Microsoft’s April 2024 security updates fixed 149 vulnerabilities, two of which are being actively exploited in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. These are in addition to 21 vulnerabilities the company fixed in its Chromium-based Edge browser after the March 2024 Patch Tuesday updates were released.

The following are the two flaws that are being actively exploited:

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory provides no information about CVE-2024-26234, the cybersecurity company Sophos reported that in December 2023, it found a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that was signed by a legitimate Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Through an Authenticode analysis of the binary, the original requesting publisher was identified as Hainan YouHu Technology Co. Ltd., a company that also publishes a utility known as LaiXi Android Screen Mirroring.

The latter is referred to as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”

Embedded within the purported authentication service is a component of 3proxy, which acts as a backdoor by monitoring and intercepting network traffic on compromised systems.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Andreas Klopsch, a researcher at Sophos, said.

The cybersecurity firm added that it had found numerous other backdoor variants in the wild dating back to January 5, 2023, suggesting the campaign has been active at least since then. Microsoft has since updated its revocation list to include the affected files.

Like CVE-2024-21412 and CVE-2023-36025, CVE-2024-29988 is a security hole that lets attackers bypass Microsoft Defender SmartScreen protections when a specially crafted file is opened. It too has reportedly been exploited in the wild.

“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft stated.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative has found evidence of the vulnerability being exploited in the wild, even though Microsoft’s own assessment rates it only as “Exploitation More Likely.”

CVE-2024-29990 (CVSS score: 9.0) is another critical vulnerability, affecting Microsoft Azure Kubernetes Service Confidential Container. It is an elevation of privilege bug that could be exploited by unauthenticated attackers to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond stated.

Overall, this release addresses 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) flaws. Notably, 24 of the 26 security feature bypass vulnerabilities involve Secure Boot.

Satnam Narang, senior staff research engineer at Tenable, said in a statement that “even though none of the Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

The disclosure coincides with a recent report from the U.S. Cyber Safety Review Board (CSRB) criticizing Microsoft’s security practices for failing to prevent a cyber espionage campaign conducted last year by a Chinese threat actor tracked as Storm-0558.

It also follows the company’s decision to provide root cause information for security vulnerabilities using the Common Weakness Enumeration (CWE) industry standard. Note, however, that the change applies only to advisories issued after March 2024.

The CWE program has updated its guidance for mapping CVEs to CWE root causes. CWE trend analysis can help defenders decide where to focus deployment-hardening and defense-in-depth efforts for the greatest return on investment, and help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) processes and testing.

In a related development, cybersecurity company Varonis disclosed two techniques that attackers could use to evade audit logs and avoid triggering download events while exfiltrating files from SharePoint.

The first method uses SharePoint’s “Open in App” feature to access and download files. The second uses the User-Agent string of Microsoft SkyDriveSync to download files, or even entire sites, so that the events are misclassified as file syncs rather than downloads.

Although Microsoft has added the issues to its patch backlog, it has yet to release a fix after being notified of them in November 2023. In the meantime, organizations are advised to closely monitor their audit logs for suspicious access events, particularly those involving a large number of files being downloaded in a short period.
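As an added illustration of the monitoring advice above (example code, not Varonis’s or Microsoft’s own), this script runs a simple bulk-download check over constructed SharePoint audit records, counting sync-classified events sent with the SkyDriveSync user agent as downloads. The field names and the FileDownloaded/FileSyncDownloadedFull operation names are modelled on the Microsoft 365 unified audit log and are assumptions here.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Microsoft 365 unified audit log entries
# (field names and the FileDownloaded/FileSyncDownloadedFull operations are assumed).
SAMPLE_LOG = """
{"CreationTime": "2024-04-10T09:00:01", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/hr/a.docx"}
{"CreationTime": "2024-04-10T09:00:03", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/hr/b.docx"}
{"CreationTime": "2024-04-10T09:00:05", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/hr/c.xlsx"}
{"CreationTime": "2024-04-10T09:00:09", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/hr/d.pdf"}
{"CreationTime": "2024-04-10T09:00:12", "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull", "UserAgent": "Microsoft SkyDriveSync", "ObjectId": "https://contoso.sharepoint.com/sites/hr/e.pdf"}
{"CreationTime": "2024-04-10T09:30:00", "UserId": "bob@example.com", "Operation": "FileDownloaded", "UserAgent": "Mozilla/5.0", "ObjectId": "https://contoso.sharepoint.com/sites/hr/a.docx"}
{"CreationTime": "2024-04-10T10:00:00", "UserId": "carol@example.com", "Operation": "FileAccessed", "UserAgent": "Mozilla/5.0", "ObjectId": "https://contoso.sharepoint.com/sites/hr/b.docx"}
"""

# Operations that move file content to the client; the sync-classified one is what
# the SkyDriveSync user-agent trick hides a bulk download behind.
DOWNLOAD_LIKE_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def parse_events(text):
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_download(event):
    """Count real download ops and anything sent with the sync client's user agent."""
    return event["Operation"] in DOWNLOAD_LIKE_OPS or "SkyDriveSync" in event.get("UserAgent", "")

def find_bulk_downloads(events, threshold=5, window=timedelta(minutes=2)):
    """Return {user: most distinct files pulled inside any `window`} for users at or above `threshold`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_download(ev):
            by_user[ev["UserId"]].append((datetime.fromisoformat(ev["CreationTime"]), ev["ObjectId"]))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # keep the window at most `window` wide
                start += 1
            distinct = {obj for _, obj in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for user, count in find_bulk_downloads(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {count} distinct files within 2 minutes")
```

In real use the records would come from the audit log export rather than the inline sample, and the threshold and window should be tuned to the organization's normal sync volume.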
