CyberSecurity SEE

Void Banshee’s Second Microsoft Zero-Day Exploit

Microsoft has revised the advisory for a bug it patched in September to acknowledge that it was already being exploited as a zero-day by the "Void Banshee" advanced persistent threat group since before July. The bug, tracked as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine, which remains shipped with Windows for backward compatibility even though Internet Explorer itself has been retired.

The vulnerability affects all supported versions of Windows and, in the observed attacks, led to arbitrary code execution on the affected system. Exploitation requires user interaction: the attacker must persuade the victim to visit a malicious website or open an unsafe link or file.

Microsoft disclosed the bug on September 10 with a CVSS score of 8.8 but did not initially mark it as exploited. On September 13 the advisory was revised to acknowledge active exploitation as part of an attack chain involving CVE-2024-38112, a similar MSHTML spoofing vulnerability patched in July 2024. Because the fix for CVE-2024-38112 breaks the chain but not the underlying bug, Microsoft advises customers to install both the July and the September updates to be fully protected against exploits targeting CVE-2024-43461.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on September 16, giving federal agencies until October 7 to apply the vendor's mitigations.

CVE-2024-43461 resembles CVE-2024-38112 in that both let an attacker manipulate what the user interface displays, so that the victim sees something other than what the system will actually open. Check Point Research, credited with discovering CVE-2024-38112, described that flaw as enabling adversaries to trick users into clicking a malicious URL, and observed threat actors using novel tricks to make malicious files appear to be benign PDF documents while exploiting it.

Trend Micro's Zero Day Initiative (ZDI) reported that Void Banshee exploited the vulnerability to drop the Atlantida information-stealing malware on Windows systems. The group distributed malicious files posing as PDF copies of books through various channels, targeting organizations in North America, Southeast Asia, and Europe.

According to Microsoft's updated advisory, attackers chained CVE-2024-43461 with CVE-2024-38112: the July bug got the attacker's content opened by the legacy MSHTML engine, and the September bug made the malicious file the victim then downloaded look like an ordinary PDF rather than an executable script. Peter Girnus, senior threat researcher at ZDI, described how the two vulnerabilities fit together in that chain.
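The attack described above, in the Check Point and ZDI passages, turns on a file name that reads as a PDF while Windows treats it as something executable. The page does not spell out the exact disguise, so the following is an added example, not code from the article, Microsoft, Check Point or ZDI: a small Python scanner for the general ways a name can be dressed up this way, namely a decoy document extension placed before the real one, a long run of spaces or invisible Unicode characters (format characters, non-ASCII spaces, and U+2800 BRAILLE PATTERN BLANK, which renders as an empty cell) pushing the real extension out of view, and a right-to-left override reversing the tail of the name. The extension lists, the set of "blank" characters and the sample names are all constructed assumptions.

```python
import re
import unicodedata

# Extensions Windows hands to a loader or script host (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                   ".wsh", ".lnk", ".url", ".cmd", ".bat", ".ps1", ".msi"}
# Document and image extensions a lure typically pretends to be (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: reverses the display of everything after it
# Code points that are not whitespace by category but render blank in common fonts
# (assumption: U+2800 braille blank and Hangul filler characters).
EXTRA_BLANKS = {"\u2800", "\u3164", "\u115f", "\u1160"}


def invisible_chars(name: str) -> list:
    """Characters in `name` that a file dialog would render as nothing."""
    found = []
    for ch in name:
        cat = unicodedata.category(ch)
        # Cf = format characters (zero-width space, RLO, ...); Zs = space separators
        # other than the ordinary ASCII space, which we count separately below.
        if ch in EXTRA_BLANKS or cat == "Cf" or (cat == "Zs" and ch != " "):
            found.append(ch)
    return found


def rendered_name(name: str) -> str:
    """Approximate what Explorer shows: apply RLO reversal, drop invisible characters."""
    if RLO in name:
        head, tail = name.split(RLO, 1)
        name = head + tail[::-1]
    blanks = set(invisible_chars(name))
    return "".join(ch for ch in name if ch not in blanks)


def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify_filename(name: str) -> dict:
    """Return a verdict on whether `name` hides an executable extension behind a decoy."""
    hidden = invisible_chars(name)
    shown = rendered_name(name)
    real_ext = _ext(name)      # what Windows will actually dispatch on
    shown_ext = _ext(shown)    # what the user reads at the end of the name
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        if hidden:
            reasons.append(f"{len(hidden)} invisible character(s) pad the name before {real_ext}")
        if re.search(r" {8,}", name):
            reasons.append("long run of spaces pushes the real extension out of view")
        if shown_ext != real_ext:
            # RLO case: the rendered name ends in a decoy extension the file does not have.
            if shown_ext in DECOY_EXTS:
                reasons.append(f"displays as {shown_ext} but Windows will run it as {real_ext}")
        else:
            # Double-extension case: notes.pdf.lnk, Books.pdf<padding>.hta, etc.
            stem = shown[:-len(real_ext)]
            stem_ext = _ext(stem)
            if stem_ext in DECOY_EXTS:
                reasons.append(f"decoy extension {stem_ext} precedes real extension {real_ext}")
    return {"name": name, "shown": shown, "real_ext": real_ext,
            "spoofed": bool(reasons), "reasons": reasons}


def scan(names) -> list:
    """Classify every name and return only the spoofed verdicts."""
    return [v for v in (classify_filename(n) for n in names) if v["spoofed"]]


# Constructed sample names, not taken from any real campaign.
SAMPLES = [
    "Books_Report.pdf",                                 # benign PDF
    "Books_Report.pdf" + "\u2800" * 26 + ".hta",        # braille-blank padding hides .hta
    "invoice" + RLO + "fdp.exe",                        # RLO: shown as invoiceexe.pdf
    "notes.pdf.lnk",                                    # plain double extension
    "setup.exe",                                        # executable, but not disguised
]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(repr(verdict["shown"]), "->", verdict["real_ext"], ";", "; ".join(verdict["reasons"]))
```

Run it over the file names in a mail gateway's attachment log or an export of a download directory; anything it flags as `spoofed` deserves a look regardless of what the icon or the visible name suggests. The check is deliberately name-based and does not open the file, so it is cheap enough to run on every attachment.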

The exploitation of CVE-2024-43461 is a reminder that a bug patched in one month can still be exploitable through a chain that an earlier patch only partially broke. Organizations should install both the July and September 2024 updates, keep endpoint security controls in place that catch disguised script files regardless of how their names render, and treat patch management as the baseline rather than the ceiling; leaving either update unapplied leaves systems open to this and similar attack chains.
