Categories
Cybersecurity Advisories

CVE-2023-21554: Microsoft Patches Critical RCE Vulnerability in MSMQ Service

Microsoft has released a set of security updates fixing 97 flaws across its software, 45 of which are remote code execution (RCE) vulnerabilities. Among them are three vulnerabilities in the Microsoft Message Queuing service (MSMQ), all patched in this Patch Tuesday release. The most severe of the three is CVE-2023-21554 (known as QueueJumper; CVSSv3 score: 9.8 – Critical), which allows unauthenticated remote code execution by sending a single crafted packet to TCP port 1801.

According to Microsoft, MSMQ is a message infrastructure and development platform for creating distributed, loosely-coupled messaging applications for the Microsoft Windows operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging. 

QueueJumper Vulnerability & Impact 

CVE-2023-21554 allows an unauthenticated attacker to execute code remotely on any host that can be reached on TCP port 1801. A single malicious packet to 1801/tcp is enough to take control of the MSMQ service process, mqsvc.exe, which runs with the privileges of the service.

A full internet scan found more than 360,000 IPs with 1801/tcp open to the internet and running the MSMQ service. That figure covers only internet-facing hosts and does not account for machines running MSMQ on internal networks. Some popular software depends on MSMQ, and installing that software enables the MSMQ service on Windows, often without the user being aware of it. It is important to note that MSMQ is an optional Windows component that is not installed by default. Full technical details will be released later this month.

Mitigation 

  • All Windows admins are recommended to check their servers and clients to see whether the MSMQ service is installed. Check whether a service named ‘Message Queuing’ is present and whether TCP port 1801 is listening on the computer. If it is installed, double-check whether you actually need it; removing unnecessary attack surface is always good security practice.
  • Users are recommended to install Microsoft’s official patch as soon as possible. If your business requires MSMQ but cannot apply Microsoft’s patch right now, block inbound connections to 1801/tcp from untrusted sources with firewall rules (for example, blocking internet connections to 1801/tcp on internet-facing machines) as a workaround.
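The two checks and the firewall workaround above, as an added PowerShell example (not part of the original advisory or of Microsoft’s guidance). It assumes the standard Windows service name `MSMQ`, the standard firewall rule group name `Message Queuing` that the optional feature installs, and a placeholder `$TrustedSubnets` list that you must replace with your own ranges. The remediation step is off by default and only runs when `$ApplyFirewallWorkaround` is set to `$true`.

```powershell
# Added example: audit a Windows host for MSMQ exposure (CVE-2023-21554) and,
# if the patch cannot be applied yet, restrict inbound 1801/tcp with firewall rules.
# Run from an elevated PowerShell session on Windows 10/11 or Server 2016+.
# Assumptions (not from the advisory): service name 'MSMQ', firewall display
# group 'Message Queuing', and the $TrustedSubnets placeholder below.

$TrustedSubnets         = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder, replace with your own
$ApplyFirewallWorkaround = $false                              # set $true to apply the rules

# 1. Is the Message Queuing service installed? (display name 'Message Queuing')
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host 'MSMQ service is not installed on this host; nothing to do.'
    return
}
Write-Host ("MSMQ service present. Status: {0}, StartType: {1}" -f $svc.Status, $svc.StartType)

# 2. Is anything listening on 1801/tcp, and is that listener mqsvc.exe?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host '1801/tcp is not listening (service installed but stopped?).'
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("Listening on {0}:1801 - PID {1} ({2})" -f $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
}

# 3. Do you actually need it? Existing queues are a hint that something uses MSMQ;
#    no queues at all suggests the feature can simply be removed.
$queues = Get-MsmqQueue -ErrorAction SilentlyContinue
if ($queues) {
    Write-Host ("{0} MSMQ queue(s) defined on this host:" -f $queues.Count)
    $queues | Select-Object QueueName, MessageCount | Format-Table -AutoSize
} else {
    Write-Host 'No MSMQ queues found. Consider removing the feature, e.g.:'
    Write-Host '  Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -Remove'
}

# 4. Workaround when the patch cannot be applied yet: stop trusting the broad
#    inbound allow rules the feature installs, explicitly block 1801/tcp from the
#    Internet, and allow it only from trusted ranges. Windows Firewall evaluates
#    Block rules before Allow rules, so the Internet block wins for everything
#    that is not a trusted subnet.
if ($ApplyFirewallWorkaround) {
    Get-NetFirewallRule -DisplayGroup 'Message Queuing' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName 'CVE-2023-21554 workaround: block MSMQ 1801/tcp from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block `
        -RemoteAddress Internet -Profile Any | Out-Null

    New-NetFirewallRule -DisplayName 'CVE-2023-21554 workaround: allow MSMQ 1801/tcp from trusted subnets' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Allow `
        -RemoteAddress $TrustedSubnets -Profile Any | Out-Null

    Write-Host 'Firewall workaround applied. Verify with:'
    Write-Host "  Get-NetFirewallRule -DisplayName 'CVE-2023-21554*' | Get-NetFirewallPortFilter"
}
```

Treat the firewall rules as a stopgap only; they narrow who can reach the service but do nothing for an attacker already on a trusted subnet, and they should be removed once the April 2023 update is installed. `Get-MsmqQueue` is available only when the MSMQ feature is installed, which is why step 3 tolerates its absence.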

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring for the release of IoCs related to this CVE. Along with standard vendor threat-feed and signature updates, we will proactively load these into our SOC tools where applicable.

Additionally, we are running a Nessus external scan against internet-facing servers and will report anything we find.

As always, if we detect activity related to these exploits, we will alert you if warranted.  

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Microsoft Customer Guidance 

CVE-2023-21554 – Security Update Guide – Microsoft Security Response Center 


CVE-2023-28252: Windows Zero-Day Vulnerability Exploited in Nokoyawa Ransomware Attacks

Microsoft has patched an actively exploited zero-day vulnerability in the Windows Common Log File System (CLFS) driver that allows attackers to elevate privileges to SYSTEM on target machines and deploy Nokoyawa ransomware payloads. CISA added the flaw, tracked as CVE-2023-28252 (CVSSv3 score: 7.8 – High), to its Known Exploited Vulnerabilities (KEV) catalog and ordered FCEB agencies to secure their systems against it. The vulnerability affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.

Exploited with Nokoyawa ransomware

This zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. Security researchers found that the gang has used other exploits targeting the CLFS driver since June 2022, with similar but distinct characteristics that were likely developed by the same exploit author. Researchers have identified five different CLFS exploits used by the group in attacks on retail and wholesale, energy, manufacturing, healthcare, software development and other industries.

Nokoyawa ransomware surfaced in February 2022 as a strain targeting 64-bit Windows systems in double-extortion attacks: the operators also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid. Nokoyawa shares code with JSWorm, Karma and Nemty ransomware, and has since been rewritten in Rust. The variant deployed with the CVE-2023-28252 zero-day is a newer build that has diverged considerably from the early JSWorm-based versions.

Victimology

The vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

Recommendation

Organizations are urged to apply the patch released by Microsoft for CVE-2023-28252 to protect their systems from potential attacks.

IOCs