URL: https://www.helpnetsecurity.com/2024/02/13/cve-2024-21412-cve-2024-21351/


Zeljka Zorz, Editor-in-Chief, Help Net Security
February 13, 2024


MICROSOFT PATCHES TWO ZERO-DAYS EXPLOITED BY ATTACKERS (CVE-2024-21412,
CVE-2024-21351)



On February 2024 Patch Tuesday, Microsoft delivered fixes for 72 CVE-numbered
vulnerabilities, including two zero-days (CVE-2024-21412, CVE-2024-21351) that
are being leveraged by attackers in the wild.


ABOUT CVE-2024-21412 AND CVE-2024-21351

CVE-2024-21412 allows attackers to bypass the Microsoft Defender SmartScreen
security feature with booby-trapped Internet Shortcut files.

In late December 2023, Trend Micro researcher Peter Girnus and his colleagues in
the ZDI Threat Hunting team discovered the Water Hydra APT leveraging the flaw
to infect victims with the DarkMe malware.

(Several other researchers, including two from Google’s Threat Analysis Group,
reported the same vulnerability to Microsoft.)

“Water Hydra deployed a spearphishing campaign on forex trading forums and stock
trading Telegram channels to lure potential traders into infecting themselves
with DarkMe malware using various social engineering techniques, such as posting
messages asking for or providing trading advice, sharing fake stock and
financial tools revolving around graph technical analysis, graph indicator
tools, all of which were accompanied by a URL pointing to a trojan horse stock
chart served from a compromised Russian trading and cryptocurrency information
site (fxbulls[.]ru),” Trend Micro researchers shared.



[Figure: The JPEG file linking back to a WebDAV share hosting a malicious Internet Shortcut file. (Source: Trend Micro Zero Day Initiative)]

In short, victims were tricked into downloading a file they believed to be a
photo (.jpeg file) but which was actually a malicious Internet Shortcut (.url)
file. That shortcut pointed to another Internet Shortcut file, which contained
the logic to exploit a previously patched Microsoft Defender SmartScreen bypass
vulnerability (CVE-2023-36025).

The researchers created a proof-of-concept (PoC) for further testing, and
discovered that the initial shortcut bypassed the patch for CVE-2023-36025 and
evaded SmartScreen protections, “which failed to properly apply Mark-of-the-Web
(MotW), a critical Windows component that alerts users when opening or running
files from an untrusted source.”

CVE-2024-21351 is a bypass of the Windows SmartScreen security feature that can
be similarly exploited to deliver malware after convincing prospective victims
to open a booby-trapped file.

“The vulnerability allows a malicious actor to inject code into SmartScreen and
potentially gain code execution, which could potentially lead to some data
exposure, lack of system availability, or both,” Microsoft added.

“Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an
untrusted location. SmartScreen bypasses in Windows Defender allow attackers to
evade this inspection and run code in the background,” noted Dustin Childs, head
of threat awareness at Trend Micro Inc.’s Zero Day Initiative.

“Microsoft does not indicate how widespread these attacks may be but you should
expect exploits to increase as threat actors add this to their toolkits.”

Patches for CVE-2024-21412 and CVE-2024-21351 should be tested and implemented
quickly.


OTHER VULNERABILITIES OF NOTE

Childs also singled out CVE-2024-21410, an elevation of privilege bug in
Microsoft Exchange Server, as worthy of a quick patch, but noted that patching
won’t be straightforward since additional administrative actions are required to
fully address the vulnerability.

Exploiting CVE-2024-21410 could result in the disclosure of a targeted user’s
NTLM credentials, which could be relayed back to a vulnerable Exchange Server in
an NTLM relay or pass-the-hash attack, which would allow the attacker to
authenticate as the targeted user, says Satnam Narang, senior staff research
engineer at Tenable.

“We know that flaws that can disclose sensitive information like NTLM hashes are
very valuable to attackers. A Russian-based threat actor leveraged a similar
vulnerability (CVE-2023-23397) to carry out attacks,” he added.

And, finally, there’s CVE-2024-21413, a remote code execution vulnerability
affecting Microsoft Office, which may allow attackers to bypass the Office
Protected View and open a file in editing mode (rather than protected mode).

“Not only does this somehow allow code execution to occur, but it could also
occur in the Preview Pane,” Childs noted, and stressed that “users of the 32-
and 64-bit versions of Office 2016 will need to install multiple updates to
fully address this vulnerability.”





© Copyright 1998-2024 by Help Net Security