Microsoft Addresses Two Exploited Zero-Days in April 2024 Patch Tuesday

April 9, 2024

Microsoft has patched two zero-day vulnerabilities that were being actively exploited in malware attacks. Neither was initially flagged as a zero-day; both were fixed as part of the April 2024 Patch Tuesday updates. The flaws are tracked as CVE-2024-26234, a proxy driver spoofing vulnerability, and CVE-2024-29988, a SmartScreen prompt security feature bypass vulnerability.

The first vulnerability, CVE-2024-26234, was discovered by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd. The team found a malicious driver signed with a legitimate Microsoft Hardware Publisher Certificate. The driver was disguised as 'Catalog Authentication Client Service' by 'Catalog Thales', presumably to impersonate Thales Group. On further investigation, however, the same file turned out to have previously been bundled with marketing software called LaiXi Android Screen Mirroring. While the authenticity of the LaiXi software could not be confirmed, the team was confident that the file was a malicious backdoor. Christopher Budd stated, 'Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234).'

The second zero-day flaw silently patched by Microsoft is CVE-2024-29988, a SmartScreen prompt security feature bypass vulnerability. It was reported by Peter Girnus of Trend Micro's Zero Day Initiative (ZDI) and by Dmitrij Lenz and Vlad Stolyarov of Google's Threat Analysis Group. The flaw was being actively exploited to deploy malware on targeted Windows systems, bypassing EDR/NDR detection and the Mark of the Web (MotW) feature. Dustin Childs, Head of Threat Awareness at ZDI, revealed that the flaw is related to CVE-2024-21412, which was discovered by ZDI threat researchers and first addressed in February. 'The first patch did not completely resolve the vulnerability. This update addresses the second part of the exploit chain. Microsoft did not indicate they were patching this vulnerability, so it was a (welcome) surprise when the patch went live,' Childs stated.

The Water Hydra hacking group, known for its financially motivated attacks, exploited CVE-2024-29988 in combination with CVE-2024-21412 as a zero-day on New Year’s Eve to target forex trading forums and stock trading Telegram channels, deploying the DarkMe remote access trojan (RAT). CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability, CVE-2023-36025, patched during the November 2023 Patch Tuesday and exploited as a zero-day to deploy the Phemedrone malware.

Microsoft issued security updates for 150 vulnerabilities as part of April 2024's Patch Tuesday, 67 of which were remote code execution bugs.
