The Trend Micro Zero Day Initiative (ZDI) has recently uncovered a critical vulnerability, identified as CVE-2024-21412, which they designated ZDI-CAN-23100.
The flaw was reported to Microsoft as part of a Microsoft Defender SmartScreen bypass used in a sophisticated zero-day attack chain orchestrated by the APT group known as Water Hydra (AKA DarkCasino). Their targets were financial market traders.
Beginning in late December 2023, Trend Micro observed a campaign by Water Hydra using similar tools, tactics and procedures (TTPs) that involved exploiting internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components.
In this attack, CVE-2024-21412 was used to evade Microsoft Defender SmartScreen and infect victims with the DarkMe malware. Through collaboration with Microsoft, the ZDI bug bounty program ensured swift disclosure and patching of this vulnerability.
Read more about this patch: Microsoft Fixes Two Zero-Days in February Patch Tuesday
The Water Hydra group, initially mistaken for the Evilnum APT group due to similarities in phishing techniques, has been active since 2021, primarily targeting the financial industry. Notably, they have exploited vulnerabilities such as CVE-2023-38831 and have demonstrated a high level of technical sophistication.
The Water Hydra attack chain, unveiled by Trend Micro in an advisory published on Tuesday, involves intricate methods to lure victims, including spear-phishing campaigns on forex and stock trading forums. They exploit the “search:” protocol to manipulate Windows Explorer views and deceive users into clicking malicious internet shortcut files.
Further analysis revealed that Water Hydra leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen. Using a cascade of internet shortcuts, they evaded security measures and executed malicious payloads, such as the DarkMe malware, without users’ knowledge.
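The chain described above has a few traits a defender can look for on disk or in mail attachments: a .URL internet shortcut whose target is a remote WebDAV/UNC location rather than a web page, a target that is itself another .URL (the shortcut cascade), a search:/search-ms: URI used to shape the Explorer view, and an icon fetched from a remote share. The following triage script is an added example written for this article; it is not Trend Micro's, ZDI's or Microsoft's code. The sample shortcut contents, the host 203.0.113.5 and the finding names are constructed for illustration.

```python
"""
Triage heuristics for Windows Internet Shortcut (.URL) files.

Added example for this article, not the vendor's code. It flags the traits
the article attributes to the Water Hydra chain: a remote WebDAV/UNC target,
a target that is another .URL (shortcut cascade), a search:/search-ms: URI,
and an icon pulled from a remote share. All sample inputs are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Explorer search-view schemes named in the advisory (search:) plus the
# related search-ms: form; treating both alike is this example's assumption.
SEARCH_SCHEMES = {"search", "search-ms"}
# Target path naming another .URL file => a shortcut cascade.
CASCADE_RE = re.compile(r"\.url(\?|#|$)", re.IGNORECASE)


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Minimal INI-style parser for the [InternetShortcut] section.

    Handles a UTF-8 BOM, CRLF line endings and case-insensitive keys.
    The first occurrence of a key wins (a choice for this example).
    """
    section = None
    values: dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), value.strip())
    return values


def is_remote_file_target(target: str) -> bool:
    """True when the target is a UNC path or a file:// URL naming a host.

    A normal shortcut points at http(s)://; a file target on another host
    (SMB or WebDAV) is the trait to surface.
    """
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC, e.g. \\host\share\x.url or \\host@SSL\DavWWWRoot
    parts = urlsplit(t)
    if parts.scheme.lower() == "file":
        return parts.netloc.lower() not in ("", "localhost")
    return False


def triage_shortcut(text: str) -> dict[str, object]:
    """Return the shortcut target and a list of heuristic findings."""
    values = parse_internet_shortcut(text)
    target = values.get("url", "")
    icon = values.get("iconfile", "")
    parts = urlsplit(target.strip())
    findings: list[str] = []
    if is_remote_file_target(target):
        findings.append("remote_file_target")
    if CASCADE_RE.search(parts.path or target):
        findings.append("shortcut_cascade")
    if parts.scheme.lower() in SEARCH_SCHEMES:
        findings.append("search_protocol")
    if icon and is_remote_file_target(icon):
        findings.append("remote_icon")
    return {"target": target, "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not real artifacts from the campaign).
BENIGN = "[InternetShortcut]\r\nURL=https://example.com/quarterly-report\r\n"
CASCADE = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=file://203.0.113.5/dav/trading-signals.url\r\n"
    "IconFile=\\\\203.0.113.5\\dav\\icon.ico\r\n"
    "IconIndex=0\r\n"
)
SEARCH_VIEW = (
    "[InternetShortcut]\r\n"
    "URL=search-ms:query=*.pdf&crumb=location:\\\\203.0.113.5\\share\r\n"
)


def main() -> None:
    for name, sample in (("benign", BENIGN), ("cascade", CASCADE), ("search", SEARCH_VIEW)):
        result = triage_shortcut(sample)
        print(f"{name:8s} suspicious={result['suspicious']} findings={result['findings']}")


if __name__ == "__main__":
    main()
```

Run it against a directory of attachments or a mail gateway quarantine and alert on any shortcut with a non-empty findings list; a legitimate .URL that points at an http(s) page produces none.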
According to Trend Micro, Water Hydra’s modus operandi underscores the severity of zero-day threats in cybersecurity.
“When faced with uncertain intrusions, behaviors and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains,” reads the advisory.
“With a broader perspective and rapid response, organizations can address breaches and protect their remaining systems.”