Breaking News: Microsoft Resolves Critical Security Threats Affecting Windows Users


    In April 2024, Microsoft announced the resolution of two zero-day vulnerabilities that were actively being exploited. However, the company initially failed to categorize them as such.

    The first vulnerability, tracked as CVE-2024-26234, is described as a proxy driver spoofing flaw. It came to light after Sophos X-Ops discovered a malicious driver signed with a valid Microsoft Hardware Publisher Certificate, a discovery reported by team lead Christopher Budd in December 2023.

    The malicious driver, labeled as “Catalog Authentication Client Service” by “Catalog Thales,” appears to be an attempt at impersonating Thales Group. However, further investigation revealed that the driver was previously bundled with a marketing software called LaiXi Android Screen Mirroring.

    While Sophos could not verify the authenticity of the LaiXi software, Budd said the team is confident that the file is a malicious backdoor.

    “As we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After conducting their own investigation, the Microsoft team has added the relevant files to its revocation list (which was updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234),” said Budd.

    Sophos’ findings confirm and expand upon information shared in a January report by cybersecurity company Stairwell and a tweet by reverse engineering expert Johann Aydinba.

    Since its release earlier today, the advisory has been updated by Microsoft to reflect CVE-2024-26234’s exploited status, confirming that it has been used in real-world attacks and publicly disclosed.

    Sophos also reported other malicious drivers signed with legitimate WHCP certificates in July 2023 and December 2022. In those cases, however, Microsoft published security advisories rather than issuing CVE IDs as it did today.

    Exploitation of MotW Bypass in Malware Attacks

    The second zero-day vulnerability that was quietly patched by Microsoft today is identified as CVE-2024-29988. It is described as a SmartScreen prompt security feature bypass caused by a weakness in the protection mechanism.

    CVE-2024-29988 is a bypass for the previous vulnerability, CVE-2024-21412, which was discovered by Peter Girnus of Trend Micro’s Zero Day Initiative and by Dmitrij Lenz and Vlad Stolyarov of Google’s Threat Analysis Group.

    Dustin Childs, ZDI’s Head of Threat Awareness, revealed that this vulnerability has been actively exploited in attacks to deploy malware on targeted Windows systems. The attackers were able to evade EDR/NDR detection and bypass the Mark of the Web (MotW) feature.

    “This vulnerability is related to CVE-2024-21412, which was discovered by ZDI threat researchers in the wild and first addressed in February,” explained Childs to BleepingComputer.

    “The first patch did not completely resolve the vulnerability. This update addresses the second part of the exploit chain. Microsoft did not indicate they were patching this vulnerability, so it was a (welcome) surprise when the patch went live.”

    The financially motivated Water Hydra hacking group, known for exploiting CVE-2024-29988, also used the previous vulnerability, CVE-2024-21412, as a zero-day on New Year’s Eve. The group targeted forex trading forums and stock trading Telegram channels in spearphishing attacks that deployed the DarkMe remote access trojan (RAT).

    CVE-2024-21412 was itself a bypass for another Defender SmartScreen vulnerability tracked as CVE-2023-36025, which was patched during the November 2023 Patch Tuesday and also exploited as a zero-day to drop Phemedrone malware.

    Today, Microsoft released security updates for 150 vulnerabilities as part of April 2024’s Patch Tuesday, including 67 remote code execution bugs.

    When contacted by BleepingComputer earlier today, a Microsoft spokesperson was unable to provide a statement at that time.
