A newly discovered 0-day vulnerability in Windows systems, CVE-2024-43451, has been actively exploited by suspected Russian hackers to target Ukrainian entities.
This 0-day flaw, identified by security analysts at ClearSky Cyber Security in June 2024, allows attackers to gain unauthorized access to systems through minimal user interaction.
CVE-2024-43451 is an NTLM Hash Disclosure spoofing vulnerability that can be triggered by seemingly harmless actions:-
- A single right-click on a malicious file
- Deleting the file (on Windows 10/11)
- Moving the file to another folder (on certain Windows versions)
Researchers at ClearSky Cyber Security observed that when this 0-Day vulnerability is exploited, it discloses the user’s NTLMv2 hash, which attackers can use to authenticate as the user and potentially move laterally within a network.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Attack Method
The attack begins with a phishing email containing a hyperlink to download an Internet shortcut file. This file is hosted on a compromised Ukrainian government server. When the user interacts with the file, it triggers the vulnerability, establishing a connection to the attacker’s server.
The exploit then downloads additional malware, including SparkRAT, an open-source remote access tool that allows attackers to control compromised systems remotely.
Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed these attacks to UAC-0194, a threat group believed to be Russian. The campaign primarily targets Ukrainian entities, highlighting the ongoing cyber warfare in the region.
Microsoft patched CVE-2024-43451 as part of its November 2024 Patch Tuesday update. The vulnerability affects all supported Windows versions, from Windows 10 and later to Windows Server 2008 and up.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43451 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to secure vulnerable systems by December 3, 2024.
Users and organizations are strongly advised to apply the security update immediately to mitigate the risk posed by this actively exploited zero-day vulnerability.
Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.