  • Petr Pospíšil

CVE-2023-36025: Windows SmartScreen in Active Exploitation

A recently disclosed zero-day vulnerability in Windows SmartScreen, tracked as CVE-2023-36025, has garnered significant attention. Despite Microsoft's Patch Tuesday release this month addressing the issue, the availability of a working proof-of-concept (PoC) exploit underscores the urgency for organizations to take immediate action as the vulnerability is already actively exploited.



Windows SmartScreen

Overview

CVE-2023-36025 is a security feature bypass vulnerability that lets an attacker evade Windows Defender SmartScreen checks, potentially exposing systems to malicious code. The flaw is characterized by low attack complexity, requiring only low privileges, and is exploitable over the Internet. The vulnerability affects nearly all Windows OS versions.


Vulnerable Systems

  • All server versions of Windows 2008, 2012, 2016, 2019, 2022, including 32bit, x64 and ARM versions.

  • All versions of Windows 10 or Windows 11, including 32bit, x64 and ARM versions.

See the official Microsoft documentation for details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025

How to exploit

To exploit the vulnerability, an attacker needs a user to click on a specially crafted Internet shortcut (.URL) or a link pointing to such a file. The PoC exploit aims to trick users into interacting with a malicious file without triggering SmartScreen alerts. TA544, a threat group known for distributing Ursnif banking Trojan, is actively targeting this vulnerability in campaigns.


Active exploitation

TA544, a financially motivated APT actor tracked since 2017, has been exploiting CVE-2023-36025 in a recent campaign. Known for distributing the Ursnif banking Trojan and WikiLoader, TA544 employs Remcos, a remote access Trojan, in this campaign. The threat actor sets up a unique webpage with links to a .URL file, using CVE-2023-36025 to automatically mount a virtual hard disk (.vhd) on victim systems.


Implications

If successful, an attacker can automatically mount a Virtual Hard Disk (VHD) on systems simply by opening the .URL file. This presents a significant risk, considering the potential for executing malicious code or directing users to harmful sites without any SmartScreen warnings.


Microsoft's Response

Microsoft has classified CVE-2023-36025 as an "Important" security feature bypass with a CVSS score of 8.8 (base) / 8.2 (temporal). The company released a patch on November 14, 2023, as part of its security updates. It is crucial for organizations to apply these updates promptly to mitigate the risk posed by this vulnerability.


Action Items

  1. Apply Security Updates: Ensure that the latest security updates from Microsoft, addressing CVE-2023-36025, are applied to all Windows systems.

  2. Monitoring and Detection: Implement monitoring mechanisms to detect unusual file behavior and network activity, especially related to .URL files.
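As a starting point for the second action item, here is an added example (not code from the original post or from Microsoft) that triages Windows Internet Shortcut (.URL) files for the traits the post describes: a shortcut whose target is a file/UNC path rather than a web page, or whose target names a virtual hard disk image (.vhd/.vhdx). The heuristics, function names and the constructed sample shortcuts are assumptions for illustration; the hostnames are placeholders, not indicators from the campaign.

```python
"""Triage Windows Internet Shortcut (.URL) files for traits worth alerting on.

Added example (not part of the original post). The two heuristics are
assumptions chosen to match what the post describes: the campaign uses a
.URL file to get a virtual hard disk (.vhd) mounted, so we flag shortcuts
whose target is a file:// or UNC path and shortcuts whose target names a
.vhd/.vhdx image.
"""
from urllib.parse import urlparse, unquote

VHD_EXTENSIONS = (".vhd", ".vhdx")

# Constructed samples (placeholder hosts, not real indicators).
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://example.invalid/report.html\n"
SUSPICIOUS_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=file://share.example.invalid/public/update.vhd\n"
)


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .URL file into {section: {key: value}}.

    Section names and keys are lower-cased; a value is everything after the
    first '='. A leading UTF-8 BOM, blank lines and ';' comments are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_url_shortcut(text: str) -> dict:
    """Return the shortcut's target and a list of reasons it looks suspicious."""
    sections = parse_url_shortcut(text)
    target = sections.get("internetshortcut", {}).get("url", "")
    findings = []
    if not target:
        findings.append("no URL= entry in [InternetShortcut]")
        return {"target": target, "findings": findings}

    decoded = unquote(target)          # undo %XX escaping before inspecting
    parsed = urlparse(decoded)
    scheme = parsed.scheme.lower()

    # Heuristic 1: target is a file or UNC share path rather than a web page.
    if scheme == "file" or decoded.startswith(("\\\\", "//")):
        findings.append("target is a file/UNC path, not a web page")

    # Heuristic 2: the target names a virtual hard disk image.
    path_part = parsed.path if scheme else decoded
    if path_part.lower().rstrip("/\\").endswith(VHD_EXTENSIONS):
        findings.append("target references a virtual hard disk image")

    return {"target": target, "findings": findings}


def triage_samples() -> dict:
    """Run the triage over the constructed samples; keyed by sample name."""
    return {
        "benign": triage_url_shortcut(BENIGN_SHORTCUT),
        "suspicious": triage_url_shortcut(SUSPICIOUS_SHORTCUT),
    }


if __name__ == "__main__":
    for name, result in triage_samples().items():
        status = "ALERT" if result["findings"] else "ok"
        print(f"{name}: {status} target={result['target']!r}")
        for reason in result["findings"]:
            print(f"  - {reason}")
```

In practice you would feed `triage_url_shortcut` the contents of .URL files collected from download folders, mail attachments or web proxy logs, and raise an alert when the findings list is non-empty; a shortcut that merely opens an https page produces no findings, so the noise stays low.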

Note: The information provided is based on available knowledge as of November 22, 2023.
