Recently, security experts uncovered a disturbing development - ransomware criminals gaining access to a functional exploit for a nearly year-old critical Microsoft SharePoint vulnerability. This alarming revelation was significant enough to prompt its addition to the US's must-patch list by the Cybersecurity and Infrastructure Security Agency (CISA).

The Vulnerability: CVE-2023-29357

Tracked as CVE-2023-29357, this SharePoint vulnerability was initially identified by Nguyễn Tiến Giang of STAR Labs during Vancouver's Pwn2Own contest in March 2023. Classified as a critical elevation of privileges (EoP) vulnerability with a severity score of 9.8, it enables potential remote code execution (RCE). Despite Microsoft addressing it in June 2023's Patch Tuesday, the situation took a darker turn.

The Ransomware Connection

Kevin Beaumont, a researcher, revealed that at least one ransomware group possesses a working exploit for CVE-2023-29357. Although CISA stated that the use of this exploit in ransomware campaigns is currently "unknown," the urgency to address it cannot be overstated. When vulnerabilities make it to CISA's known exploited vulnerabilities (KEV) list, federal agencies have a three-week window to patch them, as they are actively exploited by cybercriminals.

The Timeline

The journey of this vulnerability from discovery to exploitation is both intriguing and concerning. Jang's successful chaining of CVE-2023-29357 with another bug at Pwn2Own led to Microsoft's initial fix in June. The proof of concept (PoC) code for CVE-2023-29357 landed on GitHub in September, creating a foundation for potential exploitation.

Despite the warnings issued in September about the PoC code providing a launching pad for cybercriminals, the ransomware attacks did not materialize as expected. The delay may be attributed to the complexity involved in chaining CVE-2023-29357 with CVE-2023-24955. Jang and his team spent nearly a year of meticulous effort and research to achieve this feat, emphasizing the sophistication of the exploit.

Patching Challenges and Risks

The urgency for IT administrators to patch both CVE-2023-29357 and CVE-2023-24955 is underscored. Applying the June 2023 Patch Tuesday updates alone won't suffice, as manual, SharePoint-specific patches are required. The process ensures that the fixes are correctly applied since Windows Update won't install these patches automatically.

The severity of CVE-2023-29357 lies in its potential to grant administrator privileges, posing a severe threat to organizations. Meanwhile, CVE-2023-24955, although requiring privileges for remote exploitation, carries its own risks. NHS Digital reports no known proof of concept code for the RCE vulnerability circulating online, indicating a secretive development by those exploiting it.

Conclusion: Vigilance and Swift Action

In conclusion, the revelation of ransomware gangs exploiting the CVE-2023-29357 vulnerability serves as a stark reminder of the evolving nature of cyber threats. Organizations must remain vigilant, understanding that the delay in exploitation does not diminish the severity of the risk. Swift action, thorough patching, and ongoing cybersecurity measures are paramount to safeguarding against emerging threats in the digital realm.