Security experts have recently uncovered that the APT group Void Banshee has been exploiting a critical zero-day vulnerability, CVE-2024-38112 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], within the MHTML protocol handler to deploy the Atlantida stealer on victims’ devices [1].
Description
This vulnerability, identified by Trend Micro Zero Day Initiative (ZDI) [5], allowed attackers to access and execute files through disabled Internet Explorer using MSHTML [8]. The campaign involved a multi-stage attack chain using .URL files and Microsoft protocol handlers to target users of Windows 10 and 11 in regions such as North America, Europe [1] [3] [4] [6] [7] [8] [9], and Southeast Asia [3] [4] [6] [7] [8] [9]. The attackers aimed to steal sensitive data and credential information [1], specifically targeting highly skilled professionals and students using reference materials [9]. Despite Microsoft releasing a patch for the vulnerability during the July 2024 Patch Tuesday cycle [7], the risk remains due to slow update uptake and continued use of legacy systems [7]. The campaign raised concerns about the exploitation of unsupported Windows relics like Internet Explorer, highlighting the danger posed by such technologies in modern Windows environments. Organizations are advised to patch the vulnerability and adopt a proactive security posture to mitigate potential threats [9]. This incident has also raised concerns about the impact on vulnerability disclosure processes in the cybersecurity industry [4], potentially discouraging researchers from reporting vulnerabilities to vendors [4]. The exploit is part of a multi-stage attack chain using specially crafted internet shortcut files [2] [10]. The Atlantida campaign has been active throughout 2024 and has evolved to include CVE-2024-38112 in Void Banshee infection chains [2] [10]. This vulnerability was addressed by Microsoft in recent Patch Tuesday updates [2]. CVE-2024-38112 is described as a spoofing vulnerability in the MSHTML browser engine used in Internet Explorer [2], although the Zero Day Initiative has classified it as a remote code execution flaw [2] [10]. The ability of APT groups like Void Banshee to exploit vulnerabilities in services like Internet Explorer poses a significant threat to organizations worldwide [2].
Conclusion
The exploitation of vulnerabilities like CVE-2024-38112 by APT groups underscores the importance of timely patching and proactive security measures. Organizations must remain vigilant and update their systems to protect against potential threats. The incident also highlights the need for improved vulnerability disclosure processes to ensure the timely mitigation of security risks in the cybersecurity industry.
References
[1] https://socprime.com/blog/detect-cve-2024-38112-exploitation-by-void-banshee-apt-in-zero-day-attacks-targeting-windows-users/
[2] https://www.redpacketsecurity.com/void-banshee-apt-exploits-microsoft-mhtml-flaw-to-spread-atlantida-stealer/
[3] https://www.infosecurity-magazine.com/news/cve-2024-38112-exploited-void/
[4] https://msftnewsnow.com/microsoft-under-fire-cve-2024-38112-zero-day/
[5] https://www.cybersecurity-review.com/cve-2024-38112-void-banshee-targets-windows-users-through-zombie-internet-explorer-in-zero-day-attacks/
[6] https://www.helpnetsecurity.com/2024/07/16/cve-2024-38112-void-banshee/
[7] https://www.scmagazine.com/news/void-banshee-group-using-patched-zero-day-to-execute-infostealer
[8] https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html
[9] https://www.darkreading.com/threat-intelligence/void-banshee-apt-microsoft-zero-day-spear-phishing-attacks
[10] https://thehackernews.com/2024/07/void-banshee-apt-exploits-microsoft.html