Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Zero-Day Exploited in Attacks on Financial Market Traders

CVE-2024-21412, one of the security bypass zero-days fixed by Microsoft with Patch Tuesday updates, exploited by Water Hydra (DarkCasino).

One of the zero-day vulnerabilities patched by Microsoft with its latest Patch Tuesday updates has been exploited in attacks aimed at financial market traders by a threat group tracked as Water Hydra and DarkCasino, according to Trend Micro.

Microsoft on Tuesday announced patches for more than 70 vulnerabilities, including two flaws that have been exploited in attacks as zero-days. Two of the zero-days, CVE-2024-21412 and CVE-2024-21351, have been described as security feature bypasses.

Trend Micro has published a blog post describing attacks exploiting CVE-2024-21412. It’s worth noting that, in addition to Trend Micro’s Zero Day Initiative, Microsoft credited Aura Information Security and Google’s Threat Analysis Group for reporting this vulnerability. 

Trend Micro said it discovered CVE-2024-21412 during an analysis into a Water Hydra campaign it started tracking in late December 2023. The attacks involved the abuse of internet shortcuts (.url) and Web-based Distributed Authoring and Versioning (WebDAV) components. 

The attackers had exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen and deliver a piece of malware named DarkMe to financial market traders.

According to Microsoft, this vulnerability impacts Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11. It can be exploited by getting the targeted user to open a specially crafted file designed to bypass displayed security checks. 

Trend Micro said Water Hydra has been around since at least 2021, mainly targeting the financial industry, including gambling websites, casinos, forex and stock trading platforms, banks, and cryptocurrency services.

Water Hydra was initially linked to a Russian-speaking financially motivated hack-for-hire group named EvilNum, but it’s now believed to be a separate cybercrime group. The threat actor was previously observed exploiting a WinRAR zero-day

Advertisement. Scroll to continue reading.

Trend Micro’s blog post contains detailed information on how the attackers tricked users into clicking on a malicious internet shortcut file disguised as a harmless image file.

“We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source,” Trend Micro explained. 

The DarkMe malware delivered in this campaign enables the attackers to enumerate folder content, create and delete folders, execute shell commands, obtain system information, and generate a ZIP file from a given path. 

Related: Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware

Related: Turkish Hackers Target Microsoft SQL Servers in Americas, Europe

Related: SysAid Zero-Day Vulnerability Exploited by Ransomware Group

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.