detected in September 2021 and spreads via USB drives. Its creators are unknown, but it has been linked to several cybercriminal groups, including EvilCorp and the Clop ransomware gang.

Microsoft announced in July 2022 that it had detected Raspberry Robin in the networks of hundreds of organizations across various industries. Since it first appeared, the worm has evolved constantly, adopting new delivery tactics and expanding its functionality, including dropping fake payloads to mislead researchers.