{"id":55321,"date":"2024-02-13T00:00:00","date_gmt":"2024-02-13T00:00:00","guid":{"rendered":"urn:uuid:781e7aaa-e00a-588e-419d-7b395f09256f"},"modified":"2024-02-13T00:00:00","modified_gmt":"2024-02-13T00:00:00","slug":"cve-2024-21412-water-hydra-targets-traders-with-microsoft-defender-smartscreen-zero-day","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cve-2024-21412-water-hydra-targets-traders-with-microsoft-defender-smartscreen-zero-day\/","title":{"rendered":"CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Once the malware registers its victim, it then initiates a listener for incoming TCP connections, waiting to receive commands from the attacker. Once a command is received, the malware parses and executes it on the infected system. The malware supports a wide range of functionalities. The supported commands would allow malware to Enumerate directory content (STRFLS<\/i>, STRFL2<\/i>), execute shell commands (SHLEXE<\/i>), create and delete directories, retrieve system drive information (300100<\/i>), and generate a ZIP file from given path (ZIPALO<\/i>), among others.<\/p>\n

Zero-day attacks represent a significant security risk to organizations, as these attacks exploit vulnerabilities that are unknown to software vendors and have no corresponding security patches. APT groups such as Water Hydra possess the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe.<\/p>\n

In a previous campaign, Water Hydra exploited CVE-2023-38831 months before organizations could defend themselves. After disclosure, CVE-2023-38831 was subsequently deployed in other campaigns by other APT groups. ZDI has noticed several alarming trends in zero-day abuse. First, there exists a trend where zero-days found by cybercrime groups make their way into attack chains deployed by nation-state APT groups such as APT28 (FROZENLAKE), APT29 (Cozy Bear), APT40, Dark Pink, Ghostwriter, Konni, Sandworm and more. These groups employ these exploits to launch sophisticated attacks, thereby exacerbating risks to organizations. Second, the simple bypass of CVE-2023-36025 by CVE-2024-21412 highlights a broader industry trend when it comes to security patches that show how APT threat actors can easily circumvent narrow patches by identifying new vectors of attack around a patched software component.<\/p>\n

To make software more secure and protect customers from zero-day attacks, the Trend Zero Day Initiative<\/a> works with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups can deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to safeguard the industry.<\/p>\n

Organizations can protect themselves from these kinds of attacks with Trend Vision One\u2122\ufe0f<\/a>, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. This is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond, and remediate issues. Ultimately, Vision One can help improve the overall security posture and effectiveness of an organization, including against zero-day attacks.<\/p>\n

When faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already compromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid response, organizations can address breaches and protect its remaining systems, especially with technologies such as  Trend Micro Endpoint Security<\/a> and Trend Micro Network Security<\/a>, as well as comprehensive security solutions such as Trend Micro\u2122 XDR<\/a>, which can detect, scan, and block malicious content across the modern threat landscape.<\/p>\n

During our investigation into CVE-2024-21412 and Water Hydra we began tracking additional threat actor activity around this zero-day. In particular, the DarkGate malware operators began incorporating this exploit into their infection chains. We will be providing additional information and analysis on threat actors that have exploited CVE-2024-21412 in a future blog entry. Trend Micro customers are protected from these additional campaigns via virtual patches for ZDI-CAN-23100.<\/p>\n

The following protections exist to detect and protect Trend customers against the zero-day CVE-2024-21412 (ZDI-CAN-23100) and the DarkMe Malware Payload.<\/p>\n