Detect CVE-2023-28252 & CVE-2023-21554 Exploitation Attempts: Windows Zero-Day Actively Used in Ransomware Attacks and a Critical RCE Flaw

April 12, 2023 · 4 min read

With a growing number of zero-day flaws affecting widely used software products, proactive detection of vulnerability exploitation has been among the most prevalent security use cases since 2021. 

Microsoft has recently issued a series of security updates relevant to critical flaws affecting its products, including a patch for a zero-day actively exploited in the wild and tracked as the CVE-2023-28252 vulnerability. The latter is a privilege escalation vulnerability in the Windows Common Log File System (CLFS) Driver, with a CVSS score reaching 7.8.

Another security bug that demands the attention of cyber defenders is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service, tracked as CVE-2023-21554 and carrying a CVSS score of 9.8.

In view of active vulnerability exploitation, on April 11, 2023, CISA issued an alert notifying industry peers of adding the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities to raise cybersecurity awareness. 

CVE-2023-28252 & CVE-2023-21554 Detection

In view of Microsoft addressing zero-day vulnerabilities in its flagship products for the second month in a row, security practitioners require a reliable source of detection content to proactively identify and secure their organizational infrastructure.

SOC Prime’s Detection as Code Platform offers a batch of curated Sigma rules aimed at CVE-2023-28252 and CVE-2023-21554 exploit detection. Drill down to detections accompanied by CTI links, MITRE ATT&CK® references, and other relevant metadata by following the links below.

Sigma Rule to Detect CVE-2023-28252 Exploitation Patterns

The rule is compatible with 21 SIEM, EDR, and XDR platforms and is aligned with the MITRE ATT&CK framework v12, addressing the Initial Access with Exploit Public-Facing Application (T1190) as the corresponding technique. 

Sigma Rules to Detect CVE-2023-21554 Exploitation Attempts

The rules support 20+ SIEM, EDR, and XDR language formats and address the Initial Access and Lateral Movement tactics, with Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210) as corresponding techniques. 

By clicking the Explore Detections button, organizations can gain instant access to even more detection algorithms aimed to help identify the malicious behavior linked to the exploitation of trending vulnerabilities.

Explore Detections

CVE-2023-21554 and CVE-2023-28252 Analysis 

CISA has recently issued a new alert informing cyber defenders of the escalating risks related to the exploitation of the Windows Common Log File System vulnerability CVE-2023-28252, which is leveraged in ransomware attacks and poses a potential threat to federal enterprises. This actively exploited zero-day, which threat actors use to escalate privileges on an already compromised host and then deploy Nokoyawa ransomware payloads, has been recently patched by Microsoft. CVE-2023-28252 has been assigned a CVSSv3 score of 7.8.

Another recently uncovered and patched vulnerability in Microsoft’s April 2023 Security Updates, tracked as CVE-2023-21554 with a CVSS score of 9.8, has been named QueueJumper by Check Point cybersecurity researchers. This security flaw is a critical RCE vulnerability in the MSMQ service that allows unauthenticated remote attackers to execute arbitrary code in the Windows service process mqsvc.exe. Adversaries can gain control of the process by sending crafted MSMQ traffic to TCP port 1801, so any host exposing that port with an unpatched MSMQ service is reachable without prior access.

As mitigation measures, cyber defenders recommend promptly installing Microsoft’s official patches for CVE-2023-28252 and CVE-2023-21554. In addition, customers running the potentially impacted Microsoft products should check whether the MSMQ service is installed and running on Windows servers and clients (it is an optional component and is not needed on most hosts), and disable it where it is not required to reduce unnecessary attack surface. Until the patch is applied, blocking inbound TCP port 1801 at the host or perimeter firewall limits exposure of hosts that still need MSMQ.
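The following PowerShell script is an added example, not code from the original post or from SOC Prime; it performs the MSMQ exposure check described above on a single Windows host and, with a switch, disables the service. It assumes an elevated session on Windows 10/11 or Windows Server 2016+, that the service name is MSMQ (display name "Message Queuing") and the DISM feature name is MSMQ-Server, and the -Disable switch is this script's own convention.

```powershell
# Added example: inventory MSMQ exposure (CVE-2023-21554 / QueueJumper) and
# optionally disable the service. Run elevated. The -Disable switch is an
# assumption of this script, not something from the original post.
param(
    [switch]$Disable
)

$result = [ordered]@{}

# 1. Is the MSMQ service present, and what state is it in?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$result.ServiceInstalled = [bool]$svc
$result.ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
$result.StartType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

# 2. Is anything listening on TCP 1801, the port QueueJumper targets?
#    Expect mqsvc.exe when MSMQ is running; any other owner is worth a look.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$result.Port1801Listening = [bool]$listener
if ($listener) {
    $owner = $listener[0].OwningProcess
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    $result.ListenerProcess = if ($proc) { "$($proc.ProcessName) (PID $owner)" } else { "PID $owner" }
}

# 3. Is the optional feature installed? (Feature name assumed to be MSMQ-Server
#    on both client and server SKUs via DISM.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$result.OptionalFeatureState = if ($feature) { $feature.State.ToString() } else { 'Unknown' }

[PSCustomObject]$result | Format-List

# 4. Optional hardening: only where MSMQ is confirmed unnecessary.
if ($Disable -and $svc) {
    Stop-Service -Name 'MSMQ' -Force
    Set-Service  -Name 'MSMQ' -StartupType Disabled
    # Removing the feature keeps it from being silently re-enabled later.
    Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart | Out-Null
    Write-Output 'MSMQ stopped, set to Disabled, and the MSMQ-Server feature removed.'
}
```

Run it without arguments first to collect the inventory across your fleet (for example through your endpoint management tool), and only pass -Disable on hosts where the application owners confirm nothing depends on Message Queuing. The check on step 2 is also a cheap detection signal: a listener on 1801 owned by anything other than mqsvc.exe, or on a host where the feature is reported as not installed, deserves investigation.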

Rely on SOC Prime to be fully equipped with detection content for any exploitable CVE and any TTP used in cyber attacks. Gain access to 800+ rules for emerging and established vulnerabilities to instantly identify malicious behavior and timely remediate the threats. Get 140+ Sigma rules for free or reach the entire list of relevant detection algorithms by choosing the On Demand subscription tailored to your security needs at https://my.socprime.com/pricing/.
