Hacker Reveals Microsoft Has Patched Two 0-Day Vulnerabilities in its Products

Microsoft's February patches fix 73 vulnerabilities (plus six more in Microsoft Edge and one in Mariner), including two zero-day issues that are already being exploited. In particular, CVE-2024-21412 is already being used by the DarkCasino hack group (aka Water Hydra) in attacks on financial traders.

In total, this Patch Tuesday patched five critical vulnerabilities related to denial of service (DoS), remote code execution, information disclosure, and privilege escalation.


Among the resolved problems were two zero-day vulnerabilities that had already been exploited by hackers. The first of them, CVE-2024-2135, is a bypass of Windows SmartScreen protection. The company does not say how or by whom this vulnerability was used in the attacks.

“An authorized attacker must send a malicious file to a user and convince them to open the file,” Microsoft explains. “An attacker who successfully exploited this vulnerability could bypass SmartScreen.”

The second problem, CVE-2024-21412, is associated with Internet Shortcut files and was discovered by Trend Micro.

“An unauthenticated attacker could send a specially crafted file to a target user designed to bypass displayed security warnings,” Microsoft says. “However, an attacker will not be able to force the user to view the content he controls. Instead, the attacker would have to convince the user to take action by clicking on the file.”

Trend Micro explains that, in addition, CVE-2024-21412 makes it possible to exploit another bug in Defender SmartScreen (CVE-2023-36025). That issue was patched in November 2023 and had been used to deploy the Phemedrone malware, likewise bypassing the security warnings Windows shows when opening URL files.

According to the researchers, the new zero-day was used in attacks aimed at “currency traders participating in high-stakes currency trading.” The ultimate goal of these attacks was likely to steal data or deploy ransomware.


“In late December 2023, we began tracking a campaign by the Water Hydra group, which used similar tools and tactics, including the use of .URL files and WebDAV (Web-based Distributed Authoring and Versioning) components,” Trend Micro explained. “We concluded that calling a shortcut from another shortcut was sufficient to bypass SmartScreen, which failed to properly use Mark-of-the-Web (MotW), a critical Windows component that warns users about opening or running files from an untrusted source.”
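As an added illustration of the lure pattern Trend Micro describes (example code, not from the article or from Trend Micro), the following Python checks a .URL file for the traits a defender would want to flag: a target on a remote WebDAV share, a shortcut that points to another shortcut, and a missing Mark-of-the-Web. The sample file, host address and Zone.Identifier content are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a .URL file whose target is a second shortcut on a WebDAV
# share, the "shortcut calling a shortcut" pattern described above (not a real IoC).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10@80/share/trade_signals.url
IconIndex=0
"""

SHORTCUT_EXTS = (".url", ".lnk")


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section of a .URL file into a key/value dict."""
    fields: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def assess_shortcut(text: str, zone_identifier: Optional[str] = None) -> List[str]:
    """Return reasons a .URL file resembles the chained-shortcut lure.

    zone_identifier is the content of the file's Zone.Identifier alternate data
    stream (the Mark-of-the-Web), or None if the stream is absent.
    """
    findings: List[str] = []
    target = parse_internet_shortcut(text).get("url", "")
    parsed = urlparse(target)
    path = parsed.path.lower()
    if parsed.scheme == "file" and parsed.netloc:
        findings.append(f"file:// target on remote host {parsed.netloc}")
    # WebDAV targets typically appear as host@80 / host@SSL or a DavWWWRoot path.
    if re.search(r"@(80|443|ssl)\b", parsed.netloc, re.I) or "davwwwroot" in path:
        findings.append("target is a WebDAV share")
    if path.endswith(SHORTCUT_EXTS):
        findings.append("shortcut points to another shortcut (chained)")
    if zone_identifier is None or "zoneid=3" not in zone_identifier.replace(" ", "").lower():
        findings.append("no Mark-of-the-Web (ZoneId=3) on the file")
    return findings
```

A file that carries MotW (ZoneId=3) and points at a plain https URL yields no findings; the constructed sample yields all four.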

Water Hydra exploited CVE-2024-21412 to attack forex trading forums and Telegram channels related to stock trading. To do this, the hackers used targeted phishing attacks, distributing malicious links to the hacked fxbulls(.)ru website, which pretended to be the platform of the forex broker fxbulls(.)com. The attackers' goal was to use social engineering to convince victims to install the DarkMe remote access Trojan.

The phishing lures included messages in English and Russian offering trading recommendations (or, conversely, asking for them), as well as fake stock-exchange and financial tools related to technical analysis.
