A critical vulnerability [1] [4], tracked as CVE-2024-21412, was discovered by the Trend Micro Zero Day Initiative (ZDI) [1]. The flaw, tracked by ZDI as ZDI-CAN-23100 [1], was exploited in a zero-day attack by the APT group Water Hydra [1], also known as DarkCasino [1].

Description

The group targeted cryptocurrency traders and used spearphishing to deceive them into installing the DarkMe malware, often by sharing a stock chart that linked to a compromised Russian trading information site [5]. In January 2024, Water Hydra updated its infection process to use CVE-2024-21412 to run a malicious Microsoft Installer file (.MSI) [3].

The campaign lures victims with an internet shortcut (.url) that exploits CVE-2024-21412 in Windows Explorer [3]. Through this vulnerability, Water Hydra evades SmartScreen and abuses Mark-of-the-Web (MotW) flaws in Windows Explorer [3]; the infection chain runs silently and is hidden from the user [3]. The vulnerability allowed the attackers to bypass the security checks of Windows Defender SmartScreen by sending a specially crafted file to the targeted user. Microsoft has released a patch to address this issue [5]. Trend Micro researchers found that calling a shortcut from within another shortcut was enough to evade SmartScreen's protection [5]. This technique bypassed MotW [5], a critical Windows component that normally warns users when they open files from untrusted sources.

Water Hydra has been active since 2021 and has demonstrated a high level of technical sophistication [1]. Its ultimate goal was to deploy ransomware. Organizations are advised to assume their systems are compromised and to take immediate action to isolate affected data or toolchains [1].

Another vulnerability, CVE-2024-21351 [1] [2] [3] [4] [5], was also identified as a bypass of the Windows SmartScreen security feature that can be exploited in a similar way to deliver malware [4]. Microsoft warns that these vulnerabilities could lead to data exposure and loss of system availability [4]. Patches for both CVE-2024-21412 and CVE-2024-21351 should be applied promptly [4].
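As a defender-side illustration added to this summary (not code from the original article, Trend Micro, or Microsoft), the following Python triage heuristic parses the INI-style body of a .url internet shortcut and flags the shortcut-within-a-shortcut pattern described above, along with targets that are local file:// or UNC paths or installers. Treating file:// and UNC targets as suspicious is an assumption of this example, and the sample shortcut bodies are constructed.

```python
from urllib.parse import urlparse, unquote

# Extensions a legitimate web shortcut has no reason to point at.
NESTED_SHORTCUT_EXTS = {".url", ".lnk"}   # shortcut calling another shortcut
PAYLOAD_EXTS = {".msi", ".exe"}           # installer/executable launched directly

def parse_internet_shortcut(text):
    """Parse the [InternetShortcut] section of a .url file into a dict
    (keys lower-cased). Other sections and comment lines are ignored."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def target_extension(url):
    """Lower-cased extension of the target's final path component, or ''."""
    parsed = urlparse(url)
    path = unquote(parsed.path) if parsed.scheme else url
    name = path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def assess_url_file(text):
    """Return a list of findings for one .url body; an empty list is clean."""
    url = parse_internet_shortcut(text).get("url", "")
    if not url:
        return ["no URL= field in [InternetShortcut]"]
    findings = []
    if urlparse(url).scheme.lower() == "file" or url.startswith("\\\\"):
        findings.append("target is a file:// or UNC path: " + url)  # assumption: suspicious for a web link
    ext = target_extension(url)
    if ext in NESTED_SHORTCUT_EXTS:
        findings.append("target is another shortcut (%s)" % ext)
    if ext in PAYLOAD_EXTS:
        findings.append("target is an installer/executable (%s)" % ext)
    return findings

# Constructed sample shortcut bodies (not real indicators).
BENIGN = "[InternetShortcut]\nURL=https://example.com/charts/stock.html\n"
NESTED = "[InternetShortcut]\nURL=file:///C:/Users/Public/Downloads/chart.url\n"
UNC_MSI = "[InternetShortcut]\nURL=\\\\files.example.test\\share\\setup.msi\n"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("nested", NESTED), ("unc_msi", UNC_MSI)):
        print(label, assess_url_file(body) or "clean")
```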

Conclusion

The discovery of CVE-2024-21412 and its exploitation by Water Hydra highlights the need for organizations to remain vigilant against sophisticated cyber threats. The impact of this attack can be severe, with the potential for data exposure and loss of system availability [4]. Microsoft has released patches to address the vulnerabilities [2] [5], and it is crucial that organizations apply them promptly. Additionally, organizations are advised to assume their systems are compromised and to take immediate action to isolate affected data or toolchains [1]. This incident is a reminder of the ongoing need for robust cybersecurity measures and proactive threat detection and response strategies.

References

[1] https://www.infosecurity-magazine.com/news/water-hydras-zero-day-financial/
[2] https://duo.com/decipher/apt-exploits-microsoft-zero-day-in-malware-attacks
[3] https://cybersecuritynews.com/water-hydra-smartscreen-zero-day-flaw/
[4] https://www.helpnetsecurity.com/2024/02/13/cve-2024-21412-cve-2024-21351/
[5] https://www.techradar.com/pro/security/a-new-windows-defender-zero-day-is-already-being-exploited-to-drop-dangerous-malware