SECURITY ALERT: Microsoft Windows Defender SmartScreen 0-Day (CVE-2024-21412) – Trend Micro Business Support

Copyright © Trend Micro Incorporated. All rights reserved.

On Tuesday, February 13, 2024, Microsoft released their latest security patches which included code to address an observed in-the-wild (ITW) 0-day vulnerability (CVE-2024-21412) that the Trend Micro Zero Day Initiative discovered and responsibly disclosed to Microsoft.  This vulnerability (which we track as ZDI-CAN-23100) is a Windows Defender SmartScreen bypass that has been observed to be used as part of a sophisticated zero-day attack chain by the Water Hydra advanced persistent threat (APT) group (also known as DarkCasino) that targeted foreign exchange (forex) traders.

More information on Trend Micro's detailed analysis of the vulnerability can be found in the following:

Trend Micro Blogs

Trend Micro Brief Page

Zero Day Initiative Blog

The following article contains information for Trend Micro customers on how to use Trend Micro products for investigation, as well as the various detections and protections that are available for the known vulnerability and exploits.
 
The following highlights post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Vision One customers benefit from the attack surface risk management and XDR capabilities of the overall platform, fed by products such as Trend Micro Apex One or Trend Vision One – Endpoint Security, allowing existing customers to stay up to date on the latest information on these vulnerabilities. Leveraging the Risk Insights family of apps, customers can scan for and identify impacted assets, and stay up to date on the latest mitigation steps, including how to use Trend products to detect and defend against exploitation.
Attack Surface Risk Management (ASRM) > Executive Dashboard
An updated Zero Day Vulnerability page in the Trend Vision One Executive Dashboard has been launched to consolidate the relevant information in one place for Trend Vision One users, and will be updated as more information is released.
[Screenshot: Security Alert – Smart Screen Vulnerability]
Trend Vision One customers may utilize Trend Micro’s Vision One Detection Models to scan for potential issues.
[Screenshot: Potential Exploits detection model]
Search Query
In addition, Trend Vision One customers may utilize the General Search Query function in the console to do some preliminary investigation of potential exposure.
[Screenshot: Threat Query]
Observed Attack Techniques (OATs)
Another potentially useful search is to look for OATs that may have been recently spotted in the environment that use some of the tactics, techniques and procedures (TTPs) highlighted in Trend Micro’s technical analysis blog.
[Screenshot: Observed Attack Techniques]
OSQUERY in XDR Threat Investigation > Forensics
Trend Vision One customers may also utilize the OSQUERY function as part of the Forensics toolset in Vision One to run a query on machines that may not have applied the relevant Microsoft patch:
[Screenshot: osquery]
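The advisory does not reproduce the query itself, so the following is an added example of the kind of osquery (SQLite-dialect) query a defender can run through the Vision One Forensics osquery function, or locally with osqueryi, to report whether a host carries the February 2024 cumulative update. It is not Trend Micro’s own query. The KB identifier is not given on this page, so KB_PLACEHOLDER is an assumption to be replaced with the KB number of the February 13, 2024 update for the host’s Windows build; the `patches` and `os_version` tables are standard osquery tables on Windows.

```sql
-- Added example (not Trend Micro's shipped query): report whether this host has the
-- February 2024 Windows cumulative update installed. KB_PLACEHOLDER is an assumption;
-- replace it with the KB number that applies to the host's Windows build.
SELECT
  os.name    AS os_name,
  os.version AS os_version,
  os.build   AS os_build,
  CASE
    WHEN EXISTS (SELECT 1 FROM patches WHERE hotfix_id = 'KB_PLACEHOLDER')
      THEN 'installed'
    ELSE 'MISSING'
  END AS feb_2024_update
FROM os_version AS os;

-- Companion inventory query: list every hotfix the host reports, so the expected KB
-- for this build can be confirmed against the vendor's release notes.
SELECT hotfix_id, installed_on, installed_by
FROM patches
ORDER BY hotfix_id;
```

Hosts whose first query returns `MISSING` are candidates for patching and for a closer look with the Threat Query and OAT searches above. Because the correct KB differs by Windows build, check the `os_build` column against the KB that Microsoft published for that build before treating a `MISSING` result as confirmed exposure; `patches` is backed by Windows Update’s hotfix inventory, which does list cumulative updates but does not reflect updates that are downloaded and still pending a reboot.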
First and foremost, it is always highly recommended that users apply the vendor’s patches when they become available. Microsoft has released some updated patches as part of the February 2024 Patch Tuesday set of critical updates.  
As the original submission of the exploit came through the Trend Micro Zero Day Initiative, and based on our analysis of the exploit information, Trend Micro can share that it has detection rules and filters that can help protect against potential exploitation of this vulnerability.
Trend Micro Cloud One – Network Security & TippingPoint Filters
Trend Vision One Network Sensor and Trend Micro Deep Discovery Inspector (DDI) Rules
Trend Micro Worry-Free Business Security Services (WFBSS) Vulnerability Protection IPS Rules
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint, Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)
In addition to the proactive exploit protection listed above, Trend Micro endpoint, server, mail and gateway solutions also detect and protect against components of the DarkMe malware that have been observed in attacks in the wild. Detections of these components include:
Trend Micro will continue to monitor and update this article as new information becomes available.
