VULNERA Pulse

Microsoft — Streaming Service

CVE-2023-29360 / Added: Feb. 29, 2024

HIGH CVSS 8.40 EPSS Score 0.41 EPSS Percentile 73.30

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Headlines

• March 1, 2024 - CISA warns of Microsoft Streaming bug exploited in malware attacks
• March 1, 2024 - CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog
• March 1, 2024 - CISA Adds Microsoft Streaming Service CVE-2023-29360 Flaw to KEV Catalog! PoC Published
• Feb. 12, 2024 - Raspberry Robin Jumps on 1-Day Bugs to Nest Deep in Windows Networks
• Feb. 11, 2024 - Raspberry Robin spotted using two new 1-day LPE exploits
• Feb. 10, 2024 - Raspberry Robin malware evolves with early access to Windows exploits
• Feb. 9, 2024 - Raspberry Robin Malware Upgrades with Discord Spread and New Exploits
• Feb. 8, 2024 - Raspberry Robin devs are buying exploits for faster attacks
• Oct. 10, 2023 - Critically close to zero (day): Exploiting Microsoft Kernel streaming service

Back to top ↑

CVE-2024-1709

CRITICAL CVSS 10.00 EPSS Score 93.46 EPSS Percentile 99.02

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 21, 2024

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Vendor Impacted: Connectwise

Product Impacted: Screenconnect

Quotes

• Thousands of healthcare providers, insurance providers, pharmacies, etc
• A local government, including systems likely linked to their 911 Systems
• ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector
• We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue
• Mandiant has identified mass exploitation of these vulnerabilities by various threat actors. Many of them will deploy ransomware and conduct multifaceted extortion
• Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software
• Leveraging these vulnerabilities, adversaries can orchestrate an unauthorized elevation of privileges to gain administrative oversight of the ScreenConnect environment absent legitimate authentication credentials. In addition, the path traversal flaw permits unauthorized file access or modification

Headlines

• Feb. 29, 2024 - ConnectWise ScreenConnect Vulnerabilities: What CIOs Need to Know
• Feb. 28, 2024 - Ransomware gang claims they stole 6TB of Change Healthcare data
• Feb. 27, 2024 - FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
• Feb. 27, 2024 - Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs
• Feb. 27, 2024 - Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
• Feb. 27, 2024 - SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
• Feb. 27, 2024 -
• Feb. 27, 2024 - UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
• Feb. 26, 2024 - ScreenConnect flaws exploited to deliver all kinds of malware (CVE-2024-1709, CVE-2024-1708)
• Feb. 25, 2024 - ScreenConnect Vulnerabilities Exploited to Deploy Malware
• Feb. 25, 2024 - newsletter Round 460 by Pierluigi Paganini
• Feb. 25, 2024 - Week in review: 10 cybersecurity startups to watch, admins urged to remove VMware vSphere plugin

CVE-2023-3824

CRITICAL CVSS 9.80 EPSS Score 0.08 EPSS Percentile 33.65

Actively Exploited Remote Code Execution Used In Ransomware

Published: Aug. 11, 2023

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 

Vendors Impacted: Fedoraproject, Debian, Php

Products Impacted: Debian Linux, Php, Fedora

Quotes

• Our work to target and disrupt them continues
• Because for 5 years of swimming in money I became very lazy
• Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not
• I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed
• And froze 200 cryptocurrency accounts linked to LockBit and its affiliates. LockBit’s bespoke data exfiltration tool, known as Stealbit, was also seized. Security researchers Vx-underground also claimed that at least 22 Tor sites associated with LockBit had been seized and/or taken down by law enforcement. In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and US judicial authorities. 🔒 Operation Cronos 🔒- 34 servers seized.- 2 LockBit actors arrested.- 3 arrest warrants issued.- 5 indictments issued.- 200 cryptocurrency accounts frozen.- 14,000

Headlines

• Feb. 26, 2024 - LockBit's Leak Site Reemerges, a Week After 'Complete Compromise'
• Feb. 26, 2024 - LockBit Ransomware Takedown: What You Need to Know about Operation Cro
• Feb. 26, 2024 - LockBit Ransomware Group Resurfaces After Law Enforcement Takedown
• Feb. 26, 2024 - LockBit is back and threatens to target more government organizations
• Feb. 25, 2024 - LockBit ransomware returns, restores servers after police disruption

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 97.30 EPSS Percentile 99.86

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Policy Secure, Connect Secure, Connect Secure And Policy Secure

Quotes

• Unable to read file with path: $file
• UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions
• Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code
• During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise
• Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend
• The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges
• The internal ICT is configured to run in two-hour intervals by default and is meant to be run in conjunction with continuous monitoring. Any malicious file system modifications made and reverted between the two-hour scan intervals would remain undetected by the ICT. When the activation and deactivation routines are performed tactfully in quick succession, it can minimize the risk of ICT detection by timing the activation routine to coincide precisely with the intended use of the BUSHWALK webshell

Headlines

• March 1, 2024 - Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws
• Feb. 29, 2024 - Chinese APT Developing Exploits to Defeat Patched Ivanti Users
• Feb. 29, 2024 - CISA warns against using hacked Ivanti devices even after factory resets
• Feb. 29, 2024 - CISA cautions against using hacked Ivanti VPN gateways even after factory resets
• Feb. 29, 2024 - Here Are the Google and Microsoft Security Updates You Need Right Now
• Feb. 29, 2024 - CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities | CISA
• Feb. 29, 2024 - CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities | CISA
• Feb. 29, 2024 - Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
• Feb. 27, 2024 - Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant

CVE-2024-1708

HIGH CVSS 8.40 EPSS Score 0.05 EPSS Percentile 16.00

Risk Context N/A

Published: Feb. 21, 2024

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

Vendor Impacted: Connectwise

Product Impacted: Screenconnect

Quotes

• A local government, including systems likely linked to their 911 Systems
• Mandiant has identified mass exploitation of these vulnerabilities by various threat actors. Many of them will deploy ransomware and conduct multifaceted extortion
• Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software
• Leveraging these vulnerabilities, adversaries can orchestrate an unauthorized elevation of privileges to gain administrative oversight of the ScreenConnect environment absent legitimate authentication credentials. In addition, the path traversal flaw permits unauthorized file access or modification

Headlines

• Feb. 29, 2024 - ConnectWise ScreenConnect Vulnerabilities: What CIOs Need to Know
• Feb. 27, 2024 - Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs
• Feb. 27, 2024 - Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
• Feb. 27, 2024 - SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
• Feb. 27, 2024 -
• Feb. 26, 2024 - ScreenConnect flaws exploited to deliver all kinds of malware (CVE-2024-1709, CVE-2024-1708)
• Feb. 25, 2024 - ScreenConnect Vulnerabilities Exploited to Deploy Malware
• Feb. 25, 2024 - newsletter Round 460 by Pierluigi Paganini
• Feb. 25, 2024 - Week in review: 10 cybersecurity startups to watch, admins urged to remove VMware vSphere plugin

CVE-2023-29360

HIGH CVSS 8.40 EPSS Score 0.41 EPSS Percentile 73.30

CISA Known Exploited Actively Exploited Public Exploits Available

Published: June 14, 2023

Microsoft Streaming Service Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2022, Windows 11 21h2, Windows 10 21h2, Windows Server 2016, Windows 10 1809, Windows 10 22h2, Streaming Service, Windows 10 1607

Quotes

• Frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise

Headlines

• March 1, 2024 - CISA warns of Microsoft Streaming bug exploited in malware attacks
• March 1, 2024 - CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog
• March 1, 2024 - CISA Adds Microsoft Streaming Service CVE-2023-29360 Flaw to KEV Catalog! PoC Published

CVE-2024-22024

HIGH CVSS 8.30 EPSS Score 0.59 EPSS Percentile 77.80

Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 13, 2024

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Policy Secure, Connect Secure, Zero Trust Access

Quotes

• Unable to read file with path: $file
• Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code
• During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise

Headlines

• Feb. 29, 2024 - CISA warns against using hacked Ivanti devices even after factory resets
• Feb. 29, 2024 - CISA cautions against using hacked Ivanti VPN gateways even after factory resets
• Feb. 29, 2024 - Here Are the Google and Microsoft Security Updates You Need Right Now
• Feb. 29, 2024 - CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities | CISA
• Feb. 27, 2024 - Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant

CVE-2024-21893

HIGH CVSS 8.20 EPSS Score 96.25 EPSS Percentile 99.48

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Neurons For Zero-Trust Access, Connect Secure, Policy Secure, Connect Secure, Policy Secure, And Neurons

Quotes

• Unable to read file with path: $file
• A nuanced understanding of the appliance
• UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions
• Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code
• During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise
• Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend
• The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges
• The internal ICT is configured to run in two-hour intervals by default and is meant to be run in conjunction with continuous monitoring. Any malicious file system modifications made and reverted between the two-hour scan intervals would remain undetected by the ICT. When the activation and deactivation routines are performed tactfully in quick succession, it can minimize the risk of ICT detection by timing the activation routine to coincide precisely with the intended use of the BUSHWALK webshell

Headlines

• March 1, 2024 - Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws
• Feb. 29, 2024 - Chinese APT Developing Exploits to Defeat Patched Ivanti Users
• Feb. 29, 2024 - CISA cautions against using hacked Ivanti VPN gateways even after factory resets
• Feb. 29, 2024 - CISA warns against using hacked Ivanti devices even after factory resets
• Feb. 29, 2024 - Here Are the Google and Microsoft Security Updates You Need Right Now
• Feb. 29, 2024 - CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities | CISA
• Feb. 29, 2024 - CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities | CISA
• Feb. 29, 2024 - Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
• Feb. 28, 2024 - State-sponsored hackers know enterprise VPN appliances inside out
• Feb. 27, 2024 - Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 96.27 EPSS Percentile 99.49

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Policy Secure, Connect Secure, Connect Secure And Policy Secure

Quotes

• Unable to read file with path: $file
• Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code
• During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise
• Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend
• The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges

Headlines

• March 1, 2024 - Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws
• Feb. 29, 2024 - CISA cautions against using hacked Ivanti VPN gateways even after factory resets
• Feb. 29, 2024 - CISA warns against using hacked Ivanti devices even after factory resets
• Feb. 29, 2024 - Here Are the Google and Microsoft Security Updates You Need Right Now
• Feb. 29, 2024 - CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities | CISA
• Feb. 29, 2024 - CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities | CISA
• Feb. 27, 2024 - Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant

CVE-2024-21338

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 17.93

Actively Exploited Remote Code Execution

Published: Feb. 13, 2024

Windows Kernel Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2022, Windows 11 21h2, Windows 10 21h2, Windows 11 23h2, Windows 10 1809, Windows Server 2022 23h2, Windows 10 22h2

Quotes

• To exploit this vulnerability, an attacker would first have to log on to the system
• Though their [Lazarus Group's] signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected technical sophistication
• The holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system

Headlines

• March 1, 2024 - Microsoft Zero Day Used by Lazarus in Rootkit Attack
• Feb. 29, 2024 - Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
• Feb. 29, 2024 - Lazarus APT exploited 0-day in Win driver to gain kernel privileges
• Feb. 29, 2024 - Zero-Day Alert (CVE-2024-21338): Lazarus Group Exploits Windows Kernel Vulnerability
• Feb. 28, 2024 - Lazarus hackers exploited Windows zero-day to gain Kernel privileges