SecurityWeek

Copy2Pwn Zero-Day Exploited to Bypass Windows Protections

ZDI details a zero-day named Copy2Pwn and tracked as CVE-2024-38213, which cybercriminals exploited to bypass MotW protections in Windows.

Trend Micro’s Zero Day Initiative (ZDI) has detailed a recently patched zero-day vulnerability that cybercriminals have exploited to bypass Windows protections. 

The flaw, tracked as CVE-2024-38213 and named Copy2Pwn by ZDI, was fixed by Microsoft in June 2024, but it was only disclosed when the tech giant released the August 2024 Patch Tuesday updates. It was one of the six zero-days disclosed with this round of updates. 

ZDI’s threat hunting team discovered CVE-2024-38213 while analyzing attacks conducted as part of a campaign named DarkGate by a threat group tracked as Water Hydra (also known as DarkCasino). 

This threat actor had previously exploited a zero-day tracked as CVE-2024-21412 to bypass Windows protections in attacks aimed at financial market traders. 

According to Microsoft, the newly patched vulnerability, CVE-2024-38213, can be exploited to bypass Defender SmartScreen, which protects Windows users against phishing, malware and other potentially malicious files downloaded from the internet. 

The Copy2Pwn flaw is related to how files coming from WebDAV shares are handled during copy/paste operations. 

WebDAV (Web-based Distributed Authoring and Versioning) is an extension of HTTP that adds authoring, sharing and versioning operations. Files hosted on a WebDAV share can be accessed through a web browser or, because Windows can mount such shares as network locations, through Windows Explorer.

When a Windows user downloads a file from the web, that file gets assigned the Mark-of-the-Web (MotW), a flag stored on NTFS in an alternate data stream named Zone.Identifier. The MotW triggers additional security checks before the file is opened, including Defender SmartScreen and Office Protected View. 

Cybercriminals noticed that files copied and pasted from WebDAV shares did not get the MotW. 

“This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View. In particular, this means that there would be no reputation or signature checks on executables,” ZDI explained.
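The following Python is an added example, not code from ZDI, Microsoft or this article. It parses the INI-style text that Windows writes into a file's Zone.Identifier stream and applies the rule SmartScreen and Protected View key on (ZoneId 3, Internet, or 4, Restricted Sites), then audits a constructed set of files: a browser download carrying the mark, an intranet copy in a trusted zone, and a file with no stream at all, which is what a copy/paste from a WebDAV share produced before the fix. The sample stream contents and file names are constructed; `read_zone_stream` assumes a Windows/NTFS path.

```python
# Added example (not ZDI's or Microsoft's code): a Mark-of-the-Web checker.
# On NTFS, MotW is a Zone.Identifier alternate data stream holding INI-style
# text. SmartScreen and Office Protected View act on files whose ZoneId is
# 3 (Internet) or 4 (Restricted Sites); a file with no stream never reaches
# those checks. All sample stream contents below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
SCREENED_ZONES = {3, 4}  # zones that trigger SmartScreen / Protected View


@dataclass
class ZoneInfo:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(text: str) -> Optional[ZoneInfo]:
    """Parse Zone.Identifier stream text; None if it carries no usable ZoneId."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return ZoneInfo(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def classify(stream_text: Optional[str]) -> str:
    """'no-motw', 'trusted-zone' or 'screened' for a file's stream (None = absent)."""
    if stream_text is None:
        return "no-motw"
    info = parse_zone_identifier(stream_text)
    if info is None:
        return "no-motw"  # stream present but unusable: behaves like an unmarked file
    if info.zone_id in SCREENED_ZONES:
        return "screened"
    return "trusted-zone"


def read_zone_stream(path: str) -> Optional[str]:
    """Windows/NTFS only (assumption): read <path>:Zone.Identifier, None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def audit(files: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each file name to its classification so unscreened files stand out."""
    return {name: classify(stream) for name, stream in files.items()}


# Constructed sample: a browser download, an intranet copy, and a file copied
# from a WebDAV share that arrived with no Zone.Identifier stream at all.
BROWSER_DOWNLOAD = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://files.example/\r\n"
    "HostUrl=https://files.example/tool.exe\r\n"
)
INTRANET_COPY = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_FILES: Dict[str, Optional[str]] = {
    "tool-from-browser.exe": BROWSER_DOWNLOAD,
    "tool-from-intranet.exe": INTRANET_COPY,
    "tool-from-webdav.exe": None,  # no MotW: SmartScreen and Protected View are skipped
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FILES).items():
        info = parse_zone_identifier(SAMPLE_FILES[name] or "")
        zone = ZONE_NAMES.get(info.zone_id, "?") if info else "none"
        print(f"{name:24} zone={zone:16} -> {verdict}")
```

On a real Windows host the same stream can be inspected from PowerShell with `Get-Content -Path .\tool.exe -Stream Zone.Identifier`; a file that was copied from a WebDAV share on an unpatched system simply has no such stream, which is the condition `classify` reports as `no-motw`.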

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
