CVE-2024-21412: SmartScreen Zero-Day Exploited by “Water Hydra” Hackers

As part of its February 2024 Patch Tuesday security update, Microsoft fixed a vulnerability in Microsoft Defender SmartScreen that attackers were actively exploiting to distribute the DarkMe remote access trojan. Let us take a closer look at these attacks.

The zero-day vulnerability CVE-2024-21412 (CVSS: 8.1) was discovered in late December 2023, on the eve of the New Year, when researchers from Trend Micro observed it being exploited in the wild by the financially motivated hacker group Water Hydra, also known as DarkCasino.

Microsoft classifies the vulnerability as a security feature bypass: an unauthenticated attacker can send a victim a specially crafted file that is designed to evade the security checks SmartScreen would normally display, so the user never sees the usual warning before opening content that came from the internet.

Cyber Espionage

The attack requires user interaction: the attacker has to convince the victim to click on the file link, because the infection chain does not proceed without that action. Social engineering therefore plays a key role.

Trend Micro security researcher Peter Girnus, who reported CVE-2024-21412, noted in his technical analysis that it bypasses the fix Microsoft shipped for an earlier SmartScreen vulnerability, CVE-2023-36025 (CVSS: 8.8), which was patched in November 2023.

According to Trend Micro, the attacks exploiting this vulnerability targeted currency market (forex) traders, with the goal of stealing data or deploying ransomware.

The malicious link, disguised as a legitimate website for traders, was spread mainly through stock trading forums and trading-themed Telegram channels.

The attackers posted messages in several languages offering help with stock trading and handed out fake technical analysis tools and charts. Whatever the pretext, the end goal was the same: to get traders to install the DarkMe malware.

Water Hydra has exploited zero-day vulnerabilities before, including a critical flaw in the WinRAR archiver (CVE-2023-38831), software with a claimed user base of more than 500 million.

These attacks underscore the importance of applying security updates promptly and of staying aware of current threats. In this campaign, both the patch and a healthy suspicion of unsolicited trading tools and links posted in forums and Telegram channels would have broken the chain, since the exploit still depends on the victim clicking the link. Only with that kind of vigilance can traders avoid becoming victims of financial fraud.