Cybercriminals are stepping up efforts to bypass a critical component in Microsoft Defender in order to covertly install malware.
The team at Fortinet said it spotted multiple in-the-wild attacks on CVE-2024-21412. The vulnerability, classified as a security bypass error, allows an attacker to use embedded URLs in .lnk files without triggering the SmartScreen component.
Though Microsoft patched the vulnerability in February, enough Windows systems remain unpatched to make targeting the flaw worthwhile for criminal hackers.
Normally, when a piece of malware attempts to execute, Windows Defender isolates it and delivers the user a SmartScreen notification, thus preventing any further infection or malicious activity.
However, if the attack code and commands are specially crafted and embedded in a URL inside the .lnk shortcut file, the malware can run without being caught by SmartScreen.
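Because the lure here is a shortcut whose string fields carry a URL, a defender can triage suspicious .lnk attachments by parsing the Shell Link format (MS-SHLLINK) and listing any URLs in its string data. The following is an added example, not code from Fortinet or Microsoft; the `build_sample_lnk` helper only constructs a minimal, target-less test shortcut so the parser can be exercised offline, and `example.invalid` is a placeholder domain.

```python
import re
import struct

# Header constants from MS-SHLLINK (the Windows Shell Link binary format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order when their flag bit is set.
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
URL_RE = re.compile(r"(?:https?|file)://[^\s<>\"']+", re.IGNORECASE)

def extract_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, arguments, ...) of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, name in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out

def find_lnk_urls(data: bytes) -> list:
    """List every URL embedded in the shortcut's string fields."""
    urls = []
    for text in extract_lnk_strings(data).values():
        urls.extend(URL_RE.findall(text))
    return urls

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test shortcut: valid header plus a Unicode arguments field only."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", 0x20 | IS_UNICODE) + bytes(LNK_HEADER_SIZE - 24)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    print(find_lnk_urls(build_sample_lnk("https://example.invalid/notice.pdf")))
```

Shortcuts whose fields contain a URL, especially one arriving by e-mail, are worth quarantining for review regardless of whether the host is fully patched.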
Fortinet global security strategist Aamir Lakhani told CyberRisk Alliance that once the exploit is performed, the attacker can use any number of methods to execute the malicious payload.
The team has seen cybercriminals using techniques ranging from disguising the executable as a more benign file type to more sophisticated methods such as DLL sideloading and injecting malware code into legitimate processes.
“The most common threat vector is the initial threat vector that occurs through phishing emails. Exploiting this vulnerability begins with phishing emails containing malicious links,” Lakhani explained.
“These emails use lures related to healthcare insurance schemes, transportation notices, and tax-related communications to deceive individuals and organizations.”
Lakhani noted that in a few cases, there have been more exotic methods employed to disguise the attack payload.
“There are other initial vectors as well,” the researcher explained.
“Another tactic is to take advantage of Open Redirect links. These links exploit Google DoubleClick open redirects, leading victims to compromised web servers hosting the exploit.”
Ultimately, the exploit will end in the installation of a number of bog-standard malware capabilities, including backdoor access to the infected PC, credential theft, and remote keylogging and activity tracking.
Fortunately, the vulnerability is relatively simple for most users and administrators to address. Simply updating Windows (or having updated it any time in the last five months) will resolve the flaw. Additionally, administrators are advised to remind users of the importance of not opening email attachments from untrusted sources.