Fraud Management & Cybercrime , Governance & Risk Management , Patch Management
Microsoft Patches Another SmartScreen Signature-Based Vulnerability Akshaya Asokan (asokan_akshaya) • March 16, 2023
A financial motivated hacking group has been exploiting a now-patched zero-day vulnerability in the Windows operating system to deliver ransomware.
See Also: State of Brand Protection Report
Google Threat Analysis Group attributed the campaign to Magniber ransomware group, which it says began exploiting the zero day prior to Microsoft releasing the patch for the vulnerability as part of its latest monthly dump of fixes.
The vulnerability, tracked CVE-2023-24880, is a moderately severe flaw impacting Microsoft’s anti-phishing and anti-malware component SmartScreen Security embedded by the company as an endpoint protection service in products including Windows and Microsoft Edge.
Magniber delivers Microsoft Software Installer files, signing it with malformed signature. The file triggers an error in the application upon its execution, causing an error that bypasses Microsoft’s warning against executing untrusted files downloaded from the internet.
Google TAG observed more than 100,000 downloads of malicious MSI files since the beginning of this year, majority of which were downloaded by devices in Europe. This is a change in targets for Magniber, which previously focused on victims in South Korea and Taiwan, TAG says.
Prior to its latest campaign, the same threat group exploited another SmartScreen bypass vulnerability tracked as CVE-2022-44698. At the time the hackers used Javascript files instead of MSI, HP threat researchers who spotted the campaign wrote.
Malformed Windows signatures used by the operators behind November 2022 Qakbot campaigns were similar to Magniber’s earlier campaign, “suggesting the two operators either purchased the bypasses from the same provider, or copied each others’ technique,” Google says.
The fact that Microsoft has had to issue multiple fixes for signature-based SmartScreen bypass highlights a dilemma of patches, Google notes. Should software developers like Microsoft issue a targeted, reliable fix that patches the immediate problem? But unless the root cause is also fixed, hackers can iterate their techniques to discover new attacks.
