Exploiting Microsoft Windows SmartScreen | DROP Organization

On February 13, 2024, Microsoft issued a patch for CVE-2024-21412, a Microsoft Defender SmartScreen vulnerability that is triggered through internet shortcuts. CVE-2024-21412 is a security bypass vulnerability in Microsoft Windows SmartScreen that arises from an error in handling maliciously crafted files. A remote attacker can exploit this flaw to bypass the SmartScreen security warning dialog and deliver malicious files.

Earlier, it was discovered that an advanced persistent threat (APT) group named Water Hydra had been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, bypassing Microsoft Defender SmartScreen to infect victims with the DarkMe remote access trojan (RAT). Other threat actors, distributing malware such as Lumma Stealer and Meduza Stealer, have also exploited this vulnerability.

In a recent campaign, a stealer was observed being delivered through multiple files that exploit CVE-2024-21412 to download malicious executables. Threat actors make constant efforts to find new tactics for identifying and exploiting gaps that let them bypass security measures.

To begin with, the attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing an HTA script. Once the script is executed, it decodes and decrypts PowerShell code to retrieve the final URLs, decoy PDF files, and a malicious shell code injector. The injector then attempts to inject the final stealer into legitimate processes, initiating the malicious activity and sending the stolen data back to a C2 server.
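One place a defender can act on the chain described above is its first stage, the internet shortcut itself. The following is an added example, not code from the original article: it parses the .url (InternetShortcut) file format and flags shortcuts whose target is another shortcut, script or executable, or a file share, rather than a web page. The two sample shortcuts and the 203.0.113.10 address are constructed for the demonstration, and the extension list is an assumed heuristic, not an exhaustive indicator set.

```python
"""Flag Internet Shortcut (.url) files whose target is not a web page.

Added example for triage of the URL-file stage of the chain described in
the article; the samples below are constructed, not real campaign artifacts.
"""
import configparser
from urllib.parse import urlparse

# Assumption: a benign web shortcut should not point at a file of these types.
SUSPECT_EXTENSIONS = (".url", ".lnk", ".hta", ".exe", ".js", ".vbs")


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section.

    .url files are INI-style; interpolation is disabled so '%'-encoded URLs
    are not mangled, and key case is preserved (the key is literally 'URL').
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        raise ValueError("not an Internet Shortcut file")
    return dict(cp["InternetShortcut"])


def assess_shortcut(text: str) -> list:
    """Return a list of finding strings; an empty list means nothing flagged."""
    fields = parse_internet_shortcut(text)
    target = fields.get("URL", "")
    parsed = urlparse(target)
    findings = []
    # A shortcut that leads to another shortcut or script is the hallmark of
    # the URL-file -> LNK-file -> HTA chain, so the target's file type matters.
    if parsed.path.lower().endswith(SUSPECT_EXTENSIONS):
        findings.append(f"target is a non-web file type: {target}")
    # file:// and UNC targets fetch content from a share, not a web server.
    if parsed.scheme == "file" or target.startswith("\\\\"):
        findings.append(f"target refers to a file share: {target}")
    return findings


# Constructed samples: one ordinary web shortcut, one shaped like the chain.
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://example.com/report\r\n"
SUSPECT_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/files/photo.jpg.lnk\r\n"
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, assess_shortcut(sample) or ["no findings"])
```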

It is therefore important for organizations to identify and mitigate vulnerabilities, especially zero-days, on a regular basis in order to safeguard customers, employees and systems from attacks that exploit them. Protecting systems in this way reduces the damage caused by incidents and improves overall security resilience.

Analysis also found that the attackers waste no time in designing different injectors to evade detection, and that they use different PDF files to target specific regions, such as North America, Spain and Thailand.

Water Hydra's Exploitation of CVE-2024-21412

The Water Hydra APT group, also known as DarkCasino, came into focus in 2021, when it launched a series of campaigns against the financial sector, using social engineering on financial trading forums to trick victims. The group has carried out targeted attacks on banks, cryptocurrency platforms, foreign exchange and stock trading platforms and gambling sites around the world.

Water Hydra exploits CVE-2024-21412 to gain initial access to victims, which then allows it to perform lateral movement and the subsequent stages of an attack. The threat actors have demonstrated considerable technical expertise and sophistication, along with an ability to exploit undisclosed zero-day vulnerabilities in their attacks. They have been using the DarkMe malware to gather information from victims since 2022.

How can threat actors exploit CVE-2024-21412?

It was discovered that the Water Hydra group used internet shortcuts disguised as JPEG images; when a user opens one, the threat actor is able to exploit CVE-2024-21412. They then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of the attack chain.

Impact of CVE-2024-21412 exploitation

The Water Hydra group used a blend of social engineering techniques to trick victims into opening malicious links that lead to the exploitation of CVE-2024-21412. The attackers then compromised the victim's host system and deployed malicious payloads. Threat actors may have different motivations for exploiting the vulnerability, such as sabotage or cyberespionage.

The exploitation of vulnerabilities, especially zero-days, poses serious risks to organizations. A data breach is one such risk: attackers can infiltrate systems, exfiltrate sensitive data and compromise the confidentiality of critical information. This, in turn, results in significant financial losses through regulatory fines, legal fees and reputational damage. In a broader sense, zero-day attacks can disrupt business operations, leading to downtime, lost productivity and customer dissatisfaction.

Users affected by CVE-2024-21412

The component affected by CVE-2024-21412, Microsoft Defender SmartScreen, is a feature of both Windows 10 and Windows 11. Originally introduced in Windows 8, SmartScreen is an integrated Windows feature designed to warn users before they access a malicious URL or file. As evidenced, all currently supported Windows client versions are affected by this flaw.

Protections against CVE-2024-21412

Microsoft has released an official patch that fixes this issue, and many organizations will be scrambling to run emergency operations to test and deploy it. In most cases applying a patch requires a reboot, whereas virtual patching needs no system restart. In addition, a bug bounty program helps identify security vulnerabilities quickly so that they can be fixed before an attacker exploits them. Many platforms have provided virtual patches on average 51 days ahead of Microsoft-sourced fixes for vulnerabilities.

Conclusion

This campaign mainly relies on CVE-2024-21412 to distribute LNK files that download executables with HTA script code embedded in their overlays. The HTA script runs quietly, avoiding any pop-up windows, and downloads two files: a decoy PDF and an executable designed to inject shell code, thus setting the stage for the final stealers.

To counter such threats, businesses must make their users aware of the dangers of downloading and running files from unverified sources. Threat actors will continue to innovate new ways to execute attacks, which necessitates a robust and proactive cybersecurity strategy to guard against sophisticated attack vectors. Proactive measures, user awareness and strict security protocols are essential components in safeguarding an organization's digital assets.
