Two zero-day vulnerabilities actively exploited by ransomware threat groups were among 73 bugs Microsoft addressed in this month’s Patch Tuesday release.
The zero-days included a bug that allows hackers to bypass a security feature designed to protect against malicious internet shortcut files, and another that allows attackers to bypass SmartScreen security checks.
February’s batch of 73 patches — up from the 48 released last month — included fixes for five bugs rated “critical,” impacting a range of Microsoft solutions including Office, Exchange Server and Dynamics 365 Business Central (previously Dynamics NAV).
The actively exploited Internet Shortcut File vulnerability, tracked as CVE-2024-21412, enables attackers to bypass Mark of the Web (MoTW) warnings in Windows.
“An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks,” Microsoft said.
“However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.”
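As an added defender-side illustration of the Mark of the Web mechanism this bypass targets (example code written for this page, not from Microsoft, ZDI or the article), the routine below parses an Internet Shortcut (.url) file body together with the text of its Zone.Identifier stream, which Windows writes for files downloaded from the internet, and reports whether the mark is present and what the shortcut points to; the sample inputs are constructed.

```python
import configparser
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Zone ids Windows writes into the Zone.Identifier stream (ZoneId=3 is "Internet").
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

@dataclass
class ShortcutReport:
    target: str                 # value of the URL= key, "" if missing
    scheme: str                 # URL scheme of the target, lower-cased
    zone_id: Optional[int]      # ZoneId from Zone.Identifier, None if stream absent
    findings: List[str] = field(default_factory=list)

def _parse_ini(text: str) -> configparser.ConfigParser:
    # Both files are INI-style; keep key case, tolerate duplicate keys and '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def triage_internet_shortcut(url_body: str, zone_body: Optional[str]) -> ShortcutReport:
    """Report MoTW status and target of a .url file; zone_body is the Zone.Identifier text."""
    cp = _parse_ini(url_body)
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    scheme = urlparse(target).scheme.lower()
    report = ShortcutReport(target, scheme, None)
    if not target:
        report.findings.append("no URL= key in [InternetShortcut]")
    elif scheme not in ("http", "https"):
        report.findings.append(f"target uses non-web scheme '{scheme or 'none'}': {target}")
    if zone_body is None:
        report.findings.append("no Zone.Identifier stream: Mark of the Web absent")
        return report
    raw = _parse_ini(zone_body).get("ZoneTransfer", "ZoneId", fallback="")
    if not raw.isdigit():
        report.findings.append("Zone.Identifier present but ZoneId missing or malformed")
        return report
    report.zone_id = int(raw)
    if report.zone_id < 3:
        name = ZONE_NAMES.get(report.zone_id, "unknown")
        report.findings.append(f"ZoneId={report.zone_id} ({name}): no internet-zone warning")
    return report

# Constructed samples (not files from the article): a web shortcut that carries MoTW.
SAMPLE_URL = "[InternetShortcut]\nURL=https://example.test/report.html\n"
SAMPLE_ZONE = "[ZoneTransfer]\nZoneId=3\n"
```

Calling `triage_internet_shortcut(SAMPLE_URL, None)` models a shortcut that arrived without the stream, which is the condition a security team would want to hunt for on endpoints.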
Researchers with Trend Micro’s Zero Day Initiative (ZDI) were among those who discovered the flaw. In a Feb. 13 post, they said it was exploited by the DarkCasino threat group (also known as Water Hydra) in a campaign targeting financial traders.
“Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru),” the ZDI researchers said.
The second zero-day, a Windows SmartScreen security feature bypass (CVE-2024-21351), lets attackers evade the checks SmartScreen performs on files before they are opened.
“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said.
While details of how the vulnerability was exploited in the wild were not revealed, Microsoft said an attacker needed to send the targeted user a malicious file and, using social engineering, convince them to open it.
“This is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days,” said Tenable senior staff research engineer Satnam Narang.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two new bugs to its Known Exploited Vulnerabilities Catalog, setting a deadline of March 5 for Federal Civilian Executive Branch agencies to patch them.
One of the critical vulnerabilities patched by Microsoft this month, and identified as being among those more likely to be exploited by attackers, was an Exchange Server elevation of privilege flaw (CVE-2024-21410).
“Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user,” Narang said.
“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers. A Russian-based threat actor leveraged a similar vulnerability to carry out attacks — CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook, patched in March 2023.”
The other four critical bugs Microsoft patched in this release were: a Dynamics 365 Business Central/Dynamics NAV information disclosure vulnerability (CVE-2024-21380), an Outlook remote code execution (RCE) vulnerability (CVE-2024-21413), a Windows Hyper-V denial of service vulnerability (CVE-2024-20684), and a Windows Pragmatic General Multicast RCE vulnerability (CVE-2024-21357).
Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.