As part of March’s Patch Tuesday, Microsoft fixed 83 vulnerabilities in its products, including two 0-day vulnerabilities under active attack.
One of these problems (SmartScreen bypass in Windows) is reportedly used in ransomware attacks, while the other (privilege escalation in Outlook) was used by Russian-speaking hackers.
This month, nine vulnerabilities were rated "critical"; they cover remote code execution, denial of service, and privilege escalation. A further 21 vulnerabilities were fixed in the Microsoft Edge browser.
One of the most serious issues this month is CVE-2023-23397 (CVSS 9.8), a privilege escalation vulnerability in Microsoft Outlook. A specially crafted email forces the target's Outlook client to connect to an attacker-controlled remote path and, in doing so, send the Net-NTLMv2 response of the victim's Windows account, which the attacker can then relay to authenticate as that user against other services.
Microsoft warns that no user interaction is required: the vulnerability fires before the email is even viewed in the Preview Pane, because, in the company's words, it "triggers automatically, during download and processing by the mail server."
According to the company, this problem was used by Russian-speaking hackers from the APT28 group (aka STRONTIUM, Sednit, Sofacy or Fancy Bear) to attack European government, military, energy and transport organizations between mid-April and December 2022.
The stolen credentials were reportedly used to move laterally through victims' networks and to change mailbox folder permissions in Outlook, which in some cases let the attackers read the email of specific accounts.
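Because the exploit works by making the Outlook client reach out to an attacker-controlled share, one cheap check on the telemetry side is to look for OUTLOOK.EXE opening SMB connections (TCP 445 or 139) to hosts outside the corporate address space. The following is an added example written for this page, not code from Microsoft or from the article; it runs over constructed, pipe-delimited log lines whose field names mimic Sysmon Event ID 3 (network connection) records, and the internal address ranges are an assumption that would be replaced with the organisation's own.

```python
"""Flag outbound SMB connections from OUTLOOK.EXE to non-corporate hosts.

Added example: the log lines below are constructed for illustration and
only borrow Sysmon's field names (EventID, Image, User, DestinationIp,
DestinationPort, Protocol); they are not real telemetry.
"""
import ipaddress

# Assumption: these are the organisation's internal ranges (RFC 1918 here).
# ipaddress.is_private is deliberately NOT used, because it also treats the
# RFC 5737 documentation ranges used in the sample data as "private".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SMB_PORTS = {445, 139}

# Constructed sample: one Outlook -> internal file server connection (benign),
# two Outlook -> external SMB connections (the hash-leak pattern), one
# unrelated process, one HTTPS connection and one non-network event.
SAMPLE_LOG = r"""
EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\alice|DestinationIp=10.1.2.3|DestinationPort=445|Protocol=tcp
EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\alice|DestinationIp=203.0.113.10|DestinationPort=445|Protocol=tcp
EventID=3|Image=C:\Windows\explorer.exe|User=CORP\bob|DestinationIp=203.0.113.10|DestinationPort=445|Protocol=tcp
EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\carol|DestinationIp=198.51.100.7|DestinationPort=443|Protocol=tcp
EventID=1|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\carol
EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|User=CORP\carol|DestinationIp=203.0.113.10|DestinationPort=139|Protocol=tcp
"""


def parse_line(line):
    """Split 'key=value|key=value' into a dict; values may contain backslashes."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_internal(ip_text):
    """True for loopback or any address inside INTERNAL_NETS. Raises ValueError on junk."""
    addr = ipaddress.ip_address(ip_text)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def find_outlook_smb_egress(lines):
    """Return one hit per network-connection event where Outlook talks SMB
    to an address that is not internal."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "3" or ev.get("Protocol") != "tcp":
            continue
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue
        try:
            port = int(ev.get("DestinationPort", ""))
            dst = ev.get("DestinationIp", "")
            internal = is_internal(dst)
        except ValueError:
            continue  # malformed port or address: skip rather than crash
        if port in SMB_PORTS and not internal:
            hits.append({"user": ev.get("User"), "dst": dst, "port": port})
    return hits


def analyze_sample():
    """Run the detection over the constructed sample log."""
    return find_outlook_smb_egress(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for hit in analyze_sample():
        print(f"ALERT: {hit['user']} OUTLOOK.EXE -> {hit['dst']}:{hit['port']} (possible Net-NTLMv2 leak)")
```

The rule is intentionally narrow: it only considers the Outlook process, so the explorer.exe line above is not flagged even though it would matter for other NTLM-leak vectors, and it treats WebDAV-over-HTTP paths (which can also carry NTLM) as out of scope. It complements rather than replaces the mitigation Microsoft published alongside the patch, which was to block outbound TCP 445 at the perimeter and add high-value accounts to the Protected Users group so their NTLM responses are never sent.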
The second 0-day under attack, CVE-2023-24880, is a bypass of the Windows SmartScreen security feature: it lets an attacker craft executable files that do not trigger the Mark-of-the-Web (MotW) warnings normally shown for files downloaded from the Internet.
The bug was discovered by Google TAG, which reports that it has already been used in ransomware attacks, specifically by the Magniber ransomware. According to the researchers, the attackers delivered malicious MSI files carrying a deliberately malformed Authenticode signature; the signature did not validate, but the error it caused made SmartScreen fail open, so the Mark-of-the-Web warning was never shown.
It is worth noting that CVE-2023-24880 is a variant of CVE-2022-44698, which was fixed in December 2022. That bug also bypassed SmartScreen and was likewise exploited in the wild, including to spread Qbot malware and the same Magniber ransomware.
Google explained that the bug resurfaced because Microsoft's December fix addressed only the specific case of abuse via JavaScript files rather than the root cause of the error.