CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to protect Windows systems from a high-severity vulnerability in Microsoft Streaming Services (MSKSSRV.SYS) that is being actively exploited.
This security flaw (tracked as CVE-2023-29360) is an untrusted pointer dereference vulnerability that allows a local attacker to gain SYSTEM privileges through a low-complexity attack that requires no user interaction.
CVE-2023-29360 was discovered in the Microsoft Streaming Service Proxy (MSKSSRV.SYS) by Thomas Imbert of Synacktiv and reported to Microsoft through Trend Micro’s Zero Day Initiative. Redmond fixed the bug during the June 2023 Patch Tuesday, and three months later, on September 24th, a proof-of-concept exploit was published on GitHub.
The US Cybersecurity Agency did not provide details about the ongoing attack, but confirmed that it had found no evidence that the vulnerability was used in a ransomware attack.
CISA this week added the bug to its Known Exploited Vulnerabilities catalog, warning that such security bugs “are frequent attack vectors for malicious cyber attackers and pose significant risks to federal enterprises.” As mandated by Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021, federal agencies must apply the patches for this security bug to their Windows systems within three weeks (by March 21).
Although CISA’s KEV Catalog is primarily focused on alerting federal agencies to security flaws that need to be addressed as soon as possible, private organizations around the world are also using it to block ongoing attacks. Patching this vulnerability is recommended as a priority.
Used in malware attacks since August
American-Israeli cybersecurity firm Check Point provided more information about the vulnerability last month, saying that Raspberry Robin malware attacks have been exploiting CVE-2023-29360 since August 2023.
“We examined Raspberry Robin samples from before October and found that the CVE-2023-29360 exploit was also used. This vulnerability was published in June and used by Raspberry Robin in August,” Check Point said.
“Although this is a very easy vulnerability to exploit, the fact that the exploit author had a working sample before there was a known exploit on GitHub is a testament to how quickly Raspberry Robin was able to exploit it. It’s just as impressive as how it was used.”
Raspberry Robin is malware with worm capabilities that first appeared in September 2021 and primarily spreads via USB drives. Although its creator is unknown, it has been linked to multiple cybercrime groups, including EvilCorp and the Clop ransomware gang.
Microsoft announced in July 2022 that it had discovered Raspberry Robin malware on the networks of hundreds of organizations across various industry sectors.
Since its discovery, the worm has continuously evolved, adopting new delivery tactics and adding new evasion features, such as dropping bogus payloads to mislead researchers.