Friday , July 12 2024
cyble

Threat Actors Exploit Microsoft SmartScreen Vulnerability: Cyble

Cyble Analyzes An Active Campaign Exploiting A Microsoft SmartScreen Vulnerability To Deliver Stealers Via Spam Emails.

Key findings:

CVE-2024-5910
Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Palo Alto Networks has issued a critical security advisory outlining numerous vulnerabilities across its product lines, such as PAN-OS, Cortex...
Read More
CVE-2024-5910  Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

GitLab has issued a warning about a serious vulnerability in its GitLab Community and Enterprise editions. This vulnerability allows attackers...
Read More
Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

Adobe Issues Critical Security Patches for Various Products

Adobe released security updates to fix several vulnerabilities in their software. These vulnerabilities could be used by cyber attackers to...
Read More
Adobe Issues Critical Security Patches for Various Products

CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

OS command injection vulnerabilities are a preventable type of weakness in software. Manufacturers can eliminate them by taking a secure...
Read More
CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

Pakistan allows spy agency to intercept phone messages, calls

The Pakistan Ministry of Information Technology and Telecommunication has given permission to the Inter-Services Intelligence (ISI) to intercept citizens’ phone...
Read More
Pakistan allows spy agency to intercept phone messages, calls

Citrix Issues Critical Security Advisory for NetScaler

Citrix has warned users about severe vulnerabilities in their widely-used NetScaler products. These vulnerabilities, known as CVE-2024-6235 and CVE-2024-6236, could...
Read More
Citrix Issues Critical Security Advisory for NetScaler

(CVE-2024-38080, CVE-2024-38112)
Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

Microsoft's July 2024 Patch Tuesday includes security updates for 142 flaws, including two zero-days that are actively exploited and two...
Read More
(CVE-2024-38080, CVE-2024-38112)  Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

EXCLUSIVE
Analysis of 3 Ransomware Threats Active Right Now

Three emerging threats will be discussed below, along with how sandbox analysis can be utilized to detect them proactively. Lockbit...
Read More
EXCLUSIVE  Analysis of 3 Ransomware Threats Active Right Now

AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Avast researchers found a security flaw in the DoNex ransomware and its previous versions, which allowed them to create a...
Read More
AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Critical Security Advisory for Apache CloudStack

The Apache Software Foundation has warned about two serious security issues (CVE-2024-38346 and CVE-2024-39864) in Apache CloudStack, a popular open-source...
Read More
Critical Security Advisory for Apache CloudStack

 * Cyble Research and Intelligence Labs (CRIL) recently came across an active campaign exploiting the Microsoft SmartScreen vulnerability (CVE-2024-21412).

* The ongoing campaign targets multiple regions, including Spain, the US, and Australia.

* It uses fake healthcare insurance, transportation, and tax messages to trick people and companies into downloading harmful files onto their computers.

* Users are tricked into opening a spam email and clicking on a link that takes them to a WebDAV share. They are then deceived into running a harmful internet shortcut file, which takes advantage of a vulnerability known as CVE-2024-21412.

The attackers used various legitimate tools like forfiles.exe, PowerShell, mshta, and other trusted files to bypass security measures during their multi-stage attack. The attack chain utilizes DLL sideloading and IDATLoader to inject the final payload into explorer.exe. This campaign delivers Lumma and Meduza Stealer as its final payloads.

In January 2024, a campaign called DarkGate was discovered by the Zero Day Initiative (ZDI). It used fake software installers and took advantage of a vulnerability called CVE-2024-21412. On February 13, 2024, Microsoft released a patch to fix a vulnerability in Microsoft Defender SmartScreen that was exploited by DarkGate. Following this, a group called Water Hydra, also known as an APT group, used the same vulnerability to target financial market traders. They bypassed SmartScreen and distributed a remote access trojan called DarkMe.

CRIL found a campaign that misused internet shortcuts. In this campaign, TAs used a vulnerability to get around Microsoft Defender SmartScreen and install harmful software on victims’ computers.

The infection begins with a deceptive email that looks like it comes from someone you trust. The email is designed to tempt you into clicking a link, which leads you to open an internet shortcut file on a remote WebDAV share. When you open this file, it takes advantage of a vulnerability called CVE-2024-21212 and runs another file on the same WebDAV share, starting the infection process.

Cyble researchers reported that threat actors have been using a vulnerability to bypass Microsoft Defender SmartScreen and install harmful programs on victims’ computers.

The campaign targets Spanish taxpayers, transportation companies, and individuals in Australia using lure documents. These documents mimic emails from the U.S. Department of Transportation and official Medicare enrollment forms. full report here.

Source: Cyble

Check Also

open source software

CISA Plans to Measure Trust in Open-Source Software

The United States cyber defense agency is creating a new framework to answer a critical …

Leave a Reply

Your email address will not be published. Required fields are marked *