Windows MSHTML Zero-Day Vulnerability Exploited In The Wild
- Source: Vulnerability (cybersecuritynews.com)
Author: Varshini Senapathi
The Windows MSHTML platform spoofing vulnerability, CVE-2024-43461, which affects all supported Windows versions, has been exploited in the wild.
CVE-2024-43461 was used in attacks by the Void Banshee APT hacking group. Research from Trend Micro claims that Void Banshee lures people by disseminating harmful files disguised as book PDFs through zip archives.
These files may be found on cloud-sharing websites, Discord servers, and online libraries, among other places. Southeast Asia, Europe, and North America are the main regions targeted by Void Banshee’s attacks.
Microsoft mentioned CVE-2024-43461 on Friday as part of the September 2024 Patch Tuesday, indicating that it had been used in attacks.
Overview Of The Zero-Day Vulnerability Exploited In The Wild
The attack campaign of the Void Banshee group made use of both CVE-2024-43461 and the July-resolved vulnerability CVE-2024-38112.
Initially, Windows Internet Shortcut (.url) files were used in the attacks. Clicking on these files forced the device to launch a malicious website run by the attackers, using the now-deprecated Internet Explorer in place of Microsoft Edge.
As soon as the malicious page was accessed, it prompted the download of an HTML Application (HTA) file.
The HTA file included a script to install the malware known as Atlantida info-stealer, which collects confidential data.
The attackers spoof the HTA file extension by taking advantage of a vulnerability in Windows MSHTML.
The method uses braille whitespace characters (%E2%A0%80) to hide the “.hta” extension from the user's view.
Braille whitespace characters used to hide .hta extension (Source: Trend Micro)
Hence, when the user accessed the spoofed file, the HTA file was executed, which initiated the script that deployed the Atlantida info-stealer.
Windows now shows the actual .hta extension (Source: Peter Girnus)
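A defensive check for the extension-hiding trick described above, as an added example that is not part of the original article or of Trend Micro's research: it decodes a download name, counts the braille blanks that %E2%A0%80 decodes to (U+2800), and compares the extension a user would see with the one the system acts on. The function names, the extension list and the sample file names are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

BRAILLE_BLANK = "\u2800"  # what %E2%A0%80 decodes to; renders as empty space
# Assumed policy list of extensions that execute when opened; adjust locally.
EXECUTABLE_EXTS = {".hta", ".url", ".lnk", ".js", ".vbs", ".exe", ".scr"}


def analyze_filename(raw: str) -> dict:
    """Compare the extension a user sees with the one the OS acts on."""
    name = unquote(raw)  # accepts percent-encoded or already-decoded names
    padding = name.count(BRAILLE_BLANK)
    # Text before the first blank is what stays visible in a truncated prompt.
    shown = name.split(BRAILLE_BLANK, 1)[0].rstrip()
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = os.path.splitext(name)[1].lower()
    return {
        "padding": padding,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "spoofed": padding > 0 and shown_ext != real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def triage(names):
    """Return the names whose visible and real extensions disagree."""
    return [n for n in names if analyze_filename(n)["spoofed"]]


# Constructed sample names (not taken from the campaign).
SAMPLES = [
    "report.pdf",
    "report.pdf" + "%E2%A0%80" * 26 + ".hta",
    "report.pdf" + BRAILLE_BLANK * 4 + ".HTA",
    "holiday photo.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze_filename(sample))
```

The same comparison can be run over proxy logs, mail-gateway attachment names or download-folder listings to surface padded names for review.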
We advise concerned Windows users to exercise extra caution when opening .url files from unknown sources, because this kind of attack depends on user involvement to be successful.