Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

A CVE-2024-21412 Attack Chain

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because [steganography] detection is often overlooked compared to other attack scenarios."

Consequences to the Unpatched

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."