Microsoft has fixed two actively exploited zero-day vulnerabilities during the April 2024 Patch Tuesday, although the company did not initially tag them as such.
The first, tracked as CVE-2024-26234 and described as a Proxy Driver Spoofing Vulnerability, was issued to track a malicious driver signed with a valid Microsoft Hardware Publisher Certificate that was discovered by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd.
This malicious file was labeled as “Catalog Authentication Client Service” by “Catalog Thales,” apparently an attempt to impersonate Thales Group. However, further investigation revealed that it was previously bundled with a marketing software called LaiXi Android Screen Mirroring.
While Sophos could not verify the authenticity of the LaiXi software, Budd says they are confident the file is a malicious backdoor.
“Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234),” Budd said.
Sophos’ findings confirm and build upon information shared in a January report by cybersecurity company Stairwell and a tweet by reverse engineering expert Johann Aydinbas.
Since its release earlier today, Redmond has updated the advisory to correct CVE-2024-26234’s exploitation status, confirming it as exploited in the wild and publicly disclosed.
Sophos reported other malicious drivers signed with legitimate WHCP certificates in July 2023 and December 2022, but for those, Microsoft published security advisories instead of issuing CVE-IDs as it did today.
MotW bypass exploited in malware attacks
The second zero-day silently patched today by Microsoft is tracked as CVE-2024-29988 and described as a SmartScreen Prompt Security Feature Bypass Vulnerability caused by a protection mechanism failure weakness.
CVE-2024-29988 is a bypass for the CVE-2024-21412 flaw and was reported by Peter Girnus of Trend Micro’s Zero Day Initiative and Google Threat Analysis Group’s Dmitrij Lenz and Vlad Stolyarov.
ZDI’s Head of Threat Awareness Dustin Childs tagged it as actively used in attacks to deploy malware on targeted Windows systems after evading EDR/NDR detection and bypassing the Mark of the Web (MotW) feature.
“This vulnerability is related to CVE-2024-21412, which was discovered by ZDI threat researchers in the wild and first addressed in February,” Childs told BleepingComputer.
“The first patch did not completely resolve the vulnerability. This update addresses the second part of the exploit chain. Microsoft did not mention they were patching this vulnerability, so it was a (welcome) surprise when the patch went live.”
The financially motivated Water Hydra hacking group that exploits CVE-2024-29988 also used CVE-2024-21412 as a zero-day on New Year’s Eve to target forex trading forums and stock trading Telegram channels in spearphishing attacks that deployed the DarkMe remote access trojan (RAT).
CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability tracked as CVE-2023-36025, patched during the November 2023 Patch Tuesday and exploited as a zero-day to drop Phemedrone malware.
Today, Microsoft released security updates for 150 vulnerabilities as part of April 2024’s Patch Tuesday, 67 of which were remote code execution bugs.
A Microsoft spokesperson could not immediately provide a statement when contacted by BleepingComputer earlier today.