Microsoft Fixed Two 0-Day Vulnerabilities under Attack at Once

0-day vulnerabilities under attack
Written by Emma Davis

As part of March’s Patch Tuesday, Microsoft fixed 83 vulnerabilities in its products, including two 0-day vulnerabilities under active attack.

Let me remind you that we also wrote that Microsoft Fixes 98 Vulnerabilities, Including 0-Day under Attacks, and also that 0-day vulnerability in Microsoft MHTML is exploited to attack Office 365 users.

Also information security specialists wrote that Another 0-Day Bug Was Found in Microsoft Exchange, and LockBit Ransomware Operators Are Exploiting It.

One of these problems (SmartScreen bypass in Windows) is reportedly used in ransomware attacks, while the other (privilege escalation in Outlook) was used by Russian-speaking hackers.

This month, a total of nine vulnerabilities were classified as “critical” as they related to remote code execution, denial of service, and privilege escalation. In addition, 21 additional vulnerabilities were fixed in the Microsoft Edge browser.

One of the “top” issues this month was CVE-2023-23397 (9.8 out of 10 on the CVSS scale) related to privilege escalation in Microsoft Outlook. With a custom email, the issue is reportedly able to force the target device to connect to a remote URL and pass a Net-NTLMv2 hash to the Windows account.

Attackers can send specially crafted emails that will cause the victim to connect to an external UNC controlled by the attacker. This will leak the victim’s Net-NTLMv2 hash, and the attacker will be able to authenticate on behalf of the victim.Microsoft developers say.

Microsoft warns that the vulnerability is triggered automatically, before the email is read through the preview panel, because the vulnerability “triggers automatically, during download and processing by the mail server.”

According to the company, this problem was used by Russian-speaking hackers from the APT28 group (aka STRONTIUM, Sednit, Sofacy or Fancy Bear) to attack European government, military, energy and transport organizations between mid-April and December 2022.

Stolen credentials were reportedly used to traverse victims’ networks sideways and change mailbox folder permissions in Outlook, sometimes allowing specific accounts’ email to be stolen.

The second fixed 0-day under attacks, CVE-2023-24880, is related to bypassing the Windows SmartScreen security feature, and it can be used to create executable files that bypass Mark-of-the-Web warnings (files downloaded from the Internet receive such marks).

An attacker can create a malicious file that can bypass Mark-of-the-Web (MOTW) protection, resulting in limited loss of integrity and disabling security features such as Protected View in Microsoft Office that rely on MOTW marks.Microsoft specialists explain.

This problem was discovered by Google TAG experts, who report that the vulnerability has already been used in ransomware attacks, namely the Magniber ransomware. According to the researchers, the attackers used malicious MSI files signed with a deliberately mangled Authenticode signature, which was invalid but allowed SmartScreen to be bypassed and Mark-of-the-Web warnings to be prevented.

Since January 2023, TAG has recorded more than 100,000 downloads of malicious MSI files, of which more than 80% were downloaded by users in Europe, which differs markedly from Magniber’s usual targeting, which is more often targeted at South Korea and Taiwan.the experts said.

It is worth noting that CVE-2023-24880 is a new variation of CVE-2022-44698, which was fixed in December 2022. This problem also made it possible to bypass SmartScreen protection, and it was also used by hackers, including for spreading Qbot malware and the already mentioned Magniber encryptor.

Google explained that the appearance of the second iteration of this bug is due to the fact that in December Microsoft fixed only the problem of the abuse of JavaScript files, but did not eliminate the root cause of the error.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply