CyberSecurity SEE

Copy2pwn bypasses Windows Mark Of The Web security feature

Researchers have disclosed a vulnerability, CVE-2024-38213, that lets threat actors evade Windows’ Mark-of-the-Web (MotW) protections through an ordinary copy-and-paste operation. Nicknamed “copy2pwn,” it is a further example of attackers chipping away at the security features layered around untrusted downloads, and it illustrates why proactive vulnerability research against those features matters.

Web-based Distributed Authoring and Versioning (WebDAV) shares have become a recurring element in recent campaigns. A WebDAV share can be opened in a web browser or mounted as a path in Windows Explorer, and threat actors have used them to host malicious payloads. By chaining them with vulnerabilities such as CVE-2024-36025 and CVE-2024-21412, attackers have circumvented built-in Microsoft protections such as Windows Defender SmartScreen. Crafted Windows search queries let a threat actor control which files the WebDAV share appears to contain, so a malicious file can be presented as if it were a harmless one.

The Mark-of-the-Web is a critical security feature in Windows: files downloaded from the internet receive an NTFS Alternate Data Stream (ADS) named Zone.Identifier that records the zone they came from. That stream is what triggers the additional security checks and prompts that reduce the risk of executing untrusted content. A file without the MotW never engages Windows Defender SmartScreen or Microsoft Office Protected View at all, so the user opens it with no warning and no sandboxing.

Researchers from the Zero Day Initiative (ZDI) Threat Hunting team observed a campaign in which DarkGate operators exploited CVE-2024-21412 as a zero-day; the researchers reported that flaw to Microsoft. The same campaign was later updated to use the copy2pwn technique, showing how quickly operators swap in a fresh bypass once the previous one is patched.

Before Microsoft’s June 2024 security update, files copied and pasted from a WebDAV share did not receive the MotW. A user who copied a file from such a share to the desktop and then opened it therefore bypassed Windows Defender SmartScreen and Microsoft Office Protected View without realizing it. As more threat actors host payloads on WebDAV shares, several weaknesses in how Windows handles files fetched from them have surfaced and been abused as zero-days.
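The practical check that follows from the two paragraphs above is whether a given file actually carries the Zone.Identifier stream. The PowerShell below is an added example, not code from ZDI or from the article: it inspects files for the MotW, reports the zone recorded in the stream, and re-applies an Internet-zone mark (ZoneId=3) to any file that lacks one. It assumes Windows with an NTFS volume (Alternate Data Streams require NTFS) and Windows PowerShell 5.1 or PowerShell 7+; the demo directory, file names and URLs are constructed for the example.

```powershell
# Added example: audit files for the Mark-of-the-Web (Zone.Identifier ADS) and
# re-apply it where missing. Not from the ZDI advisory or the article.
# Assumes Windows, an NTFS volume and Windows PowerShell 5.1 / PowerShell 7+.

function Get-MotWStatus {
    # Returns whether a file carries the Zone.Identifier stream and, if so,
    # the ZoneId and HostUrl recorded in it (ZoneId 3 = Internet).
    param([Parameter(Mandatory)][string]$Path)

    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null; HostUrl = $null }
    }

    $zoneId = $null
    $hostUrl = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotW = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

function Set-MotW {
    # Writes a Zone.Identifier stream that marks the file as coming from the
    # Internet zone, which is what SmartScreen and Protected View key on.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl
    )
    $lines = @('[ZoneTransfer]', 'ZoneId=3')
    if ($HostUrl) { $lines += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $lines
}

# --- Constructed demo (temporary directory, placeholder files) -------------
$demoDir = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null

# Stand-in for a file that arrived with MotW, e.g. a normal browser download.
$marked = Join-Path $demoDir 'downloaded.docx'
Set-Content -LiteralPath $marked -Value 'placeholder'
Set-MotW -Path $marked -HostUrl 'https://example.invalid/downloaded.docx'

# Stand-in for a file copied from a WebDAV share before the June 2024 fix:
# same content, but no Zone.Identifier stream at all.
$unmarked = Join-Path $demoDir 'copied-from-webdav.docx'
Set-Content -LiteralPath $unmarked -Value 'placeholder'

Write-Host "Audit of $demoDir before remediation"
$report = Get-ChildItem -LiteralPath $demoDir -File | ForEach-Object { Get-MotWStatus -Path $_.FullName }
$report | Format-Table -AutoSize

# Re-mark anything that lacks MotW so the usual prompts engage when it is opened.
foreach ($entry in ($report | Where-Object { -not $_.HasMotW })) {
    Write-Host "Re-applying MotW to $($entry.Path)"
    Set-MotW -Path $entry.Path -HostUrl 'https://webdav.example.invalid/'
}

Write-Host "Audit of $demoDir after remediation"
Get-ChildItem -LiteralPath $demoDir -File |
    ForEach-Object { Get-MotWStatus -Path $_.FullName } |
    Format-Table -AutoSize

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it in an elevated or normal PowerShell session on an NTFS volume; the first audit shows `HasMotW` false for the WebDAV stand-in, the second shows both files marked. `Get-Item -LiteralPath <file> -Stream *` lists every stream on a file if you want to see the raw ADS, and `Unblock-File` is the cmdlet that deletes Zone.Identifier, which is exactly the state a file copied from a WebDAV share was left in before the patch.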

The researchers reported CVE-2024-38213 to Microsoft, which classified it as a “Windows Mark of the Web Security Feature Bypass Vulnerability” and fixed it in the June 2024 updates. Installing those updates (or any later cumulative update) closes the copy2pwn gap. Beyond patching, users should treat WebDAV shares with the same suspicion as any other untrusted source and be alert when copying and pasting files from them, since clipboard-based techniques such as pastejacking and copy2pwn rely on exactly that habit.

In conclusion, copy2pwn is a reminder that security features such as MotW are only as strong as the code paths that apply them, and that attackers actively probe for the paths that do not. Keeping up with vulnerability disclosures and applying security patches promptly remain the most effective defenses against malicious actors seeking to exploit these weaknesses.
