US Government Defenders at Risk: CVE-2023-29360

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a critical vulnerability in the Microsoft Streaming Service that is being actively exploited in attacks.

The vulnerability, tracked as CVE-2023-29360 and rated 8.4 on the CVSS scale, is an untrusted pointer dereference that allows an attacker with local access to gain SYSTEM privileges without any user interaction. The attack is rated low complexity.

Discovered last year in the Microsoft Streaming Service Proxy driver (MSKSSRV.sys), the vulnerability was promptly reported to Microsoft through Trend Micro's Zero Day Initiative (ZDI). The discovery is credited to Thomas Imbert of Synacktiv.

Microsoft fixed the vulnerability in its June 2023 Patch Tuesday update. Three months later, on September 24, exploit code was published on GitHub.

Although the vulnerability is fixed in current software versions, not all government departments and organizations running the Microsoft Streaming Service have updated their systems in the intervening period.

CISA has not disclosed details of the attacks exploiting this vulnerability, but says it has no evidence of its use in extortion attacks. The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the high risk to federal networks and requiring immediate remediation under Binding Operational Directive (BOD) 22-01.

Federal agencies must remediate the vulnerability on their Windows systems within three weeks, by March 21. Private organizations worldwide are also urged to update their software promptly to prevent attacks.
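The KEV listing and the BOD 22-01 due date described above are the inputs a defender actually works from. The following Python script is an added example, not code from the article or from CISA: it parses records in the shape of CISA's KEV JSON feed (the field names match the real feed; the records themselves are constructed from this article plus one obviously placeholder entry), cross-checks them against the list of CVEs a vulnerability scanner reports as still unpatched in a fleet, and reports how many days remain before each deadline, flagging entries that are already overdue.

```python
"""Cross-check unpatched CVEs against a KEV-style catalog and compute
BOD 22-01 remediation deadlines (added example, not CISA tooling)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The first record is
# built from the facts in this article (added 2024-02-29, due three weeks later);
# the second is an obvious placeholder used only to show an overdue entry.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-29360",
      "vendorProject": "Microsoft",
      "product": "Streaming Service",
      "vulnerabilityName": "Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability",
      "dateAdded": "2024-02-29",
      "shortDescription": "Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-03-21",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry for illustration",
      "dateAdded": "2024-01-25",
      "shortDescription": "Placeholder.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2024-02-15",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(text):
    """Parse a KEV-format JSON document and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def triage(vulns, unpatched_cves, today):
    """For every CVE in unpatched_cves that is also in the KEV catalog, return a
    finding with the due date and the days remaining (negative means overdue).
    `today` may be a date or an ISO date string. Findings are sorted so the
    most urgent (most overdue) item comes first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    catalog = {v["cveID"]: v for v in vulns}
    findings = []
    for cve in sorted(unpatched_cves):
        entry = catalog.get(cve)
        if entry is None:
            continue  # unpatched but not on KEV: still a finding, just not a BOD 22-01 one
        remaining = (date.fromisoformat(entry["dueDate"]) - today).days
        findings.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "daysRemaining": remaining,
            "status": "overdue" if remaining < 0 else "open",
            "ransomwareUse": entry["knownRansomwareCampaignUse"],
            "requiredAction": entry["requiredAction"],
        })
    findings.sort(key=lambda f: f["daysRemaining"])
    return findings


def main():
    vulns = load_kev(SAMPLE_KEV_JSON)
    # Constructed: CVE IDs a scanner reported as still unpatched in this fleet.
    # CVE-0000-0002 is a placeholder that is not in the catalog and is skipped.
    unpatched = {"CVE-2023-29360", "CVE-0000-0001", "CVE-0000-0002"}
    for f in triage(vulns, unpatched, "2024-03-01"):
        print(f'{f["cveID"]:15} {f["product"]:30} due {f["dueDate"]} '
              f'({f["daysRemaining"]:+d} days) {f["status"]}')


if __name__ == "__main__":
    main()
```

In practice the catalog text would come from a saved copy of the live KEV feed and the unpatched set from the scanner export; the matching logic and deadline arithmetic stay the same.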

Security vendor Check Point recently revealed that CVE-2023-29360 has been exploited by the Raspberry Robin malware since August 2023.

Raspberry Robin is a worm first identified in September 2021 that spreads via USB drives. Its creators are unknown, but the worm has been linked to cybercrime groups such as Evil Corp and the Clop gang, both known for extortion activity.

In July 2022, Microsoft observed Raspberry Robin activity in the networks of numerous organizations across industries. Since then the worm has evolved, adopting new delivery methods and functionality.
