Federal Agencies Urged to Act Swiftly on MSHTML Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to U.S. federal agencies, urging them to fortify their systems against a recently patched Windows MSHTML spoofing zero-day vulnerability. This flaw, identified as CVE-2024-43461, was brought to light during this month’s Patch Tuesday, initially leading Microsoft to classify it as non-exploited. However, a subsequent update revealed that the vulnerability had indeed been exploited prior to its resolution.
Microsoft disclosed that attackers had leveraged CVE-2024-43461 before July 2024, utilizing it as part of an exploit chain alongside another MSHTML spoofing bug, CVE-2024-38112. The company noted, “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. Customers should apply both the July 2024 and September 2024 security updates to fully protect themselves.”
Peter Girnus, a threat researcher from the Trend Micro Zero Day Initiative (ZDI), reported that the Void Banshee hacking group exploited this vulnerability in zero-day attacks aimed at installing information-stealing malware. This particular vulnerability allows remote attackers to execute arbitrary code on unpatched Windows systems by deceiving users into visiting maliciously crafted webpages or opening harmful files.
The ZDI advisory elaborates on the flaw, stating, “The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.” In these attacks, the hackers utilized CVE-2024-43461 to deliver malicious HTA files disguised as PDF documents, cleverly concealing the .hta extension with 26 encoded braille whitespace characters (%E2%A0%80).
HTA file camouflaged as PDF document (Trend Micro)
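The extension-hiding trick described above can be checked for on the defender's side, for example in a download proxy log or an endpoint's file-name telemetry. The following is an added example written for this article, not code from Trend Micro, ZDI or Microsoft: it decodes a download name, counts invisible padding characters such as U+2800 (the `%E2%A0%80` sequence the article mentions), and compares the extension a user would perceive with the extension Windows will actually act on. The set of invisible characters and the list of executable extensions are assumptions chosen for illustration; the sample file names are constructed.

```python
from urllib.parse import unquote
import unicodedata

# Characters that render as blank space yet survive in a file name. U+2800
# (BRAILLE PATTERN BLANK, %E2%A0%80 when UTF-8 URL-encoded) is the one the
# article describes; the rest are common zero-width or no-break characters.
# Which code points to include is an assumption of this example.
INVISIBLE = {"\u2800", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00a0", "\u3000"}

# Extensions Windows executes on open (assumed list for this example).
EXECUTABLE_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "wsh",
                   "exe", "scr", "lnk", "cmd", "bat", "ps1", "msi"}


def _is_blank(ch: str) -> bool:
    # Unicode category "Cf" covers format characters (zero-width joiners etc.)
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(raw: str) -> dict:
    """Decode a possibly URL-encoded download name and report the extension a
    user would perceive versus the one the OS will use."""
    name = unquote(raw)  # "%E2%A0%80" -> "\u2800"; plain names pass through
    padding = sum(1 for ch in name if _is_blank(ch))

    # What a width-limited prompt shows: the text before the first blank run.
    first_blank = next((i for i, ch in enumerate(name) if _is_blank(ch)), len(name))
    perceived_ext = _ext(name[:first_blank])

    # What the OS sees: the final suffix once the padding is removed.
    true_ext = _ext("".join(ch for ch in name if not _is_blank(ch)))

    suspicious = (padding > 0
                  and perceived_ext != true_ext
                  and true_ext in EXECUTABLE_EXTS)
    return {
        "decoded": name,
        "padding": padding,
        "perceived_ext": perceived_ext,
        "true_ext": true_ext,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed samples: one benign PDF and one padded name of the kind
    # described in the article (26 braille blanks between ".pdf" and ".hta").
    samples = [
        "quarterly-report.pdf",
        "invoice.pdf" + "%E2%A0%80" * 26 + ".hta",
    ]
    for s in samples:
        r = analyze_filename(s)
        print(f"padding={r['padding']:>2} perceived={r['perceived_ext']!r:6} "
              f"true={r['true_ext']!r:6} suspicious={r['suspicious']}")
```

Matching on the perceived-versus-true extension mismatch rather than on U+2800 alone keeps the check useful if a variant swaps in a different invisible character; the `padding` count is still worth logging on its own, since legitimate file names almost never contain these code points.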
Research conducted by Check Point and Trend Micro in July revealed that the Atlantida information-stealing malware deployed in these attacks is capable of pilfering passwords, authentication cookies, and cryptocurrency wallets from compromised devices. The Void Banshee group, first identified by Trend Micro, has gained notoriety for targeting organizations across North America, Europe, and Southeast Asia, primarily for financial gain and data theft.
Federal Agencies Given Three Weeks to Patch
In a proactive measure, CISA has included the MSHTML spoofing vulnerability in its Known Exploited Vulnerabilities catalog, designating it as actively exploited. Federal agencies are mandated to secure vulnerable systems within three weeks, with a deadline set for October 7, in accordance with Binding Operational Directive (BOD) 22-01. CISA emphasized, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
While CISA’s KEV catalog primarily serves to alert federal agencies about critical security flaws requiring immediate attention, private organizations globally are also encouraged to prioritize mitigation efforts for this vulnerability to thwart ongoing attacks. In addition to CVE-2024-43461, Microsoft addressed three other actively exploited zero-days in the September 2024 Patch Tuesday, including CVE-2024-38217, which has been exploited in LNK stomping attacks since at least 2018 to bypass the Smart App Control and Mark of the Web (MotW) security features.