Microsoft has fixed two actively exploited zero-day vulnerabilities during the April 2024 Patch Tuesday, although the company did not initially tag them as such.
The first, tracked as CVE-2024-26234 and described as a proxy driver spoofing vulnerability, was issued to track a malicious driver signed using a legitimate Microsoft Hardware Publisher Certificate that was discovered by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd.
This malicious file was labeled as "Catalog Authentication Client Service" by "Catalog Thales," likely an attempt to impersonate Thales Group. However, further investigation revealed that it was previously bundled with marketing software called LaiXi Android Screen Mirroring.
While Sophos could not verify the authenticity of the LaiXi software, Budd says they are confident the file is a malicious backdoor.
“Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234),” Budd said.
Sophos' findings confirm and build upon information shared in a January report by cybersecurity firm Stairwell and a tweet by reverse engineering expert Johann Aydinbas.
Since its release earlier today, Redmond has updated the advisory to correct CVE-2024-26234's exploitation status, confirming it as exploited in the wild and publicly disclosed.
Sophos reported other malicious drivers signed with legitimate WHCP certificates in July 2023 and December 2022, but for those, Microsoft published security advisories instead of issuing CVE IDs as it did today.
MotW bypass exploited in malware attacks
The second zero-day silently patched today by Microsoft is tracked as CVE-2024-29988 and described as a SmartScreen prompt security feature bypass vulnerability caused by a protection mechanism failure weakness.
CVE-2024-29988 is a bypass for the CVE-2024-21412 flaw and was reported by Peter Girnus of Trend Micro's Zero Day Initiative and Google's Threat Analysis Group researchers Dmitrij Lenz and Vlad Stolyarov.
ZDI's Head of Threat Awareness Dustin Childs tagged it as actively used in attacks to deploy malware on targeted Windows systems after evading EDR/NDR detection and bypassing the Mark of the Web (MotW) feature.
“This vulnerability is related to CVE-2024-21412, which was discovered by ZDI threat researchers in the wild and first addressed in February,” Childs told BleepingComputer.
“The first patch did not completely resolve the vulnerability. This update addresses the second part of the exploit chain. Microsoft did not indicate they were patching this vulnerability, so it was a (welcome) surprise when the patch went live.”
The financially motivated Water Hydra hacking group that exploits CVE-2024-29988 also used CVE-2024-21412 as a zero-day on New Year's Eve to target foreign exchange trading forums and stock trading Telegram channels in spearphishing attacks that deployed the DarkMe remote access trojan (RAT).
CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability tracked as CVE-2023-36025, patched during the November 2023 Patch Tuesday and exploited as a zero-day to drop Phemedrone malware.
Today, Microsoft released security updates for 150 vulnerabilities as part of April 2024's Patch Tuesday, 67 of which were remote code execution bugs.
A Microsoft spokesperson could not immediately provide a statement when contacted by BleepingComputer earlier today.