CISA Issues Alert on Microsoft Streaming Bug Exploited in Malware Attacks
March 1, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a critical vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that is currently being exploited in attacks. The vulnerability, tracked as CVE-2023-29360, is an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges. Exploitation is low-complexity and requires no user interaction.
Thomas Imbert of Synacktiv discovered CVE-2023-29360 in the Microsoft Streaming Service Proxy (MSKSSRV.SYS) and reported it to Microsoft through Trend Micro's Zero Day Initiative. Microsoft patched the bug in its June 2023 Patch Tuesday release. Proof-of-concept exploit code was subsequently published on GitHub on September 24.
While CISA did not share specific details about ongoing attacks, it confirmed that there was no evidence of this vulnerability being used in ransomware attacks. The agency also included this bug in its Known Exploited Vulnerabilities Catalog this week, cautioning that such security flaws are regularly exploited by cybercriminals and pose substantial risks to the federal enterprise.
As per the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are required to patch their Windows systems against this security flaw by March 21. Although CISA's KEV catalog is primarily aimed at warning federal agencies about security vulnerabilities that need immediate attention, private organizations worldwide are also encouraged to prioritize patching this vulnerability to prevent ongoing attacks.
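As an added example (not from the article or from CISA), the following script shows how a defender can triage a KEV catalog entry against the BOD 22-01 due date. It parses a record in the shape of CISA's KEV JSON feed; the sample entry is constructed from the article, and its dateAdded value and the second CVE are assumptions used only for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Built from the article, not copied from the live catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-29360",
            "vendorProject": "Microsoft",
            "product": "Streaming Service",
            "vulnerabilityName": "Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability",
            "dateAdded": "2024-02-29",  # assumption: "this week" relative to the March 1 article
            "shortDescription": "Untrusted pointer dereference in MSKSSRV.SYS allowing local privilege escalation.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2024-03-21",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

def load_kev(feed_text):
    """Parse a KEV feed and index its entries by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}

def triage(kev, tracked_cves, today_iso):
    """Report BOD 22-01 status for each tracked CVE: in catalog, days left, overdue, ransomware use."""
    today = date.fromisoformat(today_iso)
    report = {}
    for cve in tracked_cves:
        entry = kev.get(cve)
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        report[cve] = {
            "in_kev": True,
            "due_date": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
        }
    return report

if __name__ == "__main__":
    # "CVE-2000-0000" is a placeholder that is not in the sample catalog.
    for cve, status in triage(load_kev(KEV_SAMPLE), ["CVE-2023-29360", "CVE-2000-0000"], "2024-03-01").items():
        print(cve, status)
```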
Check Point, an American-Israeli cybersecurity firm, provided additional information on this vulnerability last month, stating that the Raspberry Robin malware has been exploiting CVE-2023-29360 since August 2023. 'After looking at samples of Raspberry Robin prior to October, we found that it also used an exploit for CVE-2023-29360. This vulnerability was publicly disclosed in June and was used by Raspberry Robin in August,' Check Point reported.
Raspberry Robin is a malware with worm capabilities that emerged in September 2021 and primarily propagates via USB drives. Its creators remain unidentified, but it has been associated with several cybercriminal groups, including EvilCorp and the Clop ransomware gang. Microsoft reported in July 2022 that it had detected the Raspberry Robin malware on the networks of hundreds of organizations across several industry sectors. Since its detection, this worm has continued to evolve, adopting new distribution strategies and incorporating new features, such as deploying fake payloads to deceive researchers.