Copy2Pwn Zero-Day Exploited to Bypass Windows Protections

August 16, 2024 at 06:10AM

Trend Micro’s Zero Day Initiative (ZDI) revealed a zero-day vulnerability, CVE-2024-38213, named Copy2Pwn, which cybercriminals exploited to bypass Windows protections. Microsoft fixed the flaw in June 2024 but only disclosed it in August. ZDI discovered it while analysing attacks by the threat group Water Hydra, which used WebDAV shares to bypass Defender SmartScreen.

The key takeaways are:

1. Trend Micro’s Zero Day Initiative (ZDI) uncovered a zero-day vulnerability, tracked as CVE-2024-38213 and named Copy2Pwn, which allowed cybercriminals to bypass Windows protections.

2. Microsoft fixed the CVE-2024-38213 vulnerability in June 2024, but it was only disclosed when the company released the August 2024 Patch Tuesday updates. This vulnerability was one of six zero-days disclosed in the update.

3. ZDI’s threat hunting team identified CVE-2024-38213 during its investigation into the DarkGate campaign conducted by the threat group Water Hydra (also tracked as DarkCasino), which had previously exploited another zero-day (CVE-2024-21412) to bypass Windows protections in attacks targeting financial market traders.

4. The CVE-2024-38213 vulnerability can be exploited to bypass Defender SmartScreen, which safeguards Windows users against phishing, malware, and other potentially malicious files downloaded from the internet. The vulnerability is related to how files from WebDAV shares are handled during copy/paste operations.

5. Cybercriminals could exploit the Copy2Pwn flaw by copying and pasting files from a WebDAV share onto their desktop, allowing them to open these files without the protections of Windows Defender SmartScreen or Microsoft Office Protected View, circumventing reputation and signature checks on executables.
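SmartScreen and Office Protected View decide whether to screen a file by looking for the Mark-of-the-Web, which on NTFS is the `Zone.Identifier` alternate data stream Windows attaches to downloaded files; a file that reaches the desktop without that stream is treated as local and skips the reputation checks described above. The following script is an added example for defenders, not code from the article or from ZDI: it audits a folder for files of risky types and reports whether each carries the stream, so recently written files with no mark (the condition a Copy2Pwn-style copy produces) can be reviewed. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the function name, parameter names and extension list are the author's choices.

```powershell
# Added example (not from the article): audit files for the Mark-of-the-Web
# Zone.Identifier stream that SmartScreen and Protected View rely on.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7, NTFS volume, any folder as $Path.
function Get-MotwStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # File types SmartScreen / Protected View would normally screen (list chosen for this example)
        [string[]] $Extension = @('.exe', '.dll', '.msi', '.js', '.vbs', '.lnk',
                                  '.docm', '.xlsm', '.zip', '.iso')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = $null
            $hostUrl = $null

            # The stream is absent on files that never had MotW or that lost it in transit.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($ads) {
                foreach ($line in $ads) {
                    if ($line -match '^ZoneId=(\d+)')    { $zone = [int]$Matches[1] }
                    elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
                }
            }

            [pscustomobject]@{
                File     = $_.FullName
                HasMotw  = [bool]$ads
                ZoneId   = $zone      # 3 = Internet, 4 = Restricted Sites; $null when no stream
                HostUrl  = $hostUrl   # origin recorded by the browser/downloader, if any
                Modified = $_.LastWriteTime
            }
        }
}

# Usage: list files written in the last week that carry no Mark-of-the-Web.
Get-MotwStatus -Path "$env:USERPROFILE\Desktop" |
    Where-Object { -not $_.HasMotw -and $_.Modified -gt (Get-Date).AddDays(-7) } |
    Format-Table File, ZoneId, HostUrl, Modified -AutoSize
```

A file without the stream is not proof of anything on its own (files created locally or extracted by some archivers also lack it), so the output is a triage list to correlate with WebDAV access in proxy or endpoint logs rather than an alert by itself. Applying the August 2024 update remains the fix; this check only helps find files that arrived before it was installed.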

Related topics include Zero-Click Exploit Concerns, Windows Zero-Day Exploits, and APTs leveraging Windows zero-day vulnerabilities, which may warrant further analysis or action.