'Void Banshee' Exploits Second Microsoft Zero-Day

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month’s Patch Tuesday update as a zero-day vulnerability, which the “Void Banshee” advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it’s one of two very similar issues that Void Banshee is using in its attacks.

Affects All Supported Windows Versions

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company’s advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw “as part of an attack chain [related] to CVE-2024-38112,” a MSHTML platform spoofing vulnerability that the company patched in July 2024.

“We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain,” Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft’s Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor’s mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro’s Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

A Two-Bug Microsoft Attack Chain

According to Microsoft’s updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. “This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461” to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. “We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft,” he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by “unsupported Windows relics” such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft’s disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like [CVE-2024-43461]," says Greg Fitzgerald, co-founder of Sevco. “It’s critical for enterprises to take the first step of patching this vulnerability, but it can’t stop there.”

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.