Cyber Threat Intelligence Briefing - July 15, 2024
The PacketWatch Intelligence Team : Jul 15, 2024 3:18:06 PM
In this week's threat intel report, we cover the Microsoft Windows MHTML 0-day vulnerability, the implications of RockYou2024, and a vulnerability roundup.
Microsoft Windows MHTML 0-Day
Security researcher Haifei Li of Check Point Research discovered and disclosed a high-severity MHTML spoofing issue in Microsoft Windows. According to Li's findings, samples exploiting this vulnerability have been found dating back to January 2023.
The vulnerability is tracked as CVE-2024-38112, and a patch has been included as part of Microsoft's July Patch Tuesday.
How Does It Work?
Threat actors send their target a Windows Internet Shortcut File (.url file) that spoofs a more legitimate-looking file type, such as a PDF. Once the user clicks the file, it downloads an HTML Application (HTA) file that installs password-stealing malware.
Fig. 1 – Example .url file contents
Source: Check Point Research
As seen in the .url file above, the URL variable points to an mhtml URI handler. MHTML (MIME Encapsulation of Aggregate HTML Documents) was introduced with Microsoft Internet Explorer, and is used to encapsulate the entire contents of a webpage into a single archive. This mhtml handler launches Internet Explorer instead of the default browser (even on Windows 10 and 11).
Internet Explorer is notoriously insecure and offers far fewer security protections than modern web browsers. With this method, the only "security warning" the user sees is a message that a website wants to open web content using a program on the computer. The figure below shows the dialog prompt the user sees after clicking the .url file.
Fig. 2 – Internet Explorer Dialog Box
Source: Check Point Research
Finally, once the user clicks "Open", they will see the Security Warning. Notice how even though the Internet Explorer Dialog box above claims the file is a .pdf, the security warning below shows it is an HTA file:
Fig. 3 – Internet Explorer Security Warning
Source: Check Point Research
How To Protect Your Organization
- Apply the latest Microsoft patch for CVE-2024-38112.
- Educate users about suspicious file types, such as .url. The exploit for this vulnerability requires several user interactions (user clicks) to succeed.
- Block uncommon/unsafe file extensions for email attachments.
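As an added example (not code from the briefing or from Check Point Research), the following Python script shows the two checks described above that a mail gateway or an analyst can apply to a Windows Internet Shortcut: parse the INI-style .url file and flag a URL value that uses the mhtml: handler, and flag a disguised double extension such as "Report.pdf.url". The sample .url contents and the block list of attachment extensions are constructed for this example; the Fig. 1 contents are not reproduced.

```python
import configparser
import os
from urllib.parse import urlsplit

# Constructed sample standing in for the .url file in Fig. 1 (the real
# contents are not reproduced here). Note the mhtml: handler in the URL value.
SAMPLE_URL_FILE = """\
[InternetShortcut]
URL=mhtml:http://attachment.example.invalid/Quarterly-Report.pdf
"""

# Constructed gateway policy following the briefing's advice to block
# uncommon/unsafe attachment types outright.
BLOCKED_ATTACHMENT_EXTENSIONS = {".url", ".hta", ".scr", ".js", ".vbs", ".lnk"}


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style .url format; return the [InternetShortcut] keys, lower-cased."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser["InternetShortcut"])


def analyse_url_file(filename: str, text: str) -> list:
    """Return finding codes for a .url file that arrived under `filename`."""
    findings = []
    fields = parse_internet_shortcut(text)
    target = fields.get("url", "")
    scheme = urlsplit(target).scheme.lower()
    if scheme == "mhtml":
        # The mhtml: handler launches Internet Explorer even on Windows 10/11.
        findings.append("mhtml-handler")
    stem, ext = os.path.splitext(filename)
    if ext.lower() == ".url" and os.path.splitext(stem)[1]:
        # e.g. "Quarterly-Report.pdf.url": the inner extension disguises the shortcut.
        findings.append("double-extension")
    return findings


def attachment_blocked(filename: str) -> bool:
    """Gateway policy: refuse attachments whose final extension is on the block list."""
    return os.path.splitext(filename)[1].lower() in BLOCKED_ATTACHMENT_EXTENSIONS


if __name__ == "__main__":
    name = "Quarterly-Report.pdf.url"
    print(name, analyse_url_file(name, SAMPLE_URL_FILE), "blocked:", attachment_blocked(name))
```

A benign shortcut to an https:// intranet page produces no content findings, so the scheme check alone separates the lure from ordinary .url files; the extension block list is the coarser control that stops the file type at the gateway regardless of contents.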
Additional Resources
- https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38112
- https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/
RockYou2024 Implications
On July 4, a file containing almost 10 billion leaked passwords called Rockyou2024 was published to a hacking forum.
It is important to understand both what this file is and what it is not. The file does contain almost 10 billion plaintext passwords that have been compiled from thousands of data breaches over many years. It does not contain any sort of user information such as email addresses that could be tied to these passwords.
Threat actors can leverage dictionary files such as Rockyou2024 to assist with cracking password hashes in offline attacks or brute-forcing any target system that is not protected against brute-force attacks.
How To Protect Your Organization
- Utilize strong, random passwords or passphrases. Password dictionaries such as Rockyou2024 tend to contain simple, common, and widely used passwords.
- Use unique passwords on every account. This prevents attack techniques such as credential stuffing. Password managers are a great way to help users manage large sets of unique passwords.
- Implement multi-factor authentication (MFA) wherever possible. With MFA, even if the threat actor knows the correct password, there is still another control they must bypass before they can successfully authenticate.
- Implement rate-limiting and account lockout features where possible. This greatly reduces the impact of brute-force attacks.
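As an added example (not code from the briefing), the Python below puts three of the recommendations above into working form: rejecting a chosen password that appears in a breach wordlist (checked case-insensitively, since dictionaries like RockYou2024 contain the plain strings people actually typed), generating a random replacement of the kind a password manager stores, and a per-account throttle that locks the account after repeated failures so an online brute-force attempt cannot run through a wordlist. The six-line wordlist is a constructed stand-in for the real file; the throttle takes the current time as an argument so its behaviour is reproducible.

```python
import secrets
import string
from collections import defaultdict

# Constructed excerpt standing in for a compiled breach wordlist such as
# RockYou2024: one plaintext password per line, no account data.
SAMPLE_WORDLIST = """\
123456
password
qwerty123
letmein
Summer2024!
Welcome1
"""


def load_wordlist(text: str) -> set:
    """Normalise a wordlist to a set of lower-cased entries for membership checks."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def password_problems(candidate: str, wordlist: set, min_length: int = 14) -> list:
    """Return the reasons a candidate password should be rejected (empty list = acceptable)."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too-short")
    if candidate.lower() in wordlist:
        problems.append("in-breach-list")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would generate and store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class LoginThrottle:
    """Per-account failure counting with a lockout window.

    The caller passes the current time (e.g. time.monotonic()) so the logic is testable.
    """

    def __init__(self, max_failures: int = 5, window: float = 300.0, lockout: float = 900.0):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds an account stays locked
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def attempt(self, account: str, credentials_valid: bool, now: float) -> str:
        """Record one login attempt and return "locked", "ok" or "failed"."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"             # refuse even a correct password while locked
        if credentials_valid:
            self._failures[account].clear()
            return "ok"
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    print("Summer2024!", password_problems("Summer2024!", words))
    throttle = LoginThrottle()
    print([throttle.attempt("alice", False, float(t)) for t in range(5)])
```

The throttle returns "locked" for a correct password submitted during the lockout period, which is the property that makes a dictionary attack against the login endpoint impractical; the breach-list check is the control that stops the user from choosing a password the dictionary already contains.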
Additional Resources
- https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
- https://www.mcafee.com/blogs/internet-security/rockyou2024-unpacking-the-largest-password-leak-in-history/
Vulnerability Roundup
New Microsoft Outlook 0-click RCE CVE-2024-38021
Security researchers at Morphisec discovered a new 0-click remote code execution vulnerability in Microsoft Outlook, tracked as CVE-2024-38021. While few technical details about the vulnerability and exploit have been shared, Morphisec claims the exploit requires no user interaction (0-click) when the malicious email is sent from a trusted sender. The vulnerability disclosure also states that this vulnerability has a relatively high attack complexity. Full technical details and proof-of-concept exploit code are scheduled to be revealed at DEF CON 32 in early August. Administrators are strongly advised to apply the latest Microsoft patch as soon as possible.
- https://blog.morphisec.com/cve-2024-38021-microsoft-outlook-moniker-rce-vulnerability
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38021
Microsoft SharePoint RCEs
A set of new remote code execution vulnerabilities in Microsoft SharePoint were disclosed as part of Microsoft's July Patch Tuesday, tracked as CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023. All of the vulnerabilities stem from improper handling of deserialization of file parameters during file uploads and API requests. Proof-of-concept code is already in the wild. However, in order for a threat actor to successfully exploit these vulnerabilities, they must be authenticated as a user with Site Owner permissions or higher. Administrators are urged to apply the Microsoft patches as soon as possible.
- https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-july-9-2024-kb5002606-37569899-5abc-49a2-bd5e-f0ae45528f8f
- https://securityonline.info/rce-vulnerabilities-in-microsoft-sharepoint-server-poc-exploit-code-published/
- https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC
- https://foresiet.com/blog/understanding-sharepoint-remote-code-execution-exploits
Exim mail transfer agent (MTA) Security Bypass CVE-2024-39929
A critical vulnerability in the Exim MTA was disclosed last week. The flaw is due to incorrect parsing of multiline RFC 2231 header filenames, which allows threat actors to bypass the $mime_filename extension-blocking protection mechanism, so that executable (potentially malicious) attachments are delivered to the mailboxes of end users. This vulnerability affects Exim versions through 4.97.1. A recent internet scan by Censys shows over 1,500,000 potentially vulnerable servers open to the internet. Administrators are urged to patch to version 4.98 or higher as soon as possible.
- https://censys.com/cve-2024-39929/
- https://www.bleepingcomputer.com/news/security/critical-exim-bug-bypasses-security-filters-on-15-million-mail-servers/
- https://nvd.nist.gov/vuln/detail/CVE-2024-39929
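As an added illustration of the weakness class (not Exim's code and not a reproduction of the actual bug), the Python below builds a constructed MIME message whose attachment name is split across RFC 2231 continuation parameters (filename*0, filename*1) on folded lines. A naive filter that reads only the first filename parameter sees "invoice.pd" and lets the attachment through, while an RFC 2231-aware parser (here the standard library's email module) reassembles "invoice.pdf.exe" and the extension block applies. The block list and the message are constructed for this example.

```python
import email
import os
import re

# Constructed gateway policy: attachment extensions that are refused.
BLOCKED_EXTENSIONS = {".exe", ".hta", ".scr", ".url", ".js", ".vbs"}

# Constructed message: the attachment name is split across RFC 2231
# continuation parameters on separate folded header lines.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Please see the attached invoice.
--sample-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="invoice.pd";
 filename*1="f.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--sample-boundary--
"""


def naive_filename(disposition: str):
    """Single-parameter parse that ignores continuations: it returns only the
    first filename or filename*0 value. Constructed to show the weakness
    class; it is not Exim's parser."""
    match = re.search(r'filename(?:\*0)?="([^"]*)"', disposition)
    return match.group(1) if match else None


def extension_blocked(filename) -> bool:
    """Apply the block list to the final extension of the resolved filename."""
    return filename is not None and os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def scan_attachments(raw_message: str) -> list:
    """Return, per attachment, what a naive parser and an RFC 2231-aware parser each see."""
    results = []
    message = email.message_from_string(raw_message)
    for part in message.walk():
        disposition = part.get("Content-Disposition")
        if not disposition or not disposition.lower().startswith("attachment"):
            continue
        naive = naive_filename(disposition)
        full = part.get_filename()   # stdlib joins filename*0, filename*1, ... in order
        results.append({
            "naive": naive,
            "naive_blocked": extension_blocked(naive),
            "rfc2231": full,
            "blocked": extension_blocked(full),
        })
    return results


if __name__ == "__main__":
    for verdict in scan_attachments(SAMPLE_MESSAGE):
        print(verdict)
```

The practical lesson for anyone writing or tuning attachment filters is that the extension decision must be made on the fully reassembled, decoded filename, never on a single raw header parameter.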
Blast-RADIUS CVE-2024-3596
An authentication bypass vulnerability in the RADIUS protocol was disclosed in early July. Tracked as CVE-2024-3596 and nicknamed Blast-RADIUS, the attack is a man-in-the-middle between the RADIUS client and server in which a threat actor forges a valid Access-Accept message.
This forgery is possible because the RADIUS protocol authenticates responses with MD5 hashes, and MD5 is susceptible to what is known as a collision (where two or more inputs have the same MD5 hash value). Once the threat actor has computed the forged MD5 hash, they can inject it into the communication stream and log in as an authenticated user without knowing the credentials. Details of the attack method are on the Blast-RADIUS attack-details page linked below.
According to the research on this attack, the MD5 forgery takes several minutes, which is longer than the typical timeouts for RADIUS deployments. However, the researchers noted that the exploitation process could be optimized by a well-resourced attacker, significantly reducing the time needed to calculate the forged MD5 hash.
Network administrators are urged to switch to the more secure RADIUS over TLS (RADSEC) and restrict access from the open internet where possible.
- https://www.blastradius.fail/attack-details
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3596
- https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
- https://datatracker.ietf.org/doc/html/rfc6614
- https://www.bleepingcomputer.com/news/security/new-blast-radius-attack-bypasses-widely-used-radius-authentication/
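As an added example (not code from the briefing or from the Blast-RADIUS researchers), the Python below implements the Response Authenticator of RFC 2865 section 3, which is the check a RADIUS client performs on an Access-Accept: a single MD5 over the packet header, the client's Request Authenticator, the attributes and the shared secret. The point of the example is to show how thin that integrity check is, which is why a collision in MD5 translates directly into a forged accept and why the briefing recommends moving to RADIUS over TLS. No collision is computed here; the request authenticator and shared secret are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
REPLY_MESSAGE = 18


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept or Access-Reject for a given request."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: the integrity check RFC 2865 defines is recomputing this one MD5.
    Anyone who can produce a packet whose MD5 matches, with or without the secret,
    passes this check; that is the surface the Blast-RADIUS research targets."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_authenticator,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed stand-ins for the client's random Request Authenticator and the shared secret.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, build_attribute(REPLY_MESSAGE, b"Welcome"), secret)
    print("accept verifies:", verify_response(accept, req_auth, secret))
    print("code flipped to reject verifies:", verify_response(bytes([ACCESS_REJECT]) + accept[1:], req_auth, secret))
```

RADSEC (RFC 6614, linked above) wraps the whole exchange in TLS, so the MD5 digest is no longer the only thing standing between an on-path attacker and a forged accept.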
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.
Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.