overview

This week, Microsoft patched two zero-day vulnerabilities (CVE-2024-29988 and CVE-2024-26234) that are currently being exploited in the wild.  

CVE-2024-29988 (CVSS 8.8) 

CVE-2024-29988 is a SmartScreen prompt security feature bypass that can be used to bypass the Mark of the Web (MotW) security feature. While Microsoft's official advisory does not acknowledge ongoing exploitation, researchers from Trend Micro's Zero Day Initiative discovered that the vulnerability is being used by the threat actor, Water Hydra, in an attack campaign. This campaign uses Microsoft Defender SmartScreen as a vector to distribute the DarkMe malware to financial market traders. 

CVE-2024-26234 (CVSS 6.7) 

This vulnerability is a proxy driver spoofing flaw that was reported to Microsoft by Sophos in December 2023. Attacks utilizing this exploit were discovered through an analysis of an executable file, signed with a valid Windows Hardware Compatibility Program (WHCP) certificate, associated with an Android screen mirroring application named LaiXi. The analyzed file was a malicious backdoor file. LaiXi is an application designed for marketing purposes, allowing users to link multiple mobile devices and manage them collectively. It automates various tasks such as bulk following, liking, and commenting to enhance the user's audience reach. 

Microsoft has addressed the vulnerabilities by providing patches. Avertium recommends applying the patches for CVE-2024-29988 and CVE-2024-26234 as soon as possible.  

 

 

avertium's recommendationS

  • CVE-2024-29988 – Avertium recommends reading Microsoft’s advisory for patch guidance.  
  • CVE-2024-26234 - Avertium recommends reading Microsoft’s advisory for patch guidance. 
    • Users are advised to exercise extreme caution when downloading, installing, and utilizing LaiXi.  

 

 

INDICATORS OF COMPROMISE (IoCs)

CVE-2024-26234 

SHA256 

  • 0dae9c759072f9c0e5a61a9de24a89e76da35ffab8ff9610cc90df417c741f3f 
  • cec73bddc33cd11ba515e39983e81569d9586abdaabbdd5955389735e826c3c7 
  • 230c9c47abb17e3caa37bcb1b8e49b30e671e6c50e88f334107e3350bee13385 
  • 5a519932c20519e58a004ddbfee6c0ed46f1cee8d7c04f362f3545335904bae2 
  • 4c23a199152db6596ccafb5ea2363500e2e1df04961a4ede05168999da87d39a 
  • 815e21de6fab4b737c7dd844e584c1fc5505e6b180aecdd209fbd9b4ed14e4b2 
  • 0ee12274d7138ecd0719f6cb3800a04a6667968c1be70918e31c6f75de7da1ba 
  • acc5c46ae2e509c59a952269622b4e6b5fa6cf9d03260bfebdfaa86c734ee6ea 
  • 593f8ed9319fd4e936a36bc6d0f163b9d43220e61221801ad0af8b1db35a0de5 
  • c0c648e98ec9d2576b275d55f22b8273a6d2549f117f83a0bcc940194f1d0773 
  • d6a1db6d0570576e162bc1c1f9b4e262b92723dbabdde85b27f014a59bbff70c 
  • eccfd9f2d1d935f03d9fbdb4605281c7a8c23b3791dc33ae8d3c75e0b8fbaec6 
  • 3c931548b0b8cded10793e5517e0a06183b76fa47d2460d28935e28b012e426c 

Domain 

  • catalog[.]micrisoftdrivers[.]com 

At this time, there are no known IoCs associated with CVE-2024-29988. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 





 

SUPPORTING DOCUMENTATION

NVD - CVE-2024-26234 (nist.gov) 

NVD - CVE-2024-29988 (nist.gov) 

CVE-2024-26234 - Security Update Guide - Microsoft - Proxy Driver Spoofing Vulnerability 

CVE-2024-29988 - Security Update Guide - Microsoft - SmartScreen Prompt Security Feature Bypass Vulnerability 

Microsoft Patches Two Zero-Days Exploited for Malware Delivery - SecurityWeek 

Microsoft patches two actively exploited zero-days (CVE-2024-29988, CVE-2024-26234) - Help Net Security 

IoCs/3proxy-backdoor-IOCs.csv at master · sophoslabs/IoCs · GitHub 

 
Chat With One of Our Experts



microsoft Zero-Day Vulnerability Flash Notice Microsoft Vulnerability Microsoft Zero-Day Blog