Threat actors may have been exploiting a zero-day bug, patched in Microsoft’s July security update, for at least 18 months before the fix shipped. The vulnerability (CVE-2024-38112) affects the MSHTML (Trident) engine of Internet Explorer. Although Internet Explorer itself has been retired, newer Windows 10 and Windows 11 systems are still vulnerable to attacks that target this flaw.
Haifei Li, a security researcher at Check Point, discovered the flaw and reported it to Microsoft in May. According to Li, the vulnerability allows an attacker to send victims specially crafted Internet Shortcut files that, when clicked, use Internet Explorer rather than the default browser to open an attacker-controlled URL. Check Point observed threat actors combining this exploit with a trick that disguises malicious HTML Application (HTA) files as benign PDF documents.
Eli Smadja, research group manager at Check Point, warns that the vulnerability could allow an attacker to execute ransomware, spyware, and other arbitrary code on a victim’s machine. Check Point’s ongoing analysis has identified at least two different threat actors exploiting CVE-2024-38112 in campaigns targeting individuals in Vietnam and Turkey. One campaign involves dropping the Atlantida information stealer on targeted victims in these countries.
The Atlantida malware steals credentials, cryptocurrency wallet data, browser data, screen captures, hardware details, and other sensitive information from compromised systems. Despite the severity of the exploit, Microsoft has assigned CVE-2024-38112 only a moderately high severity rating, reasoning that the attacker must first convince the victim to interact with the weaponized URL file for the attack to succeed.
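Since the delivery vector above is an Internet Shortcut (.url) file whose name mimics a document, a defender can triage such files before users click them. The following Python is an added example, not Check Point's or Microsoft's code: it parses the INI-style shortcut body, flags a URL whose scheme is not http/https (a normal bookmark has no reason to hand the link to another handler), and flags double extensions such as Invoice.pdf.url. The samples are constructed, and the suspicious one uses a placeholder scheme "xyz" rather than any real handler.

```python
import configparser
from urllib.parse import urlsplit

# Schemes a legitimate Internet Shortcut (.url) would normally carry.
ALLOWED_SCHEMES = {"http", "https"}
# Document extensions a lure may place before ".url" so it looks like a PDF or Office file.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file; return the [InternetShortcut] keys, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written (URL, IconFile, ...)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))

def triage_shortcut(filename: str, text: str) -> list:
    """Return the reasons this shortcut deserves analyst attention (empty list means nothing odd)."""
    findings = []
    keys = parse_internet_shortcut(text)
    if not keys:
        return ["no [InternetShortcut] section: not a well-formed shortcut"]
    scheme = urlsplit(keys.get("URL", "")).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"URL scheme {scheme!r} is not http/https; Windows may hand it to a handler other than the default browser")
    # A name such as report.pdf.url displays as a document when known extensions are hidden.
    stem = filename.lower().removesuffix(".url")
    if stem.endswith(DOCUMENT_EXTS):
        findings.append("double extension: the visible file name impersonates a document")
    return findings

# Constructed samples (not taken from the campaign). The suspicious one uses the
# placeholder scheme "xyz" to stand in for any non-http handler.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.test/docs/\n"
SUSPICIOUS_URL_FILE = "[InternetShortcut]\nURL=xyz:http://example.test/lure\nIconIndex=13\n"

if __name__ == "__main__":
    for name, body in (("bookmark.url", BENIGN_URL_FILE), ("Invoice.pdf.url", SUSPICIOUS_URL_FILE)):
        print(name, triage_shortcut(name, body) or "ok")
```

Running the same triage over a mail gateway's attachment quarantine or an endpoint's Downloads folder gives a cheap first filter; anything flagged still needs a human or sandbox look, since the checks are heuristics, not a signature for this CVE.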
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38112 to its catalog of known exploited vulnerabilities (KEV) and has advised organizations to apply Microsoft’s mitigations for the vulnerability. Federal civilian executive branch agencies have until July 30 to remediate the issue or discontinue the use of affected products until the issue is fixed.
Alongside CVE-2024-38112, CISA has added a second zero-day from Microsoft’s July update to the catalog: CVE-2024-38080, a privilege escalation flaw in Microsoft Windows Hyper-V virtualization technology that allows an attacker with local access to acquire system-level privileges.
Microsoft addressed a total of 139 vulnerabilities in its July update, more CVEs than the May and June updates combined. Organizations are urged to apply the necessary patches and updates to protect their systems from exploitation by threat actors.
