Thursday , April 24 2025
cyble

Threat Actors Exploit Microsoft SmartScreen Vulnerability: Cyble

Cyble Analyzes An Active Campaign Exploiting A Microsoft SmartScreen Vulnerability To Deliver Stealers Via Spam Emails.

Key findings:

SonicWall patched SSLVPN Vuln Allowing Firewall Crashing

SonicWall has revealed a vulnerability in its SonicOS SSLVPN Virtual Office interface that could let remote attackers crash firewall appliances....
Read More
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing

GitLab Releases Security Update For Multiple Vulns

GitLab has announced a security advisory urging users to upgrade their self-managed installations right away. Versions 17.11.1, 17.10.5, and 17.9.7...
Read More
GitLab Releases Security Update For Multiple Vulns

ISPAB president “whatsapp” got hacked via phishing link

Imdadul Haque, the president of Internet Service Provider of Bangladesh (ISPAB) said, I automatically got back my WhatsApp account. What...
Read More
ISPAB president “whatsapp” got hacked via phishing link

Zyxel released patches 2 vulns in its USG FLEX H series firewalls

Zyxel Networks has issued critical security patches for two high-severity vulnerabilities in its USG FLEX H series firewalls. These flaws...
Read More
Zyxel released patches 2 vulns in its USG FLEX H series firewalls

South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked

South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related...
Read More
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked

ChatGPT Develops Exploit for CVEs Before Public PoCs Share

Security researcher Matt Keeley showed that artificial intelligence can now develop working exploits for critical vulnerabilities before public proof-of-concept (PoC)...
Read More
ChatGPT Develops Exploit for CVEs Before Public PoCs Share

TP-Link Router Vulns Allow to Execute Malicious SQL Commands

Several vulnerabilities have been found in TP-Link routers, exposing users to serious security risks from SQL injection flaws in their...
Read More
TP-Link Router Vulns Allow to Execute Malicious SQL Commands

SSL.com’s domain validation system’s bug found: Hacker exploited

SSL.com has revealed a major security flaw in its domain validation system, which could enable attackers to acquire fake SSL...
Read More
SSL.com’s domain validation system’s bug found: Hacker exploited

Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals

Amazon has paused some data center lease negotiations for its cloud division, particularly in international markets, according to Wells Fargo...
Read More
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals

Hackers Exploit Zoom’s Remote Control Feature for System Access

ELUSIVE COMET is a threat actor conducting a sophisticated attack campaign that uses Zoom's remote control feature to access victims'...
Read More
Hackers Exploit Zoom’s Remote Control Feature for System Access

 * Cyble Research and Intelligence Labs (CRIL) recently came across an active campaign exploiting the Microsoft SmartScreen vulnerability (CVE-2024-21412).

* The ongoing campaign targets multiple regions, including Spain, the US, and Australia.

* It uses fake healthcare insurance, transportation, and tax messages to trick people and companies into downloading harmful files onto their computers.

* Users are tricked into opening a spam email and clicking on a link that takes them to a WebDAV share. They are then deceived into running a harmful internet shortcut file, which takes advantage of a vulnerability known as CVE-2024-21412.

The attackers used various legitimate tools like forfiles.exe, PowerShell, mshta, and other trusted files to bypass security measures during their multi-stage attack. The attack chain utilizes DLL sideloading and IDATLoader to inject the final payload into explorer.exe. This campaign delivers Lumma and Meduza Stealer as its final payloads.

In January 2024, a campaign called DarkGate was discovered by the Zero Day Initiative (ZDI). It used fake software installers and took advantage of a vulnerability called CVE-2024-21412. On February 13, 2024, Microsoft released a patch to fix a vulnerability in Microsoft Defender SmartScreen that was exploited by DarkGate. Following this, a group called Water Hydra, also known as an APT group, used the same vulnerability to target financial market traders. They bypassed SmartScreen and distributed a remote access trojan called DarkMe.

CRIL found a campaign that misused internet shortcuts. In this campaign, TAs used a vulnerability to get around Microsoft Defender SmartScreen and install harmful software on victims’ computers.

The infection begins with a deceptive email that looks like it comes from someone you trust. The email is designed to tempt you into clicking a link, which leads you to open an internet shortcut file on a remote WebDAV share. When you open this file, it takes advantage of a vulnerability called CVE-2024-21212 and runs another file on the same WebDAV share, starting the infection process.

Cyble researchers reported that threat actors have been using a vulnerability to bypass Microsoft Defender SmartScreen and install harmful programs on victims’ computers.

The campaign targets Spanish taxpayers, transportation companies, and individuals in Australia using lure documents. These documents mimic emails from the U.S. Department of Transportation and official Medicare enrollment forms. full report here.

Source: Cyble

Check Also

Australian Cyber Security Centre Alert for Fortinet Products

The Australian Cyber Security Centre (ACSC) has alerted technical users in both private and public …

Leave a Reply

Your email address will not be published. Required fields are marked *