Pierluigi Paganini April 11, 2024

Microsoft addressed two zero-day vulnerabilities (CVE-2024-29988 and CVE-2024-26234) actively exploited by threat actors to deliver malware

Microsoft addressed two zero-day vulnerabilities, tracked as CVE-2024-29988 and CVE-2024-26234, that threat actors are exploiting to deliver malware.

Microsoft Patches Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed issues from Microsoft this year and the largest since at least 2017. The issues impact Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. According to ZDI, three of these vulnerabilities were reported through their ZDI program.

Below are the descriptions of the two flaws:

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability. An attacker can exploit this security feature bypass vulnerability by tricking a user into launching malicious files using a launcher application that requests that no UI be shown. An attacker could send the targeted user a specially crafted file designed to trigger the remote code execution issue. The flaw is actively exploited in the wild but Microsoft did not confirm it in the advisory.

“This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies.” reported ZDI.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability – The flaw reported by Sophos ties a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used in attacks in the wild to deploy a backdoor. In December 2023, Sophos X-Ops received a report of a false positive detection on an executable that was signed using a valid Microsoft Hardware Publisher Certificate. However, the researchers noticed that the version info for the supposedly clean file looked a little suspicious. Attackers were attempting to personate the legitimate company Thales Group.

“However, after digging into both our internal data and reports on VirusTotal, we discovered that the file was previously bundled with a setup file for a product named LaiXi Android Screen Mirroring, “a marketing software…[that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”” reported Sophos. “It’s worth noting that while we can’t prove the legitimacy of the LaiXi software – the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer’s website – we are confident that the file we investigated is a malicious backdoor.”

There’s no evidence indicating intentional inclusion of the malicious file by LaiXi developers or involvement of a threat actor in a supply chain attack during the application’s compilation/building process.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)