CISA Alerts on Windows Flaw Exploited by Void Banshee APT Group

September 16, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to bolster their systems against a Windows MSHTML spoofing bug recently patched. The bug, identified as CVE-2024-43461, was exploited by the Void Banshee APT group. Initially, Microsoft categorized the bug as not exploited in attacks. However, the company updated its advisory to confirm that the bug had been exploited before its patch. Microsoft disclosed that the attackers exploited CVE-2024-43461 before July 2024 in conjunction with CVE-2024-38112, another MSHTML spoofing bug.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft stated. To ensure full protection, customers were advised to apply both the July 2024 and September 2024 security updates.

Peter Girnus, a threat researcher from the Trend Micro Zero Day Initiative (ZDI), reported that the Void Banshee group exploited the vulnerability in zero-day attacks to install information-stealing malware. The vulnerability allows remote attackers to execute arbitrary code on unpatched Windows systems by tricking users into visiting a maliciously crafted webpage or opening a harmful file.

The ZDI advisory explained, "A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user." The attackers used CVE-2024-43461 exploits to deliver malicious HTA files disguised as PDF documents, hiding the .hta extension with 26 encoded braille whitespace characters (%E2%A0%80).
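As an added defensive example (not code from the article, ZDI or Trend Micro), the following Python check flags filenames in which a run of blank-rendering characters such as the braille blank (%E2%A0%80, U+2800) separates the extension a user sees from the one the OS will act on; the executable-extension list and the sample names are constructed assumptions:

```python
import unicodedata
from typing import NamedTuple
from urllib.parse import unquote

# U+2800 BRAILLE PATTERN BLANK (the %E2%A0%80 named in the article) is Unicode
# category "So", so str.isspace() misses it; list it explicitly.
BLANK_LIKE = {"\u2800"}

# Extensions Windows hands to a script or program host; constructed list for this example.
EXECUTABLE_EXTS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "scr", "lnk", "bat", "cmd"}


class Verdict(NamedTuple):
    displayed_ext: str  # what the user sees before the blank run
    true_ext: str       # what the OS uses to choose a handler
    padding: int        # blank-rendering characters between the two
    suspicious: bool


def _is_blank_like(ch: str) -> bool:
    # Whitespace, format characters (zero-width joiners etc.) and the braille blank.
    return ch in BLANK_LIKE or ch.isspace() or unicodedata.category(ch) in ("Zs", "Cf")


def analyze_filename(name: str) -> Verdict:
    """Classify a plain or percent-encoded filename for hidden-extension spoofing."""
    name = unquote(name)  # the article's lures carried the padding URL-encoded
    base, dot, true_ext = name.rpartition(".")
    if not dot:  # no extension at all: nothing to spoof
        return Verdict("", "", 0, False)
    true_ext = true_ext.lower()
    # Count the run of blank-rendering characters just before the real extension.
    i = len(base)
    while i > 0 and _is_blank_like(base[i - 1]):
        i -= 1
    padding = len(base) - i
    visible = base[:i]
    if padding == 0:
        displayed_ext = true_ext  # nothing hidden: the user sees the real extension
    else:
        displayed_ext = visible.rpartition(".")[2].lower() if "." in visible else ""
    # Flag only padding that hides an executable type behind a different (or no) extension.
    suspicious = padding > 0 and true_ext in EXECUTABLE_EXTS and displayed_ext != true_ext
    return Verdict(displayed_ext, true_ext, padding, suspicious)


if __name__ == "__main__":
    # Constructed sample names; the article quotes no literal filename.
    for s in ["quarterly_report.pdf" + "\u2800" * 26 + ".hta", "meeting notes .txt"]:
        print(analyze_filename(s))
```

The same check applies to names pulled from mail gateways, proxy logs or download directories, and a non-zero padding count with an executable true extension is a strong triage signal on its own.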

The Atlantida information-stealing malware, revealed by Check Point Research and Trend Micro in July, was deployed in these attacks. This malware can steal passwords, authentication cookies, and cryptocurrency wallets from infected devices. Void Banshee, an APT group first identified by Trend Micro, is known for targeting organizations across North America, Europe, and Southeast Asia for financial gain and data theft.

CISA has now added the MSHTML spoofing vulnerability to its Known Exploited Vulnerabilities catalog, marking it as actively exploited and instructing federal agencies to secure vulnerable systems by October 7, as required by Binding Operational Directive (BOD) 22-01. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency said. Although CISA's catalog primarily alerts federal agencies about security flaws that should be patched promptly, private organizations worldwide are also advised to prioritize mitigating this vulnerability to prevent ongoing attacks.

Microsoft patched three other actively exploited zero-days in the September 2024 Patch Tuesday, including CVE-2024-38217, a vulnerability exploited in LNK stomping attacks since at least 2018 to bypass the Smart App Control and Mark of the Web (MotW) security features.
