Cyberattackers take advantage of Microsoft SmartScreen bug in Stealer Campaign

A vulnerability in Microsoft Defender SmartScreen that was identified and fixed in February is still being exploited by cybercriminals worldwide for infostealing activities. The flaw, CVE-2024-21412, is rated “high” severity with a CVSS score of 8.1 and allows attackers to bypass SmartScreen's security checks. Despite the patch released on Feb. 13, threat actors have continued to use it in campaigns delivering well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Five months after the initial patch, security researchers at Fortinet have discovered a new campaign leveraging the CVE-2024-21412 vulnerability. This campaign involves two additional infostealers, Meduza and ACR, and has already impacted targets in the US, Spain, and Thailand. According to Aamir Lakhani, a global security strategist and researcher at Fortinet, attackers are exploiting the native Microsoft Windows software, which should ideally be updated through regular Microsoft patch cycles. The fact that organizations are failing to patch such critical vulnerabilities raises concerns about the overall security posture and patching practices in place.

The attack chain associated with CVE-2024-21412 involves tricking SmartScreen through PowerShell techniques and concealing attacks within images to evade detection. In the latest campaign, victims are enticed with a URL that triggers the download of a shortcut file (LNK) leading to the execution of an HTML Application (HTA) script with PowerShell code. This code facilitates the retrieval of decoy PDF files and malicious injectors, one of which uses a JPG image file to obfuscate malicious code. Image-based attacks, such as this one, are less common but highly effective as they exploit vulnerabilities in image processing and steganography detection.
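From a defender's side, the LNK → HTA → PowerShell chain described above leaves a distinctive lineage in process-creation telemetry: mshta.exe becomes an ancestor of powershell.exe. The Python below is an added example (not code from the article or from Fortinet) that walks constructed Sysmon-style events, whose field names are an assumption, and flags that lineage together with the HTA file that mshta.exe was given.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 style; field names are an
# assumption, not real telemetry. pids 100-300 mirror the article's chain:
# explorer.exe (user opens the LNK) -> mshta.exe (HTA) -> powershell.exe.
# pid 400 is a benign console opened from the Start menu and must not alert.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command <script body from the HTA>"},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

HTA_PATH = re.compile(r'[^"\s]+\.hta\b', re.IGNORECASE)


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, limit=16):
    """Events from pid up to the root; bounded so pid reuse cannot loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_hta_powershell_chains(events):
    """One alert per PowerShell process that has mshta.exe as an ancestor."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        chain = ancestry(by_pid, ev["pid"])
        names = [basename(e["image"]) for e in chain]
        if "mshta.exe" not in names[1:]:
            continue
        mshta = chain[names.index("mshta.exe")]
        found = HTA_PATH.search(mshta["cmdline"])
        alerts.append({"pid": ev["pid"], "chain": names,
                       "hta": found.group(0) if found else None})
    return alerts
```

Running `find_hta_powershell_chains(SAMPLE_EVENTS)` returns a single alert for pid 300 with the chain powershell.exe → mshta.exe → explorer.exe and the HTA path; the console at pid 400 is not flagged.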

The consequences of failing to patch vulnerabilities like CVE-2024-21412 can be severe, as demonstrated by the data exfiltration capabilities of the infostealers involved. ACR, for instance, targets a wide range of sensitive information, including data from browsers, crypto wallets, messenger apps, password managers, VPNs, email clients, and FTP clients. Organizations that lag behind in applying critical security patches are at risk of falling victim to these sophisticated attacks.

Aamir Lakhani emphasizes the importance of regular patching practices and alerts users to critical security updates. While individual software updates from smaller companies may sometimes be overlooked, most organizations are expected to regularly update their Microsoft software. Enhancing patching practices and prompting users to install critical security patches upon software launch can help mitigate the risks posed by vulnerabilities like CVE-2024-21412. As cyber threats continue to evolve, maintaining robust security practices and staying vigilant against emerging threats are essential for organizations to safeguard their data and systems from malicious actors.
