Shailendra Singh Sachan, Jun 4, 2024

Threat Advisory for CVE-2024-21412

CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass Vulnerability in Microsoft Defender SmartScreen. The APT group Water Hydra (also known as DarkCasino) has been exploiting it in a sophisticated campaign targeting financial market traders: the bypass lets the group get past Microsoft Defender SmartScreen and infect its victims with the DarkMe malware, a remote access trojan (RAT).

Attack methodology

The attack methodology used in the exploitation of CVE-2024-21412 can be outlined as follows, by MITRE tactic and the steps involved:

Initial Access: Water Hydra ran a spearphishing campaign (T1566.002) on forex trading forums and stock trading Telegram channels, using various social engineering techniques to lure traders into infecting themselves with DarkMe malware. As the campaign progressed, an additional lure appeared in the form of a PDF file: a malicious email carrying a PDF attachment. This PDF uses open redirects from online marketing services to sidestep email security measures, leading victims to a compromised web server hosting an internet shortcut file.

Execution: This PDF file, in turn, links to a second shortcut on an attacker-controlled server, exploiting CVE-2024-21412 to execute a malicious MSI file automatically. The MSI files, disguised as legitimate software installers, leverage another vulnerability involving DLL sideloading to decrypt and launch the DarkGate malware payload. Once active, DarkGate can perform a variety of malicious activities, including data theft, payload delivery, keylogging, and providing attackers with remote access to the infected system.

 

Interim guidance

DARC team recommends the following guidance / best practices:

  • Security Awareness and Training
    • Don't open attachments or click on links in emails from unknown senders.
    • An attacker needs to trick the user into opening a malicious file for the vulnerability to be exploited, typically through phishing emails or other social engineering tactics. User training is therefore required: phishing and general cybersecurity training raises awareness to check URLs before visiting sites, and users can be trained to recognize social engineering techniques and spearphishing emails with malicious links.
  • Proper Patch Management
    • CVE-2024-21412 is fixed by installing Microsoft’s February 2024 cumulative update (the February “Patch Tuesday” release).
  • Malware Detection Solutions
    • Deploy anti-malware solutions that detect known malware such as the Visual Basic remote access tool (RAT) DarkMe.
  • Web Security Best Practices
    • Restrict Web-Based Content: Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Always check the full domain name of the official website, including the top-level domain (.com, .ru, .xyz, etc.).
    • Monitor browser logs for homographs in ASCII and in internationalized domain names that abuse different character sets (e.g. Cyrillic vs Latin versions of trusted sites):
      • Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command line logging to detect anomalous process execution and command line arguments associated with those traffic patterns (e.g. anomalous use of files that do not normally initiate connections for the respective protocol(s)).
      • Monitor network traffic for cloned sites as well as homographs that use internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).
  • Software Configuration
    • Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and the integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
    • Apply limitations to the ability for users to grant consent to unfamiliar or unverified third-party applications.
  • Access Control
    • Implement granular access controls (with microsegmentation tools) so that only authorized users and applications have access to sensitive systems and data, reducing the attack surface available to potential intruders.
    • Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and the principle of least privilege.
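The homograph checks recommended above (Cyrillic vs Latin versions of trusted sites, in ASCII or internationalized form) can be automated over hostnames pulled from browser or proxy logs. The following is an added example, not code from the advisory or the DARC team: it decodes punycode labels, flags labels that mix Unicode scripts, and compares a confusable-folded "skeleton" of the host against a hypothetical trusted-domain list. The confusables map is a small constructed subset of the Unicode confusables table, the trusted domains and sample hostnames are constructed, and no real lookalike domain is used.

```python
import unicodedata

# Constructed subset of the Unicode confusables table: Cyrillic letters whose
# glyphs are visually identical to Latin ones (not the full table).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

# Hypothetical list of domains the organisation treats as trusted.
TRUSTED_DOMAINS = {"example.com", "trade-portal.example.net"}


def to_unicode(host):
    """Decode punycode (xn--) labels so the host can be inspected as Unicode."""
    labels = []
    for label in host.strip().lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_in_label(label):
    """Return the set of Unicode scripts used by the letters of one DNS label.

    Unicode character names start with the script name ('LATIN SMALL LETTER A',
    'CYRILLIC SMALL LETTER A'), so the first word of the name identifies it.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():          # digits and hyphens carry no script
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])
    return scripts


def skeleton(host):
    """Fold confusable Cyrillic letters to their Latin lookalikes."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in host)


def analyze_host(host):
    """Flag mixed-script labels and lookalikes of trusted domains."""
    uni = to_unicode(host)
    findings = []
    for label in uni.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    # Compare every suffix of the skeleton with the trusted list, so that
    # 'login.exаmple.com' (Cyrillic а) is caught as a lookalike of example.com
    # while the genuine 'login.example.com' is not.
    uni_parts = uni.split(".")
    skel_parts = skeleton(uni).split(".")
    for i in range(len(uni_parts)):
        candidate = ".".join(skel_parts[i:])
        if candidate in TRUSTED_DOMAINS and candidate != ".".join(uni_parts[i:]):
            findings.append(f"lookalike of trusted domain {candidate!r}")
            break
    return {"host": host, "unicode": uni, "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample hostnames as they might appear in browser or proxy logs.
SAMPLE_HOSTS = [
    "login.example.com",
    "login.ex\u0430mple.com",                                  # Cyrillic а (U+0430)
    "login.ex\u0430mple.com".encode("idna").decode("ascii"),   # same host, punycode form
    "trade-portal.example.net",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        result = analyze_host(host)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {host:40} {'; '.join(result['findings'])}")
```

Both the Unicode and the punycode spelling of the lookalike produce the same findings, which matters because proxy logs usually record the wire (xn--) form while browser history may record the decoded form. A fully Cyrillic domain is deliberately not flagged on its own, since only mixed scripts and collisions with the trusted list indicate impersonation.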

DARC Managed Threat Hunting Queries

To detect the activities associated with the context of CVE-2024-21412, we can create several DQL queries targeting different aspects of the network and system security. Here are some DQL queries that align with the security measures mentioned:

  • Unsigned DLL/Image loaded from suspicious locations:

stream=ep-image-load where NOT imageloaded like '%\\\\Program Files%' AND NOT signed='true' AND NOT imageloaded like '%\\\\Windows\\\\%' | duration 15m |  groupby user , system , imageloaded | limit 100

  • Monitoring PowerShell script execution:

stream=win-audit where eid = 4104 | duration 1d |  limit 100

 

  • Monitor senders of quarantined emails flagged by your Email Service Provider (below is an example query for Trend Micro Email Security):

stream=email-gateway where sourcename='TRENDMICRO-EMAIL-SECURITY' AND action='EMAIL_QUARANTINED' and sender is not null |  duration 1d | groupby sender | limit 10

 

  • Monitor for threats detected by DLP systems over time (below is an example query for Trend Micro Email Security):

stream=threat where sourcename='TRENDMICRO-EMAIL-SECURITY' AND action='THREAT_DETECTED' AND eventtype is not null | duration 1d |  groupby devsrcip, eventtype

 

  • Monitor changes to Active Directory objects by local user accounts (excluding service and computer accounts) to identify credential misuse or privilege escalation:

stream=win-audit where (eid='5136' or eid='5137') and not user like '%$%' and not user like '%@%' | groupby user, objectclass | duration 7d | limit 10

 

  • Detection of the DarkMe Loader DLL file execution via rundll32:

stream=ep-process where commandline like '%rundll32%' and commandline like '%undersets.dll%' and commandline like '%RunDllEntryPointW%' | select CommandLine, Image

 

These queries are indicative only and assume that the HYPERCLOUD platform is configured to capture and log the data relevant to the security measures mentioned. Adjustments may be needed to match the actual field names and log formats used in the organization's HYPERCLOUD deployment.
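To make the logic of two of the queries above concrete outside the DQL engine, the following is an added example, not code from the advisory or the HYPERCLOUD platform. It re-implements the rundll32/undersets.dll/RunDllEntryPointW process query and the unsigned-image-load query over constructed ep-process and ep-image-load events, using a small LIKE matcher so the same `%` patterns can be reused. Field names follow the queries on this page; the event values, host names and users are constructed, and the `Counter`-based grouping stands in for `groupby`.

```python
import re
from collections import Counter


def sql_like(pattern, value):
    """Case-insensitive SQL/DQL-style LIKE: '%' matches any run, '_' one char."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


# Constructed ep-process events (field names follow the advisory's queries).
PROCESS_EVENTS = [
    {"system": "WS-101", "user": "alice",
     "image": r"C:\Windows\System32\rundll32.exe",
     "commandline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\undersets.dll",RunDllEntryPointW'},
    {"system": "WS-102", "user": "bob",
     "image": r"C:\Windows\System32\rundll32.exe",
     "commandline": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
]

# Constructed ep-image-load events; the last two are a deliberate duplicate.
IMAGE_LOAD_EVENTS = [
    {"system": "WS-101", "user": "alice", "signed": "false",
     "imageloaded": r"C:\Users\alice\AppData\Local\Temp\undersets.dll"},
    {"system": "WS-101", "user": "alice", "signed": "true",
     "imageloaded": r"C:\Windows\System32\kernel32.dll"},
    {"system": "WS-103", "user": "carol", "signed": "true",
     "imageloaded": r"C:\Program Files\Vendor\tool.dll"},
    {"system": "WS-103", "user": "carol", "signed": "false",
     "imageloaded": r"C:\ProgramData\cache\helper.dll"},
    {"system": "WS-103", "user": "carol", "signed": "false",
     "imageloaded": r"C:\ProgramData\cache\helper.dll"},
]


def darkme_loader_hits(events):
    """Equivalent of the rundll32 / undersets.dll / RunDllEntryPointW query."""
    return [
        {"CommandLine": e["commandline"], "Image": e["image"], "system": e["system"]}
        for e in events
        if all(sql_like(p, e["commandline"])
               for p in ("%rundll32%", "%undersets.dll%", "%RunDllEntryPointW%"))
    ]


def unsigned_loads_outside_trusted_paths(events, limit=100):
    """Equivalent of the unsigned-image-load query, grouped by user/system/image.

    Two properties of the original filter worth knowing when tuning it:
    - '%\\Program Files%' does not exclude C:\\ProgramData, so DLLs there are kept;
    - NOT signed='true' also keeps events where the signed field is missing.
    """
    counts = Counter()
    for e in events:
        path = e["imageloaded"]
        if sql_like(r"%\Program Files%", path) or sql_like(r"%\Windows\%", path):
            continue
        if e.get("signed") == "true":
            continue
        counts[(e["user"], e["system"], path)] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for hit in darkme_loader_hits(PROCESS_EVENTS):
        print("DarkMe loader:", hit)
    for (user, system, path), n in unsigned_loads_outside_trusted_paths(IMAGE_LOAD_EVENTS):
        print(f"unsigned load x{n}: {user}@{system} {path}")
```

Running it reports one rundll32 hit (the Temp-directory DLL with the RunDllEntryPointW export) and two unsigned-load groups, the Temp DLL and the ProgramData DLL; the signed kernel32.dll and the Program Files DLL are filtered out exactly as in the DQL query.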

 

Conclusion

Water Hydra uses social engineering to lure victims into selecting malicious links that eventually lead to the exploitation of CVE-2024-21412, allowing the attackers to compromise their victim’s host system and deploy malicious payloads. Water Hydra has been known to be financially motivated, but other threat actors with different motivations can also exploit the vulnerability for their own purposes, such as cyberespionage or sabotage.

 
