Excerpt from MsPoweruser Article, Published on Mar, 06, 2024

After a high-severity vulnerability in the Microsoft Streaming Service proxy driver (MSKSSRV.SYS) was found to be actively used in malware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their Windows systems against it.

Identified as CVE-2023-29360, the security flaw stems from an untrusted pointer dereference weakness within the Microsoft Streaming Service Proxy (MSKSSRV.SYS), allowing local attackers to attain SYSTEM privileges through low-complexity attacks that require no user interaction. The discovery of CVE-2023-29360 was credited to Thomas Imbert of Synacktiv, who reported it to Microsoft via Trend Micro's Zero Day Initiative. Microsoft addressed the vulnerability in the June 2023 Patch Tuesday updates. However, proof-of-concept exploit code surfaced on GitHub three months later, on September 24. While CISA has not disclosed specifics regarding ongoing attacks, it has stated that it has no evidence of the flaw being exploited in ransomware campaigns.

This week, CISA included the vulnerability in its Known Exploited Vulnerabilities Catalog, emphasizing the significant risks it poses to federal systems. Pursuant to a binding operational directive (BOD 22-01) issued in November 2021, federal agencies are mandated to patch their Windows systems against this vulnerability within three weeks, by March 21. Although CISA’s focus remains on alerting federal agencies, private organizations globally are encouraged to prioritize patching to thwart ongoing attacks.

Exploitation Since August

Check Point, an American-Israeli cybersecurity company, has provided additional information about the flaw and revealed that Raspberry Robin malware has been using CVE-2023-29360 since August 2023. According to Check Point, Raspberry Robin, a worm-capable malware first observed in September 2021, primarily spreads via USB drives and has been associated with cybercriminal groups such as EvilCorp and the Clop ransomware gang.

Microsoft disclosed in July 2022 that Raspberry Robin was detected on the networks of numerous organizations across various sectors. The malware has continually evolved, employing new delivery tactics and features, including the deployment of fake payloads to mislead researchers. The rapid exploitation of CVE-2023-29360 underscores the sophistication of cyber threats and the imperative for swift mitigation measures. Both government entities and private organizations must remain vigilant and proactive in addressing such vulnerabilities to safeguard against malicious attacks.

To delve deeper into this topic, please read the full article in Mspoweruser.