February 13, 2024 at 03:16PM
Water Hydra exploited the zero-day Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) targeting financial market traders. The Trend Micro Zero Day Initiative discovered and disclosed this, cooperating with Microsoft to ensure a rapid patch. Water Hydra also used similar tactics in a campaign targeting traders. The group’s attack patterns reflect high levels of technical sophistication.
From the provided meeting notes, it’s understood that the APT group Water Hydra has been exploiting the zero-day Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in campaigns targeting financial market traders. The vulnerability has now been patched by Microsoft, following its discovery and disclosure by the Trend Micro Zero Day Initiative.
The Water Hydra group was first detected in 2021, targeting the financial industry, including banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites, and casinos worldwide. Initially, its attacks were attributed to the Evilnum APT group due to similar phishing techniques and other tactics. However, Water Hydra later emerged as its own APT group distinct from Evilnum.
Water Hydra’s attack patterns demonstrate significant levels of technical skill and sophistication, including the use of undisclosed zero-day vulnerabilities in attack chains. The group has successfully exploited other vulnerabilities in the past and also showcased the ability to evade security patches by identifying new attack vectors.
The meeting notes also highlight the infection chain and tactics, techniques, and procedures (TTPs) employed by Water Hydra, including spearphishing campaigns on forex trading forums and stock trading Telegram channels. The group used social engineering techniques to lure potential traders into infecting themselves with DarkMe malware.
Furthermore, the meeting notes include an extensive analysis of the DarkMe malware, detailing its functionality, capabilities, and communication with its command-and-control (C&C) server.
The notes also emphasize the ongoing efforts by the Zero Day Initiative to work with security researchers and vendors to responsibly disclose software vulnerabilities and patch them before APT groups can deploy them in attacks.
Finally, the notes provide indicators of compromise, acknowledgments, and various protections and detection rules to help organizations protect themselves from such attacks.
Let me know if any further details or specific takeaways are needed from these meeting notes!