Attackers Have Been Leveraging Microsoft Zero-Day for 18 Months

Threat actors may have been exploiting one of the zero-day bugs that Microsoft patched in its July security update for at least 18 months prior to patch release.

Though the vulnerability (CVE-2024-38112) affects the MSHTML (Trident) engine for the now retired Internet Explorer (IE) browser, newer Windows 10 and Windows 11 systems — where Edge is the default browser — are also susceptible to attacks targeting the flaw.

Novel Exploit Chain

Haifei Li, a security researcher at Check Point, discovered and reported the flaw to Microsoft in May. In a recent blog post, Li described CVE-2024-38112 as allowing an attacker to send victims specially crafted Internet Shortcut files (aka URL files) which, when clicked, would use IE — even if not the default browser — to open an attacker-controlled URL. In attacks that Check Point has observed, the threat actor combined the flaw exploit with another novel IE trick for hiding dangerous HTML application files (or .hta files) in the guise of a benign looking PDF document.

"To summarize the attacks from the exploitation perspective: The first technique used in these campaigns is [a] trick, which allows the attacker to call IE instead of the more secure Chrome/Edge," Li wrote. "The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application."

In a worst case scenario, the vulnerability could allow an attacker to run ransomware, spyware, and other arbitrary code on the victim's machine, says Eli Smadja, research group manager at Check Point.  

Exploited in Targeted Infostealer Campaigns?

Smadja says Check Point's analysis of attacks targeting the flaw are still ongoing. However, an initial analysis has shown at least two likely different threat actors are exploiting CVE-2024-38112 in concurrent campaigns, targeting individuals in Vietnam and Turkey. One of the campaigns involves attempts by the attacker to drop the Atlantida information stealer on targeted victims in the two countries.

"This actor exploits compromised WordPress platforms to execute attacks using HTA and PowerShell files, which eventually deploy the Atlantida stealer on target machines," Smajda says. "We believe there may be additional, undiscovered incidents driven by cybercriminal motives," he says.

Rapid7 earlier this year identified Atlantida as malware that enables theft of credential information, cryptocurrency wallet data, browser data, screen information, hardware data, and other information from compromised systems.

Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited. The company however has assigned it only a moderately high severity rating of 7.5 out of 10, based on, among other things, the fact that an attacker would need to convince a victim to interact with the weaponized URL file for any attack to work.

The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2024-38112 to its catalog of known exploited vulnerabilities (KEV) and has urged organizations to apply Microsoft's mitigations for the vulnerability. Federal civilian executive branch agencies have until July 30 to remediate the issue or discontinue use of affected products until they have fixed the issue.

The Trident bug is one of two zero-days from Microsoft's July update that CISA has added to its KEV catalog. The other is CVE-2024-38080, a privilege escalation flaw in Microsoft Windows Hyper-V virtualization technology. Microsoft has said the vulnerability allows an attacker with local access to acquire system-level privileges.

In all, Microsoft released fixes for a total of 139 vulnerabilities in its products, making the July update larger in CVE volume than the company's updates for May and June combined.