Microsoft addressed a zero-day vulnerability, CVE-2024-43461 [1] [2] [3] [4] [5] [6] [7] [8], in the MSHTML browser engine during the September 2024 Patch Tuesday.
Description
Initially not listed as exploited when Microsoft's 'Patch Tuesday' update shipped on Sept. 10 [3] [8], the vulnerability was later confirmed to have been actively used in attacks before it was patched [8]. The cyber-espionage group Void Banshee exploited this platform-spoofing vulnerability to distribute the Atlantida infostealer. The flaw allows attackers to execute arbitrary code by tricking a victim into visiting a malicious website or clicking an unsafe link; it carries a CVSS severity score of 8.8 out of 10.0 and was reported by researchers from the Trend Micro Zero Day Initiative.
The exploit hid the file's real type by appending repeated encoded braille whitespace characters to the file name, so victims believed they were opening a PDF [7]. Running the file [7] installed the Atlantida infostealer, which exfiltrates sensitive data and login credentials. This vulnerability is part of an attack chain that also includes CVE-2024-38112, which was patched in July [4].
Microsoft released a fix for CVE-2024-43461 last week [1] [6], confirming it had been exploited [1]. Customers are advised to install both the July 2024 and September 2024 security updates for full protection [1] [6], and enterprises should patch promptly and maintain endpoint security and patch management controls to mitigate the risk [4]. The vulnerability affects Internet Explorer mode in the Microsoft Edge browser and lets a remote attacker execute code on unpatched Windows systems [5]; although Microsoft ended support for Internet Explorer in 2022 [5], threat actors can still abuse lingering Windows relics such as IE to infect users and organizations with malware [5].
Attackers actively exploited CVE-2024-43461 as a zero-day before July 2024 [6]. The ZDI Threat Hunting team discovered a new exploit similar to the previously patched July vulnerability tracked as CVE-2024-38112 [6]. The flaw allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows [6] but requires user interaction to exploit [6]. Although it was reported to Microsoft in June [6], threat actors quickly found a way to bypass the patch [6]. Microsoft's July 2024 fix for CVE-2024-38112 [6] broke the attack chain [6], and customers are advised to install both the July 2024 and September 2024 security updates to be fully protected [1] [6].
Void Banshee lures victims with harmful files disguised as book PDFs, delivered in zip archives found on cloud-sharing websites [2], Discord servers [2], and online libraries [2]. Its main targets are in Southeast Asia [2], Europe [2] [3] [4] [8], and North America [2] [3] [4] [8]. The attackers spoof the HTA file extension with braille whitespace characters to hide the malicious nature of the file [2], so the attack relies on user interaction to succeed [2]. Windows users are advised to be cautious when opening .url files from unknown sources [2].
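The braille-whitespace extension spoofing described above can be checked for in downloaded or quarantined file names. The Python below is an added example, not code from the original article or from any of the cited sources; the lure file name, the extension lists and the Verdict structure are constructed for illustration, and the check is generalized to other invisible padding (Unicode space and format characters) and to plain decoy double extensions.

```python
"""Flag file names whose real extension is hidden behind invisible padding."""
import unicodedata
from dataclasses import dataclass

# U+2800 "Braille Pattern Blank" draws as a space in Explorer and file dialogs,
# but its Unicode category is "So", so str.strip() and isspace() ignore it.
BRAILLE_BLANK = "\u2800"

# Constructed lists for this example; tune them to your environment.
ACTIVE_EXTS = {"hta", "url", "lnk", "exe", "scr", "js", "jse", "vbs", "bat", "cmd", "ps1"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def _is_invisible(ch: str) -> bool:
    """True for characters that take up width but draw nothing visible."""
    return ch == BRAILLE_BLANK or unicodedata.category(ch) in ("Zs", "Cf")


@dataclass
class Verdict:
    suspicious: bool
    shown_ext: str   # extension a user reads first, e.g. "pdf"
    real_ext: str    # extension Windows actually dispatches on, e.g. "hta"
    padding: int     # invisible characters sitting between the two


def inspect_filename(path: str) -> Verdict:
    """Separate the visible 'document' name from the extension Windows will use."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, real_ext = name.rpartition(".")
    if not dot:
        return Verdict(False, "", "", 0)
    real_ext = real_ext.lower()
    padding = 0
    while stem and _is_invisible(stem[-1]):   # peel off the padding run
        padding += 1
        stem = stem[:-1]
    shown_ext = stem.rpartition(".")[2].lower() if "." in stem else ""
    # Flag when an active extension is pushed out of view by padding, or when a
    # document-looking extension is merely a decoy in front of an active one.
    suspicious = real_ext in ACTIVE_EXTS and (padding > 0 or shown_ext in DOC_EXTS)
    return Verdict(suspicious, shown_ext, real_ext, padding)


if __name__ == "__main__":
    # Constructed lure in the style described above: a "PDF" with a hidden .hta.
    lure = "Sample_Book.pdf" + BRAILLE_BLANK * 40 + ".hta"
    for sample in (lure, "quarterly_report.pdf", "notes.txt.url"):
        print(inspect_filename(sample))
```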
Conclusion
It is crucial for users to stay vigilant and update their systems with the latest security patches to protect against such vulnerabilities. Enterprises should also implement proper security measures to mitigate risks and prevent cyber attacks. The exploitation of these vulnerabilities highlights the importance of proactive security measures and the need for constant vigilance in the face of evolving cyber threats.
References
[1] https://www.helpnetsecurity.com/2024/09/16/cve-2024-43461-exploited/
[2] https://cybersecuritynews.com/windows-mshtml-zero-day-exploit/
[3] https://www.crn.com/news/security/2024/cisa-microsoft-confirm-high-severity-windows-vulnerability-exploited
[4] https://www.darkreading.com/application-security/void-banshee-exploits-second-microsoft-zero-day
[5] https://www.techtarget.com/searchsecurity/news/366610775/Windows-spoofing-flaw-exploited-in-earlier-zero-day-attacks
[6] https://securityaffairs.com/168467/hacking/windows-cve-2024-43461-actively-exploited-before-july-2024.html
[7] https://www.techradar.com/pro/security/this-devious-malware-looked-to-exploit-braille-characters-to-breach-windows-security-flaws
[8] https://www.blackhatethicalhacking.com/news/new-windows-zero-day-exploited-in-active-attacks/