Microsoft fixed a zero-day vulnerability that malicious actors were exploiting to bypass its cloud-based Windows SmartScreen anti-malware service and deliver Magniber ransomware payloads without any warning.
“CVE-2023-23397 is a critical EOP Vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required,” Microsoft explained.
The vulnerability exists because the application leaks the Net-NTLMv2 hash. A remote attacker can send a specially crafted email to the victim and obtain the Net-NTLMv2 hash of the victim's Windows account. The victim does not need to open the email, as the vulnerability is triggered automatically when the message is retrieved and processed by the email server, i.e. before the email is even viewed in the preview pane. The obtained Net-NTLMv2 hash can then be used in an NTLM relay attack against another service to authenticate as the user.
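As an added illustration, not code from the article or from Microsoft's own remediation script, the following Python sketches the defender-side check the description above implies: a message is suspicious when its reminder-sound property (PidLidReminderFileParameter, the extended MAPI property this bug abuses) names a host other than the local machine. The sample records and host names are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample records, NOT real mailbox data: each maps a message id to the
# raw value of the PidLidReminderFileParameter MAPI property (the custom reminder
# sound path that CVE-2023-23397 abuses to force an outbound SMB connection).
SAMPLE_MESSAGES = {
    "msg-001": None,                                        # property absent: benign
    "msg-002": "C:\\Windows\\Media\\chimes.wav",            # local file: benign
    "msg-003": "\\\\10.0.0.5\\sounds\\alert.wav",           # UNC to a remote IP: flag
    "msg-004": "//files.example.invalid/share/a.wav",       # forward-slash UNC: flag
    "msg-005": "file://files.example.invalid/share/a.wav",  # file URI with a host: flag
    "msg-006": "\\\\?\\C:\\Windows\\Media\\ding.wav",       # Win32 device path, not network
    "msg-007": "\\\\localhost\\c$\\ding.wav",               # loopback: no hash leaves the box
}

# Host names that resolve to the local machine and therefore cannot leak the hash.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "?", "."}

def remote_host_of(path):
    """Return the remote host a reminder path would make Outlook contact, or None."""
    if not path:
        return None
    value = path.strip()
    if value.lower().startswith("file:"):
        # file:// URI: the netloc is the host that would receive the SMB connection
        host = urlparse(value).hostname or ""
    else:
        # UNC forms: \\host\share or //host/share (either separator, any mix)
        m = re.match(r"^[\\/]{2}([^\\/]+)[\\/]", value)
        host = m.group(1) if m else ""
    host = host.strip("[]").lower()
    if not host or host in LOCAL_HOSTS:
        return None
    return host

def scan_messages(messages):
    """Return {message_id: remote_host} for messages whose reminder path points off-box."""
    findings = {}
    for msg_id, value in messages.items():
        host = remote_host_of(value)
        if host:
            findings[msg_id] = host
    return findings
```

Flagged messages are candidates for quarantine and for hunting outbound TCP 445 connections to the listed hosts.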
The second zero-day flaw, tracked as CVE-2023-24880, is a SmartScreen security feature bypass in Microsoft Windows, which could be exploited to bypass the Mark of the Web (MOTW) defenses.
According to Google's Threat Analysis Group (TAG), this flaw has been exploited by the Magniber ransomware operation. Google TAG noted that when a vulnerability is fixed there is an inherent tension between fixing the immediate problem and addressing its root cause. Because the root cause of the SmartScreen security bypass was not patched, attackers were quickly able to find an alternative variant of this bug.