Safeguarding Against Ransomware Attacks Targeting Windows Vulnerabilities

Cybercriminals have recently been exploiting a pair of Windows zero-day vulnerabilities to increase their access to compromised systems, obtain sensitive data, evade security protocols, establish backdoors, and launch ransomware attacks. These zero-day flaws, designated as CVE-2023-23397 and CVE-2023-24880, affect Microsoft Outlook and the Windows SmartScreen security function, respectively.

A zero-day vulnerability is a security loophole actively exploited by hackers while the software vendor remains unaware of its existence. Consequently, the vendor has had no opportunity to develop and release a patch to address the issue. In the present case, a Russia-based threat group has actively exploited CVE-2023-23397, using it to target government, military, energy, and transportation organizations in Europe.

Microsoft has shared confidential information with a select group of customers, indicating that this flaw’s exploitation has been ongoing since April 2022, nearly an entire year. Meanwhile, the Magniber ransomware group has actively exploited the second vulnerability, CVE-2023-24880, since at least January 2023, according to Google.

Microsoft addressed both vulnerabilities on March 14, 2023, when it released its monthly patch for supported Windows products. Both flaws are remotely exploitable and do not require privileges, meaning that attackers do not need to compromise existing user accounts on the target system to exploit them.

Outlook’s Critical Vulnerability

CVE-2023-23397 is a critical-severity vulnerability that enables threat actors to carry out an NTLM relay attack, forcing a connection from the target device to an external UNC location. This action allows attackers to steal the victim’s hash, which they then use for authentication.

By hijacking email accounts, threat actors gain access to private information, launch internal phishing attacks on colleagues, and deepen their infiltration into corporate networks. Unfortunately, CVE-2023-23397 is relatively easy to exploit. An independent security analyst publicly released a proof-of-concept (PoC) exploit on the same day Microsoft disclosed the vulnerability, showcasing its exploitation.

As a result of the PoC’s public release, adversaries are expected to quickly incorporate it into their attack strategies, targeting organizations that have not yet applied the available security updates.

Zero-Day Ransomware Attacks

The second zero-day flaw addressed this month, CVE-2023-24880, is a security bypass vulnerability that allows attackers to create malicious MSI files. When executed by the victim, these files do not display the Windows Mark of the Web warning. Google’s Threat Analysis Group discovered the medium-severity flaw and reported that the Magniber ransomware gang, known for targeting large organizations and private individuals, is exploiting it.

Google reported the issue to Microsoft on February 15, 2023. However, evidence suggests that Magniber has actively exploited the vulnerability since January 2023, with over 100,000 downloads of the specific MSI files used in the attacks. The fact that a medium-tier ransomware group exploited a zero-day vulnerability in Microsoft Windows demonstrates the ingenuity and determination of these financially motivated cybercriminals.

Ransomware Removal and Recovery Services by MonsterCloud

Staying informed about the latest cyber threats and vulnerabilities is crucial in today’s interconnected world. Utilising MonsterCloud’s ransomware removal and ransomware recovery services is a step towards securing your organization’s digital assets and ensuring business continuity in the face of relentless cyberattacks. Our expertise in ransomware removal and recovery services can be invaluable in helping your organization recover quickly and efficiently.

In the unfortunate event that your organization falls victim to a ransomware attack, MonsterCloud’s team of experienced cybersecurity professionals can step in to mitigate the damage and help you get back on track. Our services focus on removing the ransomware infection, recovering lost or encrypted data, and advising on best practices to prevent future incidents.
