Two zero-day vulnerabilities actively exploited by ransomware threat groups were among 73 bugs Microsoft addressed in this month’s Patch Tuesday release.
The zero-days included a bug that allows hackers to bypass a security feature designed to protect against malicious internet shortcut files, and another that allows attackers to bypass SmartScreen security checks.
February’s batch of 73 patches — up from the 48 released last month — included fixes for five bugs rated "critical," impacting a range of Microsoft solutions including Office, Exchange Server and Dynamics 365 Business Central (previously Dynamics NAV).
DarkCasino gang exploited shortcut bug
The actively exploited Internet Shortcut File vulnerability, tracked as CVE-2024-21412, enables attackers to bypass Mark of the Web (MoTW) warnings in Windows. MoTW is the Zone.Identifier tag Windows attaches to files downloaded from the internet so that SmartScreen and other components can warn the user before the file is opened; a bypass means a crafted .url shortcut can get its target past that warning.
“An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks,” Microsoft said.
“However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.”
Researchers with Trend Micro’s Zero Day Initiative (ZDI) were among those who discovered the flaw. In a Feb. 13 post, they said it was exploited by the DarkCasino threat group (also known as Water Hydra) in a campaign targeting financial traders.
“Water Hydra deployed a spearphishing campaign on forex trading forums and stock trading Telegram channels to lure potential traders into infecting themselves with DarkMe malware using various social engineering techniques, such as posting messages asking for or providing trading advice, sharing fake stock and financial tools revolving around graph technical analysis, graph indicator tools, all of which were accompanied by a URL pointing to a trojan horse stock chart served from a compromised Russian trading and cryptocurrency information site (fxbulls[.]ru),” the ZDI researchers said.
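A practical check that follows from the MoTW description above: since the lure in this campaign arrived as an internet shortcut (.url) file, a responder can triage such files on a suspect host by reading their Zone.Identifier stream (the MoTW marker) and the URL= target inside the shortcut. The script below is an added example written for this article, not code from Microsoft, ZDI or the article itself; the scan root (the user's Downloads folder) and the "suspicious target" pattern are assumptions chosen for illustration, not indicators published for this campaign.

```powershell
# Added example (not from the article, Microsoft or ZDI): triage .url internet
# shortcut files for Mark of the Web and the target they point at.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan root; adjust as needed
)

function Get-ZoneId {
    param([string]$File)
    # Zone.Identifier is the NTFS alternate data stream that carries Mark of the Web.
    # It is INI text: [ZoneTransfer] then ZoneId=3 for files from the Internet zone.
    try {
        $ads  = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
        $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -and ($line -match '^ZoneId=(\d+)')) { return [int]$Matches[1] }
    } catch {
        # No stream: the file did not come through a MoTW-aware download path,
        # or it was copied to a non-NTFS volume (streams are lost there).
    }
    return $null
}

function Get-ShortcutTarget {
    param([string]$File)
    # .url files are INI text: [InternetShortcut] followed by URL=<target>
    $line = Get-Content -LiteralPath $File -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*URL\s*=' } | Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

# Assumed heuristic: a shortcut whose target is another file (UNC share, file: URI,
# or an executable/script/shortcut served over HTTP) rather than an ordinary web
# page deserves a closer look, because that is where a second-stage payload would sit.
$suspiciousTarget = '^(\\\\|file:|https?://[^/]+/.*\.(url|lnk|exe|dll|msi|js|vbs|hta)(\?|$))'

Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.url -ErrorAction SilentlyContinue |
  ForEach-Object {
    $target = Get-ShortcutTarget $_.FullName
    $zone   = Get-ZoneId $_.FullName
    [pscustomobject]@{
        File       = $_.FullName
        ZoneId     = $zone            # 3 = Internet zone, $null = no MoTW at all
        Target     = $target
        Suspicious = [bool]($target -and ($target -match $suspiciousTarget))
    }
  } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the host being examined, pointing `-Path` at wherever the user saves downloads or attachments. Note that a .url file carrying ZoneId=3 is exactly the case this patch addresses: with CVE-2024-21412 unpatched, the MoTW check on such a shortcut could be bypassed, so the presence of the tag alone is not evidence that SmartScreen would have warned.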
Another SmartScreen flaw surfaces
The Windows SmartScreen security feature bypass vulnerability (CVE-2024-21351) lets an attacker get a malicious file past the reputation and warning checks SmartScreen normally applies to files downloaded from the internet.
“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said.
While details of how the vulnerability was exploited in the wild were not revealed, Microsoft said an attacker needed to send the targeted user a malicious file and, using social engineering, convince them to open it.
“This is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days,” said Tenable senior staff research engineer Satnam Narang.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two new bugs to its Known Exploited Vulnerabilities Catalog, setting a deadline of March 5 for Federal Civilian Executive Branch agencies to patch them.
Critical Exchange Server bug’s pass-the-hash attack risk
One of the critical vulnerabilities patched by Microsoft this month, and identified as being among those more likely to be exploited by attackers, was an Exchange Server elevation of privilege flaw (CVE-2024-21410).
“Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user,” Narang said.
“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers. A Russian-based threat actor leveraged a similar vulnerability to carry out attacks — CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook, patched in March 2023.”
The other four critical bugs Microsoft patched in this release were: a Dynamics 365 Business Central/Dynamics NAV information disclosure vulnerability (CVE-2024-21380), an Outlook remote code execution (RCE) vulnerability (CVE-2024-21413), a Windows Hyper-V denial of service vulnerability (CVE-2024-20684), and a Windows Pragmatic General Multicast RCE vulnerability (CVE-2024-21357).