Windows MSHTML Platform Zero Day Vulnerability Actively Exploited by APT Group

By Daniel Lopez

Microsoft patched a vulnerability on September Patch Tuesday, yet attackers are still exploiting it to install data-stealing malware. CVE-2024-43461 is a Microsoft Windows MSHTML Platform spoofing vulnerability with a high-severity CVSS base score of 8.8. Microsoft rated the vulnerability “important” and initially reported that it had not yet been exploited in cyberattacks; recent updates confirm that it had in fact been used in attacks prior to July 2024.

Microsoft has since revised its advisory, revealing that CVE-2024-43461 was part of an exploit chain that also included CVE-2024-38112, a second MSHTML spoofing vulnerability. A patch for the latter was issued in July 2024 as part of Microsoft’s security updates and was intended to break this attack chain. Peter Girnus of Trend Micro’s Zero Day Initiative knew that this vulnerability was being exploited but believed that the CVE-2024-38112 patch had neutralized the attack vector. On further investigation, however, Girnus found, on reversing the patch, that it did not entirely resolve the problem, and he alerted Microsoft.

The vulnerability enables attackers to manipulate the browser into showing false information, which can ultimately lead to remote code execution on unpatched Windows systems. To take advantage of it, an attacker needs to persuade a user to open a malicious file or visit a web page. According to Girnus, the vulnerability arises from how Internet Explorer handles files after they are downloaded. He explained, “A crafted file name can hide the actual file extension, deceiving the user into thinking the file type is safe. This vulnerability can be leveraged by attackers to execute code in the setting of the present user.”

According to reports, the Void Banshee Advanced Persistent Threat (APT) group has exploited this vulnerability to deliver malicious HTA (HTML Application) files disguised as PDF documents. Once executed, these files deliver malware designed to steal sensitive data, including authentication cookies, passwords, and cryptocurrency wallets. Because the vulnerability is being actively exploited, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) Catalog. CISA has also required federal agencies to patch this vulnerability within three weeks to mitigate the risk.
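The attack described above depends on a file name whose real extension (such as .hta) is pushed out of view behind a document-looking decoy extension. As an added illustration of the detection side, the following Python code is example code written for this summary, not part of the original report or of any Microsoft or Trend Micro tooling. It checks a downloaded file name for a decoy document extension, blank padding, and a true executable extension, and reports which of the three it found. The extension lists, the set of characters treated as blank-rendering, and the sample file names are all constructed assumptions; the article itself only states that a crafted file name can hide the actual extension.

```python
import unicodedata

# Constructed lists (assumption): extensions Windows executes directly, and document
# extensions an attacker would want the user to believe they are opening.
EXECUTABLE_EXTENSIONS = {"hta", "exe", "js", "jse", "vbs", "wsf", "scr", "cmd", "bat", "ps1", "lnk"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# Characters treated as rendering blank (assumption about how a file dialog displays them):
# Unicode categories Zs (space separators), Cc (controls) and Cf (format characters),
# plus U+2800 (Braille blank), a symbol that draws nothing.
BLANK_CATEGORIES = {"Zs", "Cc", "Cf"}
BLANK_SYMBOLS = {"\u2800"}


def is_blank(ch):
    """True if the character would occupy space without showing a visible glyph."""
    return ch in BLANK_SYMBOLS or unicodedata.category(ch) in BLANK_CATEGORIES


def analyze_filename(name):
    """Describe whether `name` looks like an executable disguised as a document.

    Returns a dict with the true extension, any decoy extension found before it,
    the number of blank characters padding the gap, and a verdict string.
    """
    # 1. Ignore trailing blanks, then take everything after the last dot as the true extension.
    end = len(name)
    while end > 0 and is_blank(name[end - 1]):
        end -= 1
    core = name[:end]
    dot = core.rfind(".")
    if dot == -1:
        return {"true_ext": "", "decoy_ext": "", "padding": 0, "verdict": "no-extension"}
    true_ext = core[dot + 1:].lower()
    stem = core[:dot]

    # 2. Count blank characters immediately before the final dot: this is the padding
    #    that pushes the real extension past the edge of a prompt or file dialog.
    padding = 0
    while padding < len(stem) and is_blank(stem[-1 - padding]):
        padding += 1
    visible = stem[:len(stem) - padding]

    # 3. Does the visible part of the name end in a document-looking extension?
    decoy_dot = visible.rfind(".")
    decoy_ext = visible[decoy_dot + 1:].lower() if decoy_dot != -1 else ""
    if decoy_ext not in DECOY_EXTENSIONS:
        decoy_ext = ""

    # 4. Verdict: executable behind a decoy is the pattern the article describes.
    if true_ext in EXECUTABLE_EXTENSIONS and decoy_ext:
        verdict = "disguised-executable"
    elif true_ext in EXECUTABLE_EXTENSIONS:
        verdict = "executable"
    else:
        verdict = "benign"
    return {"true_ext": true_ext, "decoy_ext": decoy_ext, "padding": padding, "verdict": verdict}


def flag_disguised(names):
    """Return the subset of `names` whose verdict is disguised-executable."""
    return [n for n in names if analyze_filename(n)["verdict"] == "disguised-executable"]


# Constructed sample file names (not real samples from the campaign).
SAMPLE_NAMES = [
    "Invoice.pdf",                              # ordinary document
    "Report.pdf" + "\u2800" * 30 + ".hta",      # decoy .pdf, Braille-blank padding, real .hta
    "Statement.pdf" + " " * 40 + ".hta",        # same trick with ASCII spaces
    "photo.jpg.exe",                            # classic double extension, no padding
    "setup.hta",                                # executable, but not pretending to be a document
    "notes",                                    # no extension at all
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_filename(n)
        print(f"{r['verdict']:22} true={r['true_ext'] or '-':4} decoy={r['decoy_ext'] or '-':4} "
              f"padding={r['padding']:3}  {n!r}")
```

A script like this belongs at the points where file names are first visible to a defender: a download-directory watcher, an email-gateway attachment check, or a SIEM enrichment over file-creation events. Flagging on the combination (executable extension, decoy extension, padding) rather than on any one signal keeps ordinary names with spaces or double dots from generating noise.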

Beyond its relevance to HIPAA compliance, safeguarding systems from exploitation requires, per Microsoft’s advice, applying both the July 2024 and September 2024 security updates. Doing so ensures that both vulnerabilities in the attack chain are addressed, preventing malicious actors from exploiting them to breach sensitive data.

Photo credits: Angelov, AdobeStock


Posted by Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. He provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA