Microsoft’s April 2024 security updates fixed 149 vulnerabilities, two of which are being actively exploited in the wild.
Out of the 149 defects, one is classified as low severity, three are critical, 142 are important, and three are moderate. The update also addresses 21 vulnerabilities that the company fixed in its Edge browser, which runs on Chromium, after the March 2024 Patch Tuesday updates were made available.
The following are the two flaws that are being actively exploited:
- CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
- CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability
Although Microsoft’s own advisory contains no details about CVE-2024-26234, the cybersecurity company Sophos reported that in December 2023 it found a malicious executable (“Catalog.exe”, presenting itself as the “Catalog Authentication Client Service”) that was signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.
An Authenticode analysis of the binary identified the original requesting publisher as Hainan YouHu Technology Co. Ltd., which also publishes a utility called LaiXi Android Screen Mirroring.
The latter is referred to as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”
Embedded in the purported authentication service is a component called 3proxy, which acts as a backdoor by monitoring and intercepting network traffic on compromised systems.
“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Andreas Klopsch, a researcher at Sophos, said.
The cybersecurity firm added that it had found numerous other variants of the backdoor in the wild dating back to January 5, 2023, suggesting that the campaign has been active at least since then. Microsoft has since added the file to its revocation list.
Like CVE-2024-21412 and CVE-2023-36025 before it, CVE-2024-29988 is a security hole that lets attackers bypass Microsoft Defender SmartScreen protections when a user opens a specially crafted file. It too has reportedly been exploited in the wild.
“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft stated.
“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”
Although Microsoft’s own assessment rates the flaw only as “Exploitation More Likely,” the Zero Day Initiative says there is evidence of it being exploited in the wild.
CVE-2024-29990 (CVSS score: 9.0) is another critical vulnerability that affects Microsoft Azure Kubernetes Service Confidential Container. It is an elevation of privilege bug that might be used by unauthorized attackers to obtain credentials.
“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond stated.
The release is also notable for addressing 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) flaws. Remarkably, 24 of the 26 security feature bypass vulnerabilities relate to Secure Boot.
Satnam Narang, senior staff research engineer at Tenable, said in a statement that “even though none of the Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”
The disclosure comes shortly after a report from the U.S. Cyber Safety Review Board (CSRB) criticized Microsoft’s security practices and its failure to prevent a cyber espionage campaign conducted last year by a Chinese threat actor tracked as Storm-0558.
It also follows the company’s decision to publish root cause information for security vulnerabilities using the Common Weakness Enumeration (CWE) industry standard. Note, however, that the change applies only to advisories issued since March 2024.
Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News that “the addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability.”
“The CWE program has made updates to its instructions for linking CVEs to CWE Root Causes. CWE trend analysis can assist defenders in determining where to focus deployment-hardening and defence-in-depth efforts for maximum return on investment, as well as developers in reducing future occurrences through enhanced Software Development Life Cycle (SDLC) processes and testing.”
Cybersecurity company Varonis revealed two strategies in a similar development that attackers may use to get around audit logs and prevent download events from happening while stealing files from SharePoint.
The first method uses SharePoint’s “Open in App” feature to access and download files; the second uses the User-Agent string of the Microsoft SkyDriveSync client to download files, or even entire sites, while the activity is logged as file sync events rather than downloads.
Although Microsoft was made aware of the problems in November 2023 and has added them to its patch backlog, it has not yet released a fix. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, particularly a large number of files being accessed or synced in a short time.
“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” explained Eric Saraga.
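As an added example (not code from the article, Varonis or Microsoft), the following Python flags the two patterns described above in SharePoint audit records: bursts of sync-client downloads identified by the SkyDriveSync User-Agent, and bursts of plain file-access events that may stand in for downloads. The record layout and field names (Operation, UserId, UserAgent, CreationTime) are assumed to follow the Microsoft 365 audit log schema, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types the Varonis research says can stand in for real downloads.
# Field names are assumed to follow the Microsoft 365 Unified Audit Log schema.
SYNC_OPS, ACCESS_OPS = {"FileSyncDownloadedFull"}, {"FileAccessed"}
SYNC_AGENT = "SkyDriveSync"
FMT = "%Y-%m-%dT%H:%M:%S"

def classify(record):
    """Map an audit record to the evasion category it may represent, or None."""
    op, ua = record["Operation"], record.get("UserAgent", "")
    if op in SYNC_OPS and SYNC_AGENT in ua:
        return "sync-as-download"
    if op in ACCESS_OPS:
        return "access-as-download"
    return None

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    start = best = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bulk_events(records, threshold=10, window=timedelta(minutes=5)):
    """Return {(user, category): peak_count} for users whose sync or access
    events exceed `threshold` inside `window`: a burst that looks like a bulk
    download disguised as less suspicious event types."""
    buckets = defaultdict(list)
    for r in records:
        cat = classify(r)
        if cat:
            buckets[(r["UserId"], cat)].append(datetime.strptime(r["CreationTime"], FMT))
    return {k: n for k, v in buckets.items() if (n := max_in_window(v, window)) > threshold}

def constructed_sample():
    """Constructed records: one user pulls 12 files through the sync client in
    under a minute; another opens two files in the browser half an hour apart."""
    base = datetime(2024, 4, 10, 9, 0, 0)
    recs = [{"CreationTime": (base + timedelta(seconds=4 * i)).strftime(FMT),
             "UserId": "alice@example.com", "Operation": "FileSyncDownloadedFull",
             "UserAgent": "Microsoft SkyDriveSync 24.000.0000.0001"} for i in range(12)]
    recs += [{"CreationTime": (base + timedelta(minutes=m)).strftime(FMT),
              "UserId": "bob@example.com", "Operation": "FileAccessed",
              "UserAgent": "Mozilla/5.0"} for m in (1, 30)]
    return recs
```

Running `find_bulk_events(constructed_sample())` reports only the sync burst; the two browser opens are too sparse to trip the window threshold.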
Software Patches from Other Vendors
Over the past few weeks, vendors other than Microsoft have also released security patches addressing a number of vulnerabilities, including:
- Adobe
- AMD
- Android
- Apache XML Security for C++
- Aruba Networks
- Atos
- Bosch
- Cisco
- D-Link
- Dell
- Drupal
- F5
- Fortinet
- Fortra
- GitLab
- Google Chrome
- Google Cloud
- Google Pixel
- Hikvision
- Hitachi Energy
- HP
- HP Enterprise
- HTTP/2
- IBM
- Ivanti
- Jenkins
- Lenovo
- LG webOS
- Linux distributions (Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu)
- MediaTek
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Qualcomm
- Rockwell Automation
- Rust
- Samsung
- SAP
- Schneider Electric
- Siemens
- Splunk
- Synology
- VMware
- WordPress
- Zoom
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.