Detect CVE-2023-28252 & CVE-2023-21554 Exploitation Attempts: Windows Zero-Day Actively Used in Ransomware Attacks and a Critical RCE Flaw
- russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) Attack Detection: Adversaries Apply an Aggressive Infection Approach Leveraging Three Malware Branches - 11.04.2024
- VenomRAT Detection: A New Multi-Stage Attack Using ScrubCrypt to Deploy the Final Payload with Malicious Plugins - 10.04.2024
- New Supply Chain Attack Detection: Hackers Apply Multiple Tactics to Target GitHub Developers Using a Fake Python Infrastructure - 27.03.2024
Table of contents:
With a growing number of zero-day flaws affecting widely used software products, proactive detection of vulnerability exploitation has been among the most prevalent security use cases since 2021.
Microsoft has recently issued a series of security updates relevant to critical flaws affecting its products, including a patch for a zero-day actively exploited in the wild and tracked as the CVE-2023-28252 vulnerability. The latter is a privilege escalation vulnerability in the Windows Common Log File System (CLFS) Driver, with a CVSS score reaching 7.8.
Another security bug that arrests the attention of cyber defenders is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service tracked as CVE-2023-21554 and possessing a CVSS score of 9.8.
In view of active vulnerability exploitation, on April 11, 2023, CISA issued an alert notifying industry peers of adding the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities to raise cybersecurity awareness.
CVE-2023-28252 & CVE-2023-21554 Detection
In view of Microsoft addressing zero-day vulnerabilities in its flagship products for the second month in a row, security practitioners require a reliable source of detection content to proactively identify and secure their organizational infrastructure.
SOC Prime’s Detection as Code Platforms offers a batch of curated Sigma rules aimed at CVE-2023-28252 and CVE-2023-21554 exploit detection. Drill down to detections accompanied with CTI links, MITRE ATT&CKĀ® references, and other relevant metadata by following the links below.
Sigma Rule to Detect CVE-2023-28252 Exploitation Patterns
The rule is compatible with 21 SIEM, EDR, and XDR platforms and is aligned with the MITRE ATT&CK framework v12, addressing the Initial Access with Exploit Public-Facing Application (T1190) as the corresponding technique.
Sigma Rules to Detect CVE-2023-21554 Exploitation Attempts
The rules support 20+ SIEM, EDR, and XDR language formats and address the Initial Access and Lateral Movement tactics, with Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210) as corresponding techniques.
By clicking the Explore Detections button, organizations can gain instant access to even more detection algorithms aimed to help identify the malicious behavior linked to the exploitation of trending vulnerabilities.
CVE-2023-21554 and CVE-2023-28252 Analysis
CISA has recently issued a new alert informing cyber defenders of the escalating risks related to the exploitation of a known Windows Common Log File System CVE-2023-28252 vulnerability leveraged in the ransomware attacks and posing a potential threat to federal enterprises. This actively exploited zero-day, which is leveraged by threat actors to escalate privileges and spread Nokoyawa ransomware payloads, has been recently patched by Microsoft. CVE-2023-28252 has been assigned a CVSSv3 score of 7.8.
Another recently uncovered and patched vulnerability in Microsoftās April 2023 Security Updates, tracked as CVE-2023-21554 with a CVSS score of 9.8, has been called QueueJumper by Check Point cybersecurity researchers. This security flaw is a critical RCE vulnerability in the MSMQ service, which allows unauthorized users to remotely execute arbitrary code in the Windows service process mqsvc.exe. Adversaries can gain control of the process by abusing the TCP port 1801 through vulnerability exploitation.
As potential mitigation measures, cyber defenders recommend promptly installing Microsoftās official patches for CVE-2023-28252 and CVE-2023-21554. In addition, customers leveraging the potentially impacted Microsoft products should check for the availability of the MSMQ service for Windows servers and clients and potentially disable it to reduce unnecessary attack surfaces.
Rely on SOC Prime to be fully equipped with detection content for any exploitable CVE and any TTP used in cyber attacks. Gain access to 800+ rules for emerging and established vulnerabilities to instantly identify malicious behavior and timely remediate the threats. Get 140+ Sigma rules for free or reach the entire list of relevant detection algorithms by choosing the On Demand subscription tailored to your security needs at https://my.socprime.com/pricing/.
