Monday, July 8, 2024

Microsoft SmartScreen vulnerability can be abused to deploy malware, and its happening in the wild

Hackers are actively exploiting a known vulnerability in Microsoft SmartScreen to deploy malware.

A report from cybersecurity researchers Cyble has urged users to apply the patch immediately, since Microsoft addressed this problem months ago.

Microsoft SmartScreen is a security feature the cimpany integrated into a range of different products, including Windows, Microsoft Edge, and Outlook. By analyzing websites and downloaded files, it provides protection against phishing and malware attacks.

Lumma and Meduza Stealer

However, in mid-January 2024, The Zero Day Initiative (ZDI) observed threat actors abusing a flaw in the feature to deliver the DarkGate commodity loader. The vulnerability is now tracked as CVE-2024-21412, and is described as an “internet shortcut files security feature bypass vulnerability”. In other words, threat actors can bypass SmartScreen’s security features by having victims click on specially crafted internet links. 

Microsoft issued a patch for the vulnerability on February 13 this year, but it seems that many users did not apply it and remain vulnerable. They are now being targeted by crooks looking to deploy multiple infostealers.

This new campaign starts with phishing emails, seemingly coming from trusted sources. They carry internet shortcuts hosted on a remote WebDAV share which, if clicked, execute another .LNK file hosted on the same share, triggering the infection chain. The chain ends with the victims being infected with Lumma and Meduza Stealer.

These are popular infostealers that can grab people’s passwords, cookies, credit card information, cryptowallet data, VPN credentials, FTP credentials, browser autofill data, sensitive documents, screenshots, system information, and more. 

The researchers don’t know exactly how many people fell prey to this campaign. They do know that the threat actors are targeting a wide array of individuals and organizations in different regions and sectors. Based on the fake documents being spread in the phishing emails, the attackers are going after people in Spain, the United States, and Australia.

More from TechRadar Pro



from TechRadar - All the latest technology news https://ift.tt/gdhAucU

No comments:

Post a Comment

Elon Musk’s xAI supercomputer gets 150MW power boost despite concerns over grid impact and local power stability

Elon Musk's xAI supercomputer gets power boost amid concerns 150MW approval raises questions about grid reliability in Tennessee Lo...