Instead, far too many customers did not patch and now those same vulnerabilities are being exploited in the wild by multiple groups, according to Microsoft and other researchers following the bugs. So far Microsoft has observed the Lance Tempest cybercrime group using the flaw to send out ransomware like Cl0p and LockBit. Now they are seeing groups like Mango Sandstorm and Mint Sandstorm jump on the band wagon for some of the fun. Mango Sandstorm has been linked to the Iranian MOIS (Ministry of Intelligence and Security), while Mint Sandstorm is linked to the Islamic Revolutionary Guard Corps (IRGC). Seeing these two groups involved could mean that these new attacks are part of an ongoing campaign which used both cyber attacks and influence (social media etc.) operations to make geopolitical changes in the region.

These flaws, left unpatched, represent a significant threat to organizations. The rapid move from disclosure to exploitation could mean a couple of things, either threat groups knew about these flaws and know they have a small window to utilize them before they are patched, or their development teams and timelines are more sophisticated that originally thought. The former is worrisome while the latter much more concerning. It means that the usually anticipated time to remediate is significantly shorter than most organizations can meet, even for a critical vulnerability. Consider the fact that one of the bugs (CVE-2023-27350) allows for arbitrary code execution as SYSTEM and there are groups that have still not patched it.

Organizations should be looking to improve their exposure identification and remediation programs to stay ahead of these types of flaws. The mean time to remediate needs to be trimmed down quite a bit as well especially now that we know just how quickly threat actors can mobilize and get their own tools ready to take advantage of the right flaw. Happy patching.