CVE-2023-24880: Vulnerability Exploited by Magniber Ransomware Group


On March 14, 2023, Microsoft MSRC published a blog post about a zero-day security feature bypass vulnerability, CVE-2023-24880, affecting Windows 10, Windows 11, and Windows Server 2016 and later releases [1]. The vulnerability is a Windows SmartScreen security bypass: it allows attackers to bypass the Mark-of-the-Web (MotW) security warning that Windows' endpoint protection applies to downloaded files.

Google TAG researchers have linked this vulnerability to the delivery of Magniber ransomware [2]. Picus Labs has added attack simulations for Magniber ransomware to its Threat Library. In this blog, we explain how threat actors exploit CVE-2023-24880 to deliver Magniber ransomware.


Magniber Ransomware

First detected in late 2017, the Magniber ransomware targeted South Korean users through malvertising attacks using the Magnitude Exploit Kit [3]. Since then, it has continued to evolve, adopting new obfuscation strategies and evasion techniques. In April 2022, the ransomware drew attention when it masqueraded as a Windows update file, luring victims into installing it [4]. 

Later, in September 2022, threat actors began exploiting the Windows SmartScreen bypass vulnerability CVE-2022-44698 through JavaScript files to deploy the malware [5]. Microsoft released a patch for this vulnerability in December 2022.

As of March 2023, Magniber ransomware actors are exploiting a zero-day vulnerability, CVE-2023-24880, that renders the patch for the previous SmartScreen bypass ineffective, allowing them to deploy the malware onto target systems.

Windows SmartScreen CVE-2022-44698 Vulnerability

CVE-2023-24880 is not a stand-alone vulnerability; it is a variant of the earlier SmartScreen bypass vulnerability CVE-2022-44698 [6] in smartscreen.exe.

The vulnerability lies in the DoSafeOpenPromptForShellExec function of the shdocvw.dll module, which is responsible for showing the SmartScreen security warning before a downloaded file is opened. If the SmartScreen request returns an error, the function in question proceeds to execute the file without any warning to the user.

The error occurs while parsing the file's signature in the windows::security::signature_info::retrieve function of smartscreen.exe. In September 2022, adversaries exploited CVE-2022-44698 to deploy Magniber ransomware [5] using a JavaScript file with a malformed Authenticode signature, forcing the SmartScreen request to return an error and thereby bypassing the security warning.

SIGNATURE_INFO *windows::security::signature_info::retrieve(SIGNATURE_INFO *signature_info, HANDLE handle) {
    HANDLE wvt_state_data;
    CERT_CONTEXT *cert_context;
    CRYPT_PROVIDER_DATA *crypt_provider_data;

    . . .
    WTGetSignatureInfo(
        path::from_file(handle, io).c_str(),
        handle,
        SIF_AUTHENTICODE_SIGNED,
        &si_buffer->signature_info,
        &cert_context,
        &wvt_state_data);
    . . .
    if (wvt_state_data)
        crypt_provider_data = WTHelperProvDataFromStateData(wvt_state_data);
    else
        crypt_provider_data = NULL;

    if (crypt_provider_data && crypt_provider_data->hMsg) { // The JScript file's Authenticode signature leads to non-NULL values for these.
        if (!cert_context) {                                 // cert_context is NULL.
            THROW_HR(E_INVALIDARG);                          // An error gets raised.
        }

        windows::security::authenticode_information::create<enum SIGNATURE_STATE>( // This will be relevant for CVE-2023-24880.
            &authenticode_information,
            &cert_context,
            crypt_provider_data,
            . . .);
        . . .
    } else {
        . . .
    }
}

Figure 1. Pseudocode of the windows::security::signature_info::retrieve function [2].

The bypass technique was later adopted by other threat actors and was still being actively used to spread Qakbot malware in 2023 [7].

CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft patched this vulnerability in December 2022 by no longer raising an error in the specific case exploited by CVE-2022-44698. However, the patch does not address other instances where THROW_HR is called due to different errors within smartscreen.exe.

if (crypt_provider_data && crypt_provider_data->hMsg) {
    if (!cert_context) {
        if (wil::details::FeatureImpl<__WilfeatureTraits_Feature_MSRC75366_Servicing_Malformed_Authenticode_Check>::__private_IsEnabled()) {
            . . .                   // If the patch is enabled, do not raise an error for this specific case.
        } else {
            THROW_HR(E_INVALIDARG); // Otherwise, raise an error.
        }
    }
    . . .
}

Figure 2. Pseudocode of the patch for the CVE-2022-44698 vulnerability [2].

Each such instance is a potential opportunity for attackers: any error returned to shdocvw.dll causes it to skip the security warning. Attackers have bypassed the patched check by using signatures that yield a valid (non-NULL) cert_context, so the error is raised at a different point in signature processing instead, rendering the CVE-2022-44698 patch ineffective.

This vulnerability impacts newer Windows versions, specifically Windows 10 and 11, in addition to Server 2016 and later releases.
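Both bypasses rely on a downloaded script file whose Authenticode signature cannot be processed. The following hunting script is an added example, not code from the Picus post or from Google TAG: it lists MotW-tagged script files under an assumed directory whose signature parsing fails, which is the condition the bypass abuses. $Path and the extension list are assumptions.

```powershell
# Hunting heuristic (added example): report script files that carry a Mark-of-the-Web
# (Zone.Identifier ADS with ZoneId=3) and whose Authenticode signature cannot be
# processed. Valid and NotSigned are expected outcomes; any other status means a
# signature blob is present but malformed, which is worth triage.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed hunting scope
)

# Script types that Windows Script Host runs and that can carry Authenticode signatures.
$scriptExtensions = @('*.js', '*.jse', '*.wsf', '*.vbs', '*.vbe')

function Get-SuspiciousSignedScripts {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Include $scriptExtensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # Mark-of-the-Web lives in the Zone.Identifier alternate data stream.
            $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $hasMotw = (($zone -join "`n") -match 'ZoneId=3')
            if (-not $hasMotw) { return }   # SmartScreen only prompts for MotW-tagged files

            # Let WinVerifyTrust (via Get-AuthenticodeSignature) parse the signature.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $status = $sig.Status.ToString()

            [pscustomobject]@{
                Path            = $file.FullName
                SignatureStatus = $status
                StatusMessage   = $sig.StatusMessage
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Suspicious      = ($status -notin @('Valid', 'NotSigned'))
            }
        } |
        Where-Object { $_.Suspicious }
}

Get-SuspiciousSignedScripts -Root $Path | Sort-Object Path | Format-Table -AutoSize
```

Get-AuthenticodeSignature only reports whether the signature could be verified; it does not reproduce SmartScreen's internal error path, so treat hits as triage candidates rather than confirmed exploitation.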

How Does Picus Help Simulate Magniber Ransomware Attacks?

We also strongly suggest simulating Magniber ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware families that might exploit the CVE-2023-24880 vulnerability within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Magniber ransomware:

Threat ID   Threat Name                           Attack Module
45851       Magniber Ransomware Email Threat      E-mail Infiltration
79430       Magniber Ransomware Download Threat   Network Infiltration

Moreover, Picus Threat Library contains 300+ threats comprising 2000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint, 8000+ malware, 7800+ email, and 200+ data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Magniber ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Magniber ransomware:

Security Control   Signature ID   Signature Name
Fortigate AV       10108487       JS/Kryptik.CHH!tr
Forcepoint NGFW                   File_Malware-Blocked

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] “Security Update Guide - Microsoft Security Response Center.” [Online]. Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880. [Accessed: Mar. 17, 2023]

[2] B. Sevens, “Magniber ransomware actors used a variant of Microsoft SmartScreen bypass,” Google, Mar. 14, 2023. [Online]. Available: https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/. [Accessed: Mar. 17, 2023]

[3] Chi_Shanger, “Malware Analysis - Magniber Ransomware,” TXOne Networks, Feb. 03, 2023. [Online]. Available: https://www.txone.com/blog/malware-analysis-magniber-ransomware/. [Accessed: Mar. 17, 2023]

[4] L. Abrams, “Fake Windows 10 updates infect you with Magniber ransomware,” BleepingComputer, Apr. 30, 2022. [Online]. Available: https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/. [Accessed: Mar. 17, 2023]

[5] P. Schläpfer, “Magniber Ransomware Targets Users with Fake Software Updates,” HP Wolf Security, Oct. 13, 2022. [Online]. Available: https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/. [Accessed: Mar. 17, 2023]

[6] M. Kolsek, “0patch Blog.” [Online]. Available: https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html. [Accessed: Mar. 17, 2023]

[7] “QakBot Malware Bypass Windows Security Using Unpatched Vulnerability.” [Online]. Available: https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature. [Accessed: Mar. 17, 2023]