Attackers Exploit Microsoft Security-Bypass Zero-Day Bugs

The Water Hydra cyberattacker group is one adversary using the zero-days to get past built-in Windows protections.


Microsoft's scheduled Patch Tuesday security update for February includes fixes for two zero-day security vulnerabilities under active attack, plus 71 other flaws across a wide range of its products.

In all, five of the vulnerabilities for which Microsoft issued a February patch were rated as critical, 66 as important, and two as moderate.

The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company's Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for Business. Tenable identified 30 of the 73 CVEs as remote code execution (RCE) vulnerabilities; 16 as enabling privilege escalation; 10 as tied to spoofing errors; nine as enabling denial-of-service attacks; five as information disclosure flaws; and three as security feature bypass issues.

Water Hydra Exploits Zero-Days Targeting Financial Traders

A threat actor dubbed Water Hydra (aka Dark Casino) is currently leveraging one of the zero-day vulnerabilities — an Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 (CVSS 8.1) — in a malicious campaign targeting organizations in the financial sector.

Researchers at Trend Micro — among several who discovered and reported the flaw to Microsoft — described it as tied to a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025, CVSS 8.8) and affecting all supported Windows versions. Water Hydra actors are using CVE-2024-21412 to gain initial access to systems belonging to financial traders and drop the DarkMe remote access Trojan on them.

To exploit the vulnerability, an attacker would first need to deliver a malicious file to a targeted user and get them to open it, said Saeed Abbasi, manager of vulnerability research at Qualys, in emailed commentary. "The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen," Abbasi said.

SmartScreen Bypass Zero-Day

The other zero-day that Microsoft disclosed in this month's security update also affects Defender SmartScreen. According to Microsoft, CVE-2024-21351 is a medium-severity bug that allows an attacker to bypass SmartScreen protections and inject code into it to potentially gain remote code execution capabilities. A successful exploit could lead to limited data exposure, system availability issues, or both, Microsoft said. No details are available on who exactly is exploiting the bug or for what purpose.

In prepared comments for Dark Reading, Mike Walters, president and co-founder of Action1, said the vulnerability is tied to the manner in which Microsoft's Mark of the Web (a feature for identifying untrusted content from the Internet) interacts with the SmartScreen feature. "For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to circumvent the SmartScreen checks and potentially compromise the system's security," Walters said.
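Both zero-days turn on whether SmartScreen ever gets to inspect a file, and SmartScreen is only invoked for files that carry the Mark of the Web, which Windows stores as a `Zone.Identifier` alternate data stream. The following script is an added example for this article, not tooling from Microsoft, Trend Micro, or any of the researchers quoted; it audits a folder for the file types attackers deliver (Internet shortcut files included) and reports which ones lack a Mark of the Web, so that a defender can see what a downloaded or extracted file will look like to SmartScreen. The folder path and extension list are assumptions you should adapt; it must run on an NTFS volume under Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the article or from Microsoft): audit risky file types
# for a missing Mark of the Web (MotW). MotW lives in the Zone.Identifier
# alternate data stream; ZoneId=3 is "Internet", ZoneId=4 is "Restricted sites".
# Files with no stream, or a ZoneId below 3, are opened without a SmartScreen check.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",                         # assumption: adapt to your triage folder
    [string[]]$RiskyExtensions = @('.url', '.lnk', '.exe', '.msi',
                                   '.vbs', '.js', '.hta', '.iso', '.zip')  # assumption: extend as needed
)

function Get-MotwZone {
    # Returns the ZoneId integer from the Zone.Identifier stream, or $null if absent
    param([Parameter(Mandatory)][string]$FilePath)
    try {
        $ads = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no Zone.Identifier stream: the file carries no MotW
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-UrlShortcutTarget {
    # For .url (Internet Shortcut) files, pull the URL= line so a reviewer can see
    # whether the shortcut points at a local path, an http(s) URL, or a UNC/WebDAV share
    param([Parameter(Mandatory)][string]$FilePath)
    $line = Select-String -LiteralPath $FilePath -Pattern '^URL=(.+)$' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return $null
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $RiskyExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone   = Get-MotwZone -FilePath $_.FullName
        $target = if ($_.Extension -ieq '.url') { Get-UrlShortcutTarget -FilePath $_.FullName } else { $null }
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zone
            HasMotW = ($null -ne $zone -and $zone -ge 3)
            Target  = $target
        }
    }

# Files listed with HasMotW = False will not be screened by SmartScreen when opened
$results | Sort-Object HasMotW, File | Format-Table -AutoSize
```

Run it against a folder of recently downloaded or archive-extracted files; an `.url` file with no Mark of the Web whose `Target` is a UNC path (`\\host\share\...`) or a WebDAV URL is exactly the kind of artefact worth pulling for analysis, because nothing in the SmartScreen path will warn the user who double-clicks it.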

High-Priority Bugs

Among the five critical vulnerabilities in the February update, the one that requires priority attention is CVE-2024-21410, a privilege escalation vulnerability in Exchange Server, a favorite target for attackers. An attacker could use the bug to disclose a targeted user's New Technology LAN Manager (NTLM) version 2 hash and then relay that credential against an affected Exchange Server and authenticate to it as the user.

Flaws like this that disclose sensitive information like NTLM hashes can be very valuable to attackers, said Satnam Narang, senior staff research engineer at Tenable, in a statement. "A Russian-based threat actor leveraged a similar vulnerability to carry out attacks — CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023," he said.

To patch the flaw, Exchange admins will need to ensure they have installed Exchange Server 2019 Cumulative Update 14 (CU14) and that the Extended Protection for Authentication (EPA) feature is enabled, Trend Micro said. The security vendor pointed to an article that Microsoft has published that provides additional information on how to patch the vulnerability.
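The fix has two parts, the CU14 install and EPA being enforced, and a server can satisfy one without the other. The following script is an added example for this article, not Microsoft's or Trend Micro's own tooling, that checks both from an elevated PowerShell session on the Exchange server itself. The CU14 build number `15.2.1544.4` is an assumption taken from Microsoft's Exchange build table and should be verified against the current table; the list of front-end virtual directories and the IIS property names are likewise assumptions to confirm against Microsoft's EPA documentation, and Microsoft's own `ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection` remains the authoritative check.

```powershell
# Added example (not from the article or from Microsoft): verify that an Exchange 2019
# server is at CU14 or later and that Extended Protection for Authentication (EPA) is
# set to Require on the front-end virtual directories that accept NTLM authentication.
# Assumptions: run as an administrator on the Exchange server with the IIS
# WebAdministration module available; build number and vdir list taken from Microsoft
# documentation at the time of writing and should be re-verified.
$Cu14Build = [version]'15.2.1544.4'   # assumption: Exchange 2019 CU14 build per Microsoft's build table

function Get-ExchangeBuild {
    # Read the installed build from the Exchange setup registry key
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop
    return [version]('{0}.{1}.{2}.{3}' -f $setup.MsiProductMajor, $setup.MsiProductMinor,
                                          $setup.MsiBuildMajor,   $setup.MsiBuildMinor)
}

function Get-EpaTokenChecking {
    # Returns the tokenChecking value (None | Allow | Require) for one IIS location
    param([Parameter(Mandatory)][string]$Location)
    Import-Module WebAdministration -ErrorAction Stop
    $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection'
    return [string]$ep.tokenChecking
}

# Part 1: cumulative update level
$build = Get-ExchangeBuild
$cuOk  = $build -ge $Cu14Build
Write-Host ("Exchange build {0}: {1}" -f $build, $(if ($cuOk) { 'CU14 or later' } else { 'OLDER THAN CU14, install CU14' }))

# Part 2: EPA enforcement on the front-end vdirs that take NTLM (assumption: list per Microsoft's EPA guidance)
$frontEndVdirs = @('Default Web Site/EWS', 'Default Web Site/OAB', 'Default Web Site/Autodiscover',
                   'Default Web Site/mapi', 'Default Web Site/rpc', 'Default Web Site/Microsoft-Server-ActiveSync')

$epaReport = foreach ($vdir in $frontEndVdirs) {
    $setting = try { Get-EpaTokenChecking -Location $vdir } catch { "error: $($_.Exception.Message)" }
    [pscustomobject]@{
        VirtualDirectory = $vdir
        TokenChecking    = $setting
        Enforced         = ($setting -eq 'Require')
    }
}
$epaReport | Format-Table -AutoSize

$allEnforced = -not ($epaReport | Where-Object { -not $_.Enforced })
if ($cuOk -and $allEnforced) {
    Write-Host 'Server meets both conditions Microsoft requires for CVE-2024-21410.'
} else {
    Write-Host 'Server is NOT fully mitigated: see the rows above with TokenChecking other than Require, or the build line.'
}
```

A server that reports the CU14 build but shows `Allow` or `None` on any of these directories still accepts a relayed NTLM session, which is the exact condition the advisory describes; EPA must read `Require` on every one before the relay path is closed.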

Microsoft has assigned CVE-2024-21410 a severity rating of 9.8 out of 10, which makes it a critical vulnerability. But typically privilege escalation vulnerabilities tend to score relatively low on the CVSS vulnerability rating scale, which belies the true nature of the threat they present, said Kev Breen, senior director of threat research at Immersive Labs. "Despite their low score, [privilege escalation] vulnerabilities are highly sought after by threat actors and used in almost every cyber incident," Breen said in a statement. "Once an attacker has access to a user account through social engineering or some other attack, they will next seek to escalate their permissions either to local admin or domain admin."

Walters from Action1 highlighted CVE-2024-21413, an RCE flaw in Microsoft Outlook, as a vulnerability that administrators might want to prioritize from February's batch. The critical-severity flaw, with a near-maximum CVSS score of 9.8, involves low attack complexity, no user interaction, and no special privileges required for an attacker to exploit it. "An attacker can exploit this vulnerability via the preview pane in Outlook, allowing them to circumvent Office Protected View and force files to open in edit mode, rather than in the safer protected mode," Walters said.

Microsoft itself rated exploitation of the vulnerability as "less likely" in its exploitability assessment. Nevertheless, Walters said the vulnerability poses a substantial threat for organizations and requires prompt attention.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
