Microsoft has patched two actively exploited zero-day vulnerabilities in its February Patch Tuesday – a pair of security feature bypasses affecting Internet Shortcut Files and Windows SmartScreen respectively – out of a total of just over 70 vulnerabilities disclosed in the second drop of 2024.
Among some of the more pressing issues this month are critical vulnerabilities in Microsoft Dynamics, Exchange Server, Office, and Windows Hyper-V and Pragmatic General Multicast, although none of these flaws are being used in the wild quite yet.
Water Hydra
The first of the two zero-days is tracked as CVE-2024-21412 and was found by Trend Micro researchers. It appears to be being used to target foreign exchange traders specifically by a group tracked as Water Hydra.
According to Trend Micro, the cyber criminal gang is leveraging CVE-2024-21412 as part of a wider attack chain in order to bypass SmartScreen and deliver a remote access trojan (RAT) called DarkMe, likely as a precursor to future attacks, possibly involving ransomware.
“CVE-2024-21412 represents a critical vulnerability characterised by sophisticated exploitation of the Microsoft Defender SmartScreen through a zero-day flaw,” explained Saeed Abbasi, product manager for vulnerability research at the Qualys Threat Research Unit.
“This vulnerability is exploited via a specially crafted file delivered through phishing tactics, which cleverly manipulates internet shortcuts and WebDAV components to bypass the displayed security checks.
“The exploitation requires user interaction, attackers must convince the targeted user to open a malicious file, highlighting the importance of user awareness alongside technical defences. The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen,” said Abbasi.
The second zero-day, tracked as CVE-2024-21351, is remarkably similar to the first in that ultimately, it impacts the SmartScreen service. In this case, however, it enables an attacker to get around the checks that it conducts for the so-called Mark-of-the-Web (MotW) that indicates whether a file can be trusted or not, and execute their own code.
“This bypass can occur with minimal user interaction, requiring only that a user opens a malicious file,” said Abbasi. “The impact of this exploit includes potential unauthorised access to data (some loss of confidentiality), severe manipulation or corruption of data (total loss of integrity), and partial disruption of system operations (some loss of availability).
“The significance of this vulnerability lies in its ability to undermine a crucial security defence against malware and phishing attacks, emphasising the urgency for users to update their systems to mitigate the risk.”
Critical vulns
The five critical vulnerabilities this month are, in CVE number order:
- CVE-2024-20684, a denial of service (DoS) vulnerability in Windows Hyper-V;
- CVE-2024-21357, a remote code execution (RCE) vulnerability in Windows Pragmatic General Multicast (PGM);
- CVE-2024-21380, an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV;
- CVE-2024-21410, an elevation of privilege (EoP) vulnerability in Microsoft Exchange Server;
- CVE-2024-21413, an RCE vulnerability in Microsoft Office.
Assessing this month’s critical vulnerabilities, security experts zoomed in on CVE-2024-21410 in Microsoft Exchange in particular. Kev Breen, senior director of threat research at Immersive Labs, said that it should be high on the list because while it is not marked as being actively exploited, it is much more likely to be exploited.
“This specific vulnerability is known as an NTLM relay or pass-the-hash attack and this style of attack is a favourite for threat actors as it allows them to impersonate users in the network,” he said.
“The way this vulnerability works is that if an attacker is able to collect your NTLM hash, they effectively have the encoded version of your password and can log in to the Exchange Server as you. Microsoft specifically calls out past vulnerabilities like the Outlook zero click exploit CVE-2023-35636 as one method attackers can gain access to this NTLM hash.”
“Financially motivated attackers will be quick to try and weaponise this as it allows for more convincing business email compromise attacks where they can intercept, read and send legitimate email on behalf of employees, for example, from the CEO or CFO,” he said.
Mike Walters, president and co-founder of Action1, drew attention to CVE-2024-21412 in Outlook, which carries a very high severity rating of 9.8 on the CVSS scale.
“Characterised by its network-based attack vector, the vulnerability requires no special privileges or user interaction for exploitation and could significantly impact confidentiality, integrity, and availability,” he said.
An attacker can exploit this vulnerability via the preview pane in Outlook, allowing them to circumvent Office Protected View and force files to open in edit mode, rather than in the safer protected mode,” said Walters.
Walters said that the threat posed by this vulnerability was substantial, possibly enabling an attacker to elevate their privileges and gain the ability to read, write and delete data. Added to this concern, it could also allow them to craft malicious links to bypass Protected View Protocol, leading to the exposure of local NTLM credentials and possibly facilitating remote code execution. As such, it should be treated as a priority.