Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

On February 2024 Patch Tuesday, Microsoft delivered fixes for 72 CVE-numbered vulnerabilities, including two zero-days (CVE-2024-21412, CVE-2024-21351) that are being leveraged by attackers in the wild.

About CVE-2024-21412 and CVE-2024-21351

CVE-2024-21412 allows attackers to bypass the Microsoft Defender SmartScreen security feature with booby-trapped Internet Shortcut files.

In late December 2023, Trend Micro researcher Peter Girnus and his colleagues in the ZDI Threat Hunting team discovered the Water Hydra APT leveraging the flaw to infect victims with the DarkMe malware.

(Several other researchers, including two from Google’s Threat Analysis Group, reported the same vulnerability to Microsoft.)

“Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru),” Trend Micro researchers shared.


The JPEG file linking back to a WebDAV share hosting a malicious internet shortcut file. (Source: Trend Micro Zero Day Initiative)

In short, victims were tricked into downloading what they believed to be a photo (.jpeg file), which was actually a malicious Internet Shortcut (.url) file. That shortcut pointed to a second Internet Shortcut file, which contained the logic to exploit a previously patched Microsoft Defender SmartScreen bypass vulnerability (CVE-2023-36025).

The researchers created a proof-of-concept (PoC) for further testing, and discovered that the initial shortcut bypassed the patch for CVE-2023-36025 and evaded SmartScreen protections, “which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source.”
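The delivery chain described above (a shortcut disguised as a photo that points at a second shortcut hosted on a WebDAV share) lends itself to a simple triage heuristic for files arriving from untrusted sources. The following Python is an added example, not code from Trend Micro, ZDI or the article; the sample files, host names and the heuristics themselves are constructed assumptions.

```python
import configparser
from typing import Dict, List

# Extensions Windows treats as shortcuts (executed on open) rather than documents.
SHORTCUT_EXTS = (".url", ".lnk")
# Decoy extensions that make a shortcut look like a photo or document in Explorer.
DECOY_EXTS = (".jpeg", ".jpg", ".png", ".pdf", ".docx")

# Constructed samples (hosts are placeholders, not real indicators).
SAMPLE_FILES: Dict[str, str] = {
    "photo.jpeg.url": "[InternetShortcut]\n"
                      "URL=file://webdav.example.invalid/share/stage2.url\n",
    "readme.url": "[InternetShortcut]\nURL=https://example.invalid/docs\n",
    "chart.url": "[InternetShortcut]\n"
                 "URL=\\\\203.0.113.5@80\\DavWWWRoot\\chart.url\n",
}


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= target of an Internet Shortcut (INI format), or '' if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def is_remote_share_target(url: str) -> bool:
    """True for file:// URLs and UNC paths, i.e. targets fetched over SMB/WebDAV."""
    u = url.lower()
    return u.startswith("file://") or u.startswith("\\\\")


def assess_shortcut(filename: str, text: str) -> List[str]:
    """Heuristic triage of one .url file; returns the reasons it looks suspicious."""
    reasons: List[str] = []
    name = filename.lower()
    stem = name[: -len(".url")] if name.endswith(".url") else name
    if stem.endswith(DECOY_EXTS):
        reasons.append("double extension disguises a shortcut as a document")
    target = parse_internet_shortcut(text)
    if is_remote_share_target(target):
        reasons.append("target is fetched from a remote SMB/WebDAV share")
        if target.lower().endswith(SHORTCUT_EXTS):
            reasons.append("remote target is itself a shortcut (nested chain)")
    return reasons


def triage(files: Dict[str, str]) -> List[str]:
    """Names of the files that trip at least one heuristic, in input order."""
    return [n for n, t in files.items() if assess_shortcut(n, t)]
```

A hit should be treated as a lead for analyst review (and for checking whether the file carries a Zone.Identifier stream), not as proof of malice.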

CVE-2024-21351 is a bypass of the Windows SmartScreen security feature that can be similarly exploited to deliver malware, after convincing prospective victims to open a booby-trapped file.

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft added.

“Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. SmartScreen bypasses in Windows Defender allow attackers to evade this inspection and run code in the background,” noted Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative.

“Microsoft does not indicate how widespread these attacks may be but you should expect exploits to increase as threat actors add this to their toolkits.”

Patches for CVE-2024-21412 and CVE-2024-21351 should be tested and implemented quickly.

Other vulnerabilities of note

Childs also singled out CVE-2024-21410, an elevation of privilege bug in Microsoft Exchange Server, as worthy of a quick patch, but noted that patching won’t be straightforward since additional administrative actions are required to fully address the vulnerability.

Exploiting CVE-2024-21410 could result in the disclosure of a targeted user’s NTLM credentials, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user, says Satnam Narang, senior staff research engineer at Tenable.

“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers. A Russian-based threat actor leveraged a similar vulnerability (CVE-2023-23397) to carry out attacks,” he added.

And, finally, there’s CVE-2024-21413, a remote code execution vulnerability affecting Microsoft Office, which may allow attackers to bypass the Office Protected View and open a file in editing mode (rather than protected mode).

“Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane,” Childs noted, and stressed that “users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability.”

UPDATE (February 14, 2024, 02:40 p.m. ET):

Check Point researchers have shared technical information regarding CVE-2024-21413, which they dubbed the MonikerLink bug.

UPDATE (February 15, 2024, 03:40 a.m. ET):

Microsoft has updated the security advisory for CVE-2024-21410 (the Exchange Server EoP bug) to say that “Microsoft was aware of exploitation of this vulnerability.”
