Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr

Risques

Microsoft’s April 2023 Patch Tuesday includes 7 critical and 90 important vulnerabilities for a wide range of Microsoft products and technologies. Microsoft reported one zero-day vulnerability that is actively exploited in the wild: CVE-2023-28252 affecting the Windows Common Log File System (CLFS).

Mandiant and Webin Lab discovered CVE-2023-28252. Threat actors can leverage CVE-2023-28252 during low-complexity attacks if local access is already achieved. Successful exploitation requires no user interaction and grants the threat actor SYSTEM privileges. Kaspersky observed Nokoyawa ransomware operators leveraging CVE-2023-28252. The Nokoyawa ransomware group is notable for its use of many similar but unique Common Log File System (CLFS) driver exploits.

Targeting CLFS to elevate privileges as part of post-compromise activity is a successful TTP for threat actors, there is a significant increase in observed activity during security incidents for the last two years.

Patching 0-day vulnerabilities from Microsoft Patch Tuesday should be prioritised, there have been at least 19 in-the-wild zero-day attacks which are observed in about one-third of all observed exploitation in 2023.

Microsoft also patched 2 critical CVEs affecting Microsoft's Message Queuing (MSMQ) service.

CVE-2023-21554 has been categorised by Microsoft as "exploitation more likely." This vulnerability can only be exploited when the Windows message queuing service is enabled. In that situation, TCP port 1801 will be listening on the host. A threat actor can successfully exploit CVE-2023-21554, after sending a specially crafted MSMQ packet to a targeted server.

Microsoft fixed another critical Remote Code Execution vulnerability affecting MSMQ, tracked as CVE-2023-28250.

CVE-2023-21554 & 2023-28250 are currently not exploited in the wild. Bharat Jogi (Director of the Vulnerability- and Threat Research at Qualys), expressed his concerns that CVE-2023-21554 & CVE-2023-28250 have a CVSSv3 base score of 9.8/10 and are potentially wormable.

Microsoft also announced that Exchange Server 2013 has reached its end of life. Microsoft’s Exchange Server 2013 will no longer receive security updates and must be upgraded as soon as possible.

Organisations that are still using Microsoft Exchange 2013 are advised to follow the guidance to decommission Microsoft Exchange Server 2013: https://techcommunity.microsoft.com/t5/exchange-team-blog/decommissioning-exchange-server-2013/ba-p/3613793.

Microsoft Exchange servers were a major target for at least 10 ransomware groups in 2022 and are also often targeted by Nation State actors such as the Hafnium group, Turla, and many other APT groups.

The Centre for Cyber security Belgium has launched multiple spear warning campaigns and advised Belgian organisations frequently to patch their servers.

Actions recommandées

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to install updates for vulnerable systems with the highest priority, after thorough testing.

Références

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/
https://www.tenable.com/blog/microsofts-april-2023-patch-tuesday-addresses-97-cves-cve-2023-28252
https://www.getinfosec.news/30886319/nokoyawa-ransomware-attacks-with-windows-zero-day#/
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2013-reaches-end-of-support-next-month/ba-p/3762083