
NormCyber Threat Bulletin: 11th December 2024

EternalBlue and the Persistent Threat of N-Day Attacks

The Vulnerability Lifecycle
Vulnerability management is often seen as a linear process: identify, assess, patch, and protect. Yet the story of EternalBlue and other N-Day vulnerabilities tells a different tale, one of recurring threats that demand a cyclical approach. Microsoft patched the underlying flaw in March 2017 (MS17-010), a month before the exploit itself was leaked publicly, yet EternalBlue (CVE-2017-0144) remains a linchpin of modern cyber attacks, reminding us that vulnerabilities don’t vanish with a single update. Instead, they linger on the systems that never received it, waiting for the unprepared.

EternalBlue: An N-Day Case Study
EternalBlue exploits a flaw in the SMBv1 server implementation in Windows (srv.sys), enabling an unauthenticated attacker to execute arbitrary code remotely on any host that exposes the service on TCP port 445. It became infamous during the May 2017 WannaCry ransomware outbreak, which crippled organisations globally by exploiting unpatched systems. Although the patch had been available for roughly two months, it hadn’t reached countless devices, particularly in critical industries reliant on legacy systems.

This pattern didn’t end with WannaCry. EternalBlue resurfaces in waves, used in attack chains that combine lateral movement with credential harvesting, and its lifecycle exemplifies the cyclical nature of vulnerability management: old flaws come back to haunt the ill-prepared.
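The practical question the case study raises is whether any host on your estate still speaks the SMBv1 dialect EternalBlue needs. The following is an added example, not code from the bulletin or from NormCyber: it hand-builds a raw SMB_COM_NEGOTIATE request that offers only the "NT LM 0.12" dialect and classifies the reply. The header flag values are the conventional ones a Windows client sends, and the replies used for the offline run are constructed rather than captured. Note the caveat: a positive result only proves SMBv1 is enabled, not that MS17-010 is missing, so treat it as a list of hosts to follow up, not a list of exploitable ones.

```python
"""Probe whether a host still accepts SMBv1, the dialect EternalBlue abuses.

Added example; not code from the bulletin. It hand-builds a raw SMB_COM_NEGOTIATE
request that offers only the "NT LM 0.12" dialect and classifies the reply:
an SMB1 header with a valid dialect index means the server still speaks SMBv1
and belongs on the MS17-010 follow-up list; an SMB2 header (0xFE 'S' 'M' 'B'),
a dialect index of 0xFFFF, or a closed socket means SMBv1 is off.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NTLM012 = b"NT LM 0.12"
# 28 bytes after the 4-byte magic: cmd, NTSTATUS, flags, flags2, pidhigh,
# 8-byte signature, reserved, tid, pid, uid, mid (all little-endian).
HEADER_FMT = "<BIBHH8sHHHHH"


def _smb1_header(flags: int) -> bytes:
    # flags2 0xC853: unicode, NT status codes, extended security, long names.
    return SMB1_MAGIC + struct.pack(
        HEADER_FMT, SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session-service header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=(DIALECT_NTLM012,)) -> bytes:
    """SMB1 negotiate: WordCount 0, ByteCount, then 0x02 + NUL-terminated string per dialect."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(_smb1_header(0x18) + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(raw: bytes) -> str:
    """Classify a framed negotiate reply as 'smb1', 'smb2' or 'unsupported'."""
    smb = raw[4:]  # strip the NetBIOS header
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "unsupported"
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return "unsupported"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    # 0xFFFF means the server accepted none of the offered dialects.
    return "unsupported" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send the probe over TCP; a server with SMBv1 disabled usually just closes the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            raw = s.recv(4096)
        except socket.timeout:
            return "unsupported"
    return parse_negotiate_response(raw) if raw else "unsupported"


def sample_reply(word_count: int, dialect_index: int) -> bytes:
    """Constructed server reply (not a capture) so the parser can be exercised offline."""
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    return _netbios(_smb1_header(0x98) + bytes([word_count]) + words + struct.pack("<H", 0))


if __name__ == "__main__":
    # Offline demonstration on constructed replies, then an optional live probe.
    print("SMBv1 server reply  ->", parse_negotiate_response(sample_reply(17, 0)))
    print("no-dialect reply    ->", parse_negotiate_response(sample_reply(1, 0xFFFF)))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_smb1(sys.argv[1]))
```

Run it with a hostname or address as the only argument to probe a live server; without arguments it only exercises the parser on the constructed replies. Any host that returns `smb1` should be checked for the MS17-010 update and, where the protocol is not genuinely required, have SMBv1 removed rather than merely patched.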

A Recurring Problem: N-Day Vulnerabilities
EternalBlue is far from alone. A wide array of older CVEs has re-emerged in modern attacks, and several high-profile vulnerabilities continue to pose significant threats despite their initial disclosures and subsequent patches.

Log4Shell (CVE-2021-44228), a critical flaw in the Apache Log4j library, remains a prominent target, with attackers exploiting it for remote code execution in various systems. Similarly, BlueKeep (CVE-2019-0708), a pre-authentication remote code execution vulnerability in Remote Desktop Services (RDP), has become a favourite for cybercriminals seeking to compromise unpatched systems. Follina (CVE-2022-30190), a flaw in the Microsoft Support Diagnostic Tool (MSDT), has also been widely exploited in phishing campaigns, allowing attackers to execute code through the ms-msdt: protocol handler from crafted Office documents.

These CVEs, although patched, persist because vulnerability management cycles lapse: organisations that fail to revisit and fortify their defences against these flaws remain exposed to evolving attack strategies.

Closing the Circle
Addressing N-Day vulnerabilities requires a shift in mindset. The goal isn’t just patching newly discovered flaws but continuously revisiting known vulnerabilities to prevent their exploitation.

Exploits thrive in environments with single-point defences, so network segmentation, intrusion detection and behaviour-based monitoring are essential. Legacy systems in critical infrastructure that cannot be patched need regular risk assessments and compensating controls such as virtual patching to reduce the exposure.

Learning from EternalBlue
The story of EternalBlue illustrates the danger of treating vulnerabilities as one-time problems. Its continued use in ransomware and malware campaigns demonstrates how attackers adapt, using familiar tools in unexpected ways. By closing the loop on vulnerability management—regularly cycling back to assess and secure against both new and old threats—organisations can disrupt this cycle of exploitation.

The resurgence of N-Day attacks, powered by vulnerabilities like Log4Shell, BlueKeep, and ProxyLogon, underscores this need for vigilance. Full-circle vulnerability management isn’t just a process; it’s a strategy for staying ahead in the ever-evolving cyber threat landscape.

By utilising NormCyber’s Vulnerability Management service, customers can track, prioritise and remediate publicly disclosed vulnerabilities such as these, including those reported through vendor bug bounty programs, rather than relying on a single patch cycle to close them.

References:
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities (fortinet.com)
2024 Midyear Threat Landscape Review (blog.qualys.com)
The Overlooked Problem of ‘N-Day’ Vulnerabilities (darkreading.com)

Windows Defender SmartScreen Zero-Day Vulnerability (CVE-2024-21412)

Executive Summary
This report details the discovery and exploitation of a zero-day vulnerability in Microsoft Windows Defender SmartScreen, identified as CVE-2024-21412. The vulnerability was exploited by the Water Hydra advanced persistent threat (APT) group, also known as DarkCasino, targeting financial market traders. The report provides an overview of the vulnerability, its exploitation methods, and mitigation strategies.

Introduction
Windows Defender SmartScreen is a security feature designed to protect users from phishing attacks and malicious software by blocking potentially harmful downloads and websites. However, CVE-2024-21412 represents a significant bypass of this security measure: a crafted internet shortcut (.url) file could cause Windows to open a file fetched from a remote share without SmartScreen’s check being applied, allowing attackers to deliver malicious payloads without the user ever seeing a warning.

Vulnerability Details
CVE-2024-21412 is a security feature bypass in the way Windows handles internet shortcut (.url) files. A shortcut whose target is a second .url file hosted on an attacker-controlled share is followed without the SmartScreen and Mark-of-the-Web check that would normally warn the user about the downloaded file. The vulnerability was discovered in mid-January 2024 by Trend Micro’s Zero Day Initiative and was already being exploited as a zero-day by the Water Hydra APT group. The attackers used fake software installers masquerading as legitimate software, such as Apple iTunes and NVIDIA, to deliver malicious payloads.

Exploitation Techniques
The exploitation of CVE-2024-21412 involved several stages:

  1. Phishing Campaign: Attackers used phishing emails containing PDFs that abused open redirects in Google DoubleClick Digital Marketing (DDM) technologies. These redirects led users to compromised web servers hosting an internet shortcut (.url) file that in turn led to a malicious Microsoft Software Installer (.MSI) package.
  2. Fake Software Installers: The malicious .MSI installers contained a sideloaded DLL that decrypted and executed the DarkGate malware payload. DarkGate operates on a malware-as-a-service (MaaS) model and is known for targeting financial institutions and other high-value targets.
  3. Bypassing SmartScreen: Because the shortcut chain exploited CVE-2024-21412, SmartScreen never displayed its warning for the downloaded installer, so the payload ran without the user being prompted and without the protection the feature is meant to provide.
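For incident responders triaging email attachments or download folders, the distinctive artefact in this chain is the internet shortcut itself. The script below is an added example, not code from the bulletin or from Trend Micro. It parses the INI-style .url format and flags the nested-shortcut pattern (a target that is itself a .url file on a remote host), which is the chain assumed from the Trend Micro analysis; the shortcut contents used as input are constructed samples, not captured artefacts, and the 203.0.113.0/24 address is a documentation range.

```python
"""Triage Windows internet-shortcut (.url) files for the nested-shortcut pattern
used against CVE-2024-21412.

Added example; not code from the bulletin or from Trend Micro. It assumes the
chain in their analysis: an outer .url whose target is a second .url on an
attacker-controlled share, which Windows followed without the SmartScreen /
Mark-of-the-Web check. The shortcut contents below are constructed samples.
"""
import re
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_url_file(text: str) -> dict:
    """Return the key=value pairs under [InternetShortcut] with lower-cased keys."""
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(target: str):
    """Host a UNC path (\\\\host\\share\\...) or file: URL would be fetched from, else None."""
    t = target.replace("\\", "/")
    if t.lower().startswith("file:"):
        t = t[5:].lstrip("/")
        if re.match(r"^[A-Za-z]:(/|$)", t):  # file:///C:/... is a local path
            return None
        t = "//" + t
    if t.startswith("//"):
        host = t[2:].split("/", 1)[0]
        return host if host and host.lower() not in LOCAL_HOSTS else None
    return None


def triage_url_file(text: str) -> list:
    """Reasons the shortcut looks like a SmartScreen-bypass lure; empty list means nothing flagged."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ["no URL= entry under [InternetShortcut]"]
    reasons = []
    host = remote_host(target)
    if host:
        reasons.append(f"target is fetched from remote host {host} via UNC/file:")
    if target.lower().endswith(".url"):
        reasons.append("target is itself a .url shortcut (nested shortcut, the CVE-2024-21412 pattern)")
    scheme = urlsplit(target).scheme.lower()
    # Single-letter "schemes" are Windows drive letters (C:\...), not URL schemes.
    if len(scheme) > 1 and scheme not in ("http", "https", "file"):
        reasons.append(f"target uses unusual scheme '{scheme}:'")
    icon_host = remote_host(fields.get("iconfile", ""))
    if icon_host:
        reasons.append(f"IconFile is on remote host {icon_host}: rendering the icon alone touches the share")
    return reasons


# Constructed samples (documentation address range, not real infrastructure)
LURE = """[InternetShortcut]
URL=file://203.0.113.5/share/iTunes-Setup.url
IconIndex=0
"""
BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, text in (("LURE", LURE), ("BENIGN", BENIGN)):
        print(name, "->", triage_url_file(text) or "nothing flagged")
```

On a Windows host the companion check is whether the downloaded file carries the Mark-of-the-Web at all (`Get-Item -Path <file> -Stream Zone.Identifier` in PowerShell); a file that arrived through this chain will typically have no such stream even though it came from the internet.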

Impact
The exploitation of CVE-2024-21412 had significant implications for affected users and organisations. The DarkGate payload gave attackers remote access to infected systems, from which they could steal sensitive information and potentially disrupt operations. Financial market traders were specifically targeted, exposing them to direct financial loss as well as compromise of their systems.

Mitigation Strategies
To mitigate the risk posed by CVE-2024-21412, Microsoft issued a patch on February 13, 2024. Users and organisations are advised to:

  1. Apply Security Patches: Ensure that all systems are updated with the latest security patches from Microsoft.
  2. Use Antivirus Software: Deploy reputable antivirus software to detect and block malicious payloads.
  3. Educate Users: Train users to recognise phishing emails and avoid downloading software from untrusted sources.
  4. Enable Additional Security Measures: Implement additional security measures, such as web filtering and endpoint protection, and block outbound SMB (TCP 445) to the internet at the perimeter, since the shortcut chain fetched its second stage from a remote share. SmartScreen is a warning, not a control, and should not be the only layer between a user and a downloaded executable.

Conclusion
CVE-2024-21412 highlights the importance of proactive security measures and timely patching to protect against emerging threats. By staying informed and implementing robust security practices, organisations can mitigate the risk of zero-day vulnerabilities and safeguard their systems from malicious attacks.

References:
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign (trendmicro.com)

Realst Infostealer Malware Poses as Web Conferencing Apps in Targeted Blockchain Industry Attack

Threat actors have been approaching individuals in the blockchain industry (Web3 workers) via the Telegram application. The individual is approached under the guise of a potential investment opportunity and told to download a conferencing app for further discussion. The app’s name has changed numerous times; names seen include Meetone, Meetio, Meeten, Clusee and Cuesee, and there have potentially been many more.

Figure 1 – Conferencing app utilised by threat actors (The Hacker News)

The malware targets both macOS and Windows devices. The Mac version of the software downloads a package file, which has been seen as CallCSSetup.pkg but may have other names. On execution it uses the command-line tool osascript to display a dialog asking the user to enter their password. Once the user has submitted it, a message appears stating that the app cannot connect to the server and that the user should try again or use a VPN. While this is happening, the Realst malware is stealing the user’s Telegram credentials, keychain data, Trezor and Ledger wallet data, card information, auto-filled credentials and cookies from various browsers, including Opera, Brave and Chrome.

Figure 2 – Realst malware download (Cado)
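The osascript password dialog is the weak point of the macOS chain from a defender’s perspective: macOS asks for a user’s password through its own authorisation dialog, not through an AppleScript prompt, so any osascript invocation that builds a hidden-answer dialog deserves an alert. The following is an added example, not code from the bulletin or from the cited reports. The process events it runs over are constructed, and the command-line pattern it matches (AppleScript’s `display dialog ... default answer "" with hidden answer`) is an assumption about how such prompts are typically scripted, not a quotation from the Realst sample.

```python
"""Flag osascript invocations that build a password-style dialog, the trick
the Realst macOS package uses to harvest the login password.

Added example; not code from the bulletin or the cited reports. The sample
process events are constructed, and the command-line pattern is an assumption
about how such prompts are typically scripted, not a quote from Realst.
"""
import re

# Constructed endpoint telemetry: timestamp | parent process | executable | command line
SAMPLE_EVENTS = [
    "2024-12-05T10:14:02Z|/private/tmp/PKInstallSandbox.abc123/Scripts/com.example.callcs.xyz/postinstall"
    "|/usr/bin/osascript|osascript -e 'display dialog \"Required Application Helper. Please enter "
    "password to continue.\" default answer \"\" with hidden answer buttons {\"Continue\"}'",
    "2024-12-05T10:14:03Z|/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
    "|/usr/bin/osascript|osascript -e 'tell application \"Finder\" to get name of startup disk'",
    "2024-12-05T10:15:10Z|/bin/bash|/usr/bin/osascript"
    "|osascript -e 'display dialog \"Update available\" buttons {\"OK\"}'",
    "2024-12-05T10:16:44Z|/Volumes/Meeten/Meeten.app/Contents/MacOS/Meeten"
    "|/usr/bin/osascript|osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'",
]

PASSWORD_WORDS = re.compile(r"password|passcode|credentials", re.IGNORECASE)
HIDDEN_ANSWER = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)
# Parents that suggest an installer script or a freshly mounted disk image rather than an admin at a shell.
SUSPICIOUS_PARENT_PREFIXES = ("/Volumes/", "/private/tmp/", "/tmp/")


def score_event(line: str) -> dict:
    """Score one event. 'alert' is True when osascript builds a dialog that asks for a password
    or collects a hidden answer; the parent path is added as context when it looks suspicious."""
    ts, parent, exe, cmd = line.split("|", 3)
    reasons = []
    if exe.endswith("/osascript") and "display dialog" in cmd:
        if HIDDEN_ANSWER.search(cmd):
            reasons.append("dialog collects a hidden (password-style) answer")
        if PASSWORD_WORDS.search(cmd):
            reasons.append("dialog text asks for a password")
        if reasons and parent.startswith(SUSPICIOUS_PARENT_PREFIXES):
            reasons.append(f"launched from {parent}")
    return {"time": ts, "parent": parent, "alert": bool(reasons), "reasons": reasons}


def detect(events) -> list:
    """Return the scored events that raised an alert, in input order."""
    return [scored for scored in map(score_event, events) if scored["alert"]]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["time"], hit["parent"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Only the first and last sample events are flagged: the Finder query and the plain "Update available" dialog are ordinary osascript use and produce no reasons. In real telemetry the same logic applies to whatever field carries the process command line, and the parent-path prefixes should be tuned to where your own installers legitimately run from.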

A Nullsoft Scriptable Install System (NSIS) file called MeetenApp.exe is used to distribute Realst to Windows devices. The file carries a digital signature made with a stolen certificate belonging to Brys Software. The installer contains a 7-Zip archive and the core of an Electron application, which holds JavaScript and other resources. The Electron application connects to a remote server and downloads a password-protected zip archive containing a system profiler and the payload. The executable attempts to collect similar information to the macOS version. The Windows version, however, is better at evading detection, has a more complex payload delivery chain and maintains persistence across reboots through a registry modification.

The Human Risk Management module from Norm can educate users on how to spot a likely malicious email or message. With this education, users would not only be more aware of the tactics attackers use but also better placed to exercise caution before clicking on suspicious links. It is also recommended to take a minute to assess an email or message before responding, to be wary of unsolicited requests to install a new app for a call, and never to give remote access to your device.

References:
Crypto-stealing malware posing as a meeting app targets Web3 pros (bleepingcomputer.com)
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows (cadosecurity.com)
Fake video conferencing apps are targeting Web3 workers to steal their data (techradar.com)
Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals’ Data (thehackernews.com)

Get Norm’s threat bulletin direct to your inbox

Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: