Windows 0-day (CVE-2023-24880) was exploited in ransomware attacks

CVE-2023-24880

Microsoft’s latest round of security updates addresses 74 new CVEs across Windows, Office, Edge, Dynamics, Visual Studio and Azure. Six are rated Critical, 67 Important and one Moderate. Two of them, CVE-2023-23397 (an Outlook elevation-of-privilege flaw) and CVE-2023-24880, are listed as under active attack.


CVE-2023-24880: Bypassing Windows SmartScreen Security

The vulnerability, tracked as CVE-2023-24880 (CVSS3 score of 5.4), allows an attacker to craft files that bypass Mark of the Web (MOTW) defenses. MOTW is an NTFS alternate data stream named Zone.Identifier that Windows attaches to files arriving from the Internet (ZoneId=3); SmartScreen, Protected View in Microsoft Office and similar checks decide whether to warn, sandbox or block a file based on that tag. A file that defeats those checks therefore reaches the user without the prompt that would normally stop malware delivered as a crafted document or installer.
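To make the mechanism concrete, here is an added PowerShell example (not code from the original article or from Microsoft) that shows where MOTW lives: it creates a throwaway file, tags it the way a browser tags an Internet download, reads the tag back, and then removes it with Unblock-File. The file path, the sample content and the URLs in the tag are constructed for the demonstration.

```powershell
# Added example: Mark of the Web is the Zone.Identifier alternate data stream.
# Paths, sample content and URLs below are constructed for this demo.

$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -Path $sample -Value 'constructed sample content'

# Maps a file's MOTW tag to a zone name. Returns 'None' when the stream is
# absent and 'Malformed' when the stream exists but has no ZoneId line.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return 'None' }
    $m = [regex]::Match(($stream -join "`n"), '(?m)^ZoneId=(\d+)\s*$')
    if (-not $m.Success) { return 'Malformed' }
    $id = [int]$m.Groups[1].Value
    if ($zoneNames.ContainsKey($id)) { $zoneNames[$id] } else { "Unknown($id)" }
}

# 1. A file created locally carries no tag.
"Before tagging: $(Get-MotwZone -Path $sample)"

# 2. Tag it as an Internet download (ZoneId 3). Browsers usually add the
#    referrer and host URL as well; SmartScreen only needs ZoneId.
$motw = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/
HostUrl=https://example.invalid/motw-demo.txt
"@
Set-Content -Path $sample -Stream Zone.Identifier -Value $motw

# 3. The raw stream is what MOTW-aware defenses read.
Get-Content -Path $sample -Stream Zone.Identifier
"After tagging: $(Get-MotwZone -Path $sample)"

# 4. Unblock-File deletes the stream, which is why a user clicking
#    "Unblock" in file properties silences every MOTW-based check.
Unblock-File -Path $sample
"After Unblock-File: $(Get-MotwZone -Path $sample)"

Remove-Item -Path $sample -ErrorAction SilentlyContinue
```

Two things worth noticing: the tag is ordinary file metadata, so any code running as the user can strip it, and it only survives on NTFS. Archive formats and file systems that drop alternate data streams are the classic non-exploit MOTW bypass; CVE-2023-24880 is different because the tag is present and SmartScreen still lets the file through.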

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft wrote in a security advisory published today.

Exploitation by Magniber Ransomware

Google’s Threat Analysis Group (TAG) found the vulnerability being exploited since at least January 2023, reported it to Microsoft on February 15, and the fix shipped as part of Microsoft’s latest Patch Tuesday updates. The financially motivated group behind the Magniber ransomware used CVE-2023-24880 to deliver specially crafted MSI files. Each MSI carries an Authenticode signature that is invalid but malformed in a specific way: rather than rejecting the file, SmartScreen hits an error while handling the signature and fails open, so the warning dialog that normally appears for an untrusted MOTW-tagged file is never shown and the installer runs.

“TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe – a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan,” Google TAG wrote.
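A defender cannot see the SmartScreen error itself, but the two ingredients are visible on disk: an MSI that still carries an Internet MOTW tag and whose Authenticode signature does not verify. The following PowerShell is an added triage check (not from the original article, Google TAG or Microsoft) that lists such files under a user's Downloads folder. The folder, the 30-day window and the decision to flag any status other than Valid are assumptions for the example; a hit is a reason to look closer, not proof that the CVE-2023-24880 technique was used, because unsigned or badly re-signed installers are common.

```powershell
# Added example: find MOTW-tagged MSI files whose signature does not verify.
# Folder, time window and the "anything but Valid" rule are assumptions.

function Find-SuspiciousMsi {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    Get-ChildItem -Path $Folder -Filter '*.msi' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $file = $_

            # MOTW: read ZoneId from the Zone.Identifier stream, if present.
            $zone = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null
            if ($zone) {
                $m = [regex]::Match(($zone -join "`n"), '(?m)^ZoneId=(\d+)')
                if ($m.Success) { $zoneId = $m.Groups[1].Value }
            }

            # Authenticode: Get-AuthenticodeSignature understands MSI files and
            # reports Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName

            [pscustomobject]@{
                Path      = $file.FullName
                SizeKB    = [math]::Round($file.Length / 1KB)
                Written   = $file.LastWriteTime
                ZoneId    = $zoneId
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            }
        } |
        # Internet-zone tag present AND signature did not verify cleanly.
        Where-Object { $_.ZoneId -eq '3' -and $_.SigStatus -ne 'Valid' }
}

# Typical use: run per user profile, or point -Folder at a shared download area.
Find-SuspiciousMsi | Format-Table -AutoSize
```

The SHA256 column is there so that any hit can be compared against the indicators Google published for these campaigns; the Signer column separates simply unsigned installers from ones that carry a signature block that fails to verify, which is the shape of the Magniber files described above.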

A New Variant of CVE-2022-44698

CVE-2023-24880 is a new variant of CVE-2022-44698, a SmartScreen bypass Microsoft patched in December 2022 after it had already been exploited by Magniber and Qakbot. TAG’s point in publishing is that the December fix addressed the specific trigger rather than the underlying fail-open behaviour, which is why a working variant surfaced within weeks. Google has made technical details for both CVE-2023-24880 and CVE-2022-44698 available, along with indicators of compromise (IoCs) for the Magniber and Qakbot attacks.

Protect your system

CVE-2023-24880 is a reminder that a security feature which errors out on malformed input must fail closed: SmartScreen did not, and a single crafted signature turned a warning into silent execution. The fix is part of the latest Patch Tuesday release, so install it. Beyond that, treat MOTW-dependent checks as one layer rather than the last one: application control (WDAC or AppLocker rules that restrict MSI execution from user-writable locations) does not depend on the tag, and periodically reviewing downloaded installers whose signatures fail to verify catches the pattern used here even when the prompt never appeared. Stay current on new variants of this bug class, because the December 2022 fix showed that a narrow patch can be routed around quickly.