INDIA NEWS – News Blog – http://www.indiavpn.org

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
Wed, 10 Apr 2024 05:16:57 +0000
http://www.indiavpn.org/2024/04/10/microsoft-fixes-149-flaws-in-huge-april-patch-release-zero-days-included/

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The count is in addition to 21 vulnerabilities that the company addressed in its Chromium-based Edge browser since the release of the March 2024 Patch Tuesday fixes.

The two shortcomings that have come under active exploitation are listed below –

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that’s signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”

Present within the purported authentication service is a component called 3proxy that’s designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Sophos researcher Andreas Klopsch said.

The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.

The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender Smartscreen protections when opening a specially crafted file.

“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft said.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an “Exploitation More Likely” assessment.

Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond said.

In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.

“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.

It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it’s worth noting that the change only applies to advisories published from March 2024 onward.

“The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability,” Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.

“The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment.”

In a related development, cybersecurity firm Varonis detailed two methods that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.

The first approach takes advantage of SharePoint’s “Open in App” feature to access and download files, whereas the second uses the User-Agent string of Microsoft SkyDriveSync, the OneDrive sync client, to download files or even entire sites, which causes the activity to be logged as file syncs rather than downloads.

Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although the issues have been added to its patch backlog program. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, specifically large volumes of file downloads within a short period.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” Eric Saraga said.
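As an added illustration of the monitoring advice above (example code written for this page, not tooling from Varonis, Microsoft or The Hacker News): the script below treats FileAccessed and FileSyncDownloadedFull events as download-equivalents alongside FileDownloaded, and raises an alert when one user accumulates a threshold number of them within a sliding time window. It also shows what a rule keyed only on FileDownloaded would see, which is how the two bypasses stay under the radar. The audit records are constructed for the example; the field names (Workload, Operation, UserId, UserAgent, CreationTime, ObjectId), the mapping of “Open in App” to FileAccessed and of sync-client downloads to FileSyncDownloadedFull, and the SkyDriveSync User-Agent string are assumptions modeled on the Microsoft 365 Unified Audit Log, not details taken from the article.

```python
"""Detect SharePoint bulk exfiltration hidden behind access and sync events.

Added example written for this page; not tooling from Varonis, Microsoft or
The Hacker News. The audit records are constructed, and the field names
(Workload, Operation, UserId, UserAgent, CreationTime, ObjectId) as well as
the event types FileAccessed ("Open in App") and FileSyncDownloadedFull
(sync-client download) are assumptions modeled on the Microsoft 365 Unified
Audit Log schema.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Every operation that delivers file contents to the client. A rule that only
# counts FileDownloaded misses the other two, which is what the bypasses rely on.
DOWNLOAD_EQUIVALENT = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}
SYNC_UA_MARKER = "SkyDriveSync"  # assumed substring of the OneDrive sync client UA


def parse_record(line):
    """Parse one JSON audit record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["CreationTime"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    return rec


def naive_download_counts(lines):
    """What a rule keyed only on FileDownloaded sees per user."""
    records = (parse_record(line) for line in lines)
    return Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")


def find_bulk_exfil(lines, threshold=50, window=timedelta(minutes=10)):
    """Alert when one user accumulates `threshold` download-equivalent events
    within a sliding `window`; returns one alert dict per burst."""
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["CreationTime"])
    per_user = defaultdict(deque)
    alerts = []
    for rec in records:
        if rec.get("Workload") != "SharePoint" or rec.get("Operation") not in DOWNLOAD_EQUIVALENT:
            continue
        q = per_user[rec["UserId"]]
        q.append(rec)
        # Evict events that fell out of the window (q always holds rec itself).
        while rec["CreationTime"] - q[0]["CreationTime"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": rec["UserId"],
                "start": q[0]["CreationTime"],
                "end": rec["CreationTime"],
                "events": len(q),
                "by_operation": dict(Counter(r["Operation"] for r in q)),
                # Events that a download-only rule would have ignored.
                "disguised": sum(1 for r in q if r["Operation"] != "FileDownloaded"),
                "sync_client_events": sum(1 for r in q if SYNC_UA_MARKER in r.get("UserAgent", "")),
                "sample_objects": [r["ObjectId"] for r in list(q)[:3]],
            })
            q.clear()  # one alert per burst; start a fresh window afterwards
    return alerts


# --- constructed sample log (not real tenant data) ---------------------------
def _make_line(ts, user, op, ua, obj):
    return json.dumps({
        "CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "Workload": "SharePoint",
        "Operation": op,
        "UserId": user,
        "UserAgent": ua,
        "ObjectId": obj,
    })


_T0 = datetime(2024, 4, 9, 9, 0, 0)
_SYNC_UA = "Microsoft SkyDriveSync 24.020.0128.0001 ship; Windows NT 10.0 (19045)"
_BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"

SAMPLE_LINES = (
    # mallory pulls 60 files in five minutes through the sync client: no FileDownloaded at all
    [_make_line(_T0 + timedelta(seconds=5 * i), "mallory@example.com", "FileSyncDownloadedFull",
                _SYNC_UA, f"https://contoso.sharepoint.com/sites/finance/Shared Documents/q1/report{i}.xlsx")
     for i in range(60)]
    # alice downloads a handful of files from the browser: ordinary activity
    + [_make_line(_T0 + timedelta(minutes=2 * i), "alice@example.com", "FileDownloaded",
                  _BROWSER_UA, f"https://contoso.sharepoint.com/sites/hr/Shared Documents/policy{i}.docx")
       for i in range(5)]
)

if __name__ == "__main__":
    print("download-only view:", dict(naive_download_counts(SAMPLE_LINES)))
    for alert in find_bulk_exfil(SAMPLE_LINES):
        print(json.dumps(alert, default=str, indent=2))
```

On the sample data the download-only view reports five downloads for alice and nothing for mallory, while the download-equivalent rule raises one alert on mallory with 50 disguised sync-client events in the first four minutes. In production the threshold and window should be tuned per tenant, and the sync-client events should additionally be checked against the set of managed devices, since a legitimate OneDrive client enrolling a new site also produces a burst of FileSyncDownloadedFull.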

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

CISA and OpenSSF Release Framework for Package Repository Security
Mon, 12 Feb 2024 15:43:57 +0000
http://www.indiavpn.org/2024/02/12/cisa-and-openssf-release-framework-for-package-repository-security/

Feb 12, 2024 – The Hacker News – Infrastructure Security / Software Supply Chain

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it’s partnering with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish a new framework to secure package repositories.

Called the Principles for Package Repository Security, the framework aims to establish a set of foundational rules for package managers and further harden open-source software ecosystems.

“Package repositories are at a critical point in the open-source ecosystem to help prevent or mitigate such attacks,” OpenSSF said.

“Even simple actions like having a documented account recovery policy can lead to robust security improvements. At the same time, capabilities must be balanced with resource constraints of package repositories, many of which are operated by non-profit organizations.”

Notably, the principles lay out four security maturity levels for package repositories across four categories: authentication, authorization, general capabilities, and command-line interface (CLI) tooling –

  • Level 0 – Very little security maturity
  • Level 1 – Basic security maturity, such as multi-factor authentication (MFA) and a way for security researchers to report vulnerabilities
  • Level 2 – Moderate security, which includes actions like requiring MFA for critical packages and warning users of known security vulnerabilities
  • Level 3 – Advanced security, which requires MFA for all maintainers and supports build provenance for packages

All package management ecosystems should be working towards at least Level 1, the framework authors Jack Cable and Zach Steindler note.

The ultimate objective is to let package repositories self-assess their security maturity and formulate a plan to strengthen their security controls over time.

“Security threats change over time, as do the security capabilities that address those threats,” OpenSSF said. “Our goal is to help package repositories more quickly deliver the security capabilities that best help strengthen the security of their ecosystems.”

The development comes as the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of security risks arising as a result of using open-source software for maintaining patient records, inventory management, prescriptions, and billing.

“While open-source software is the bedrock of modern software development, it is also often the weakest link in the software supply chain,” it said in a threat brief published in December 2023.

BreachForums Founder Sentenced to 20 Years of Supervised Release, No Jail Time
Tue, 23 Jan 2024 11:42:38 +0000
http://www.indiavpn.org/2024/01/23/breachforums-founder-sentenced-to-20-years-of-supervised-release-no-jail-time/

Jan 23, 2024 – Newsroom – Cyber Crime / Dark Web

Conor Brian Fitzpatrick has been sentenced to time served and 20 years of supervised release for his role as the creator and administrator of BreachForums.

Fitzpatrick, who went by the online alias “pompompurin,” was arrested in March 2023 in New York and was subsequently charged with conspiracy to commit access device fraud and possession of child pornography. He was later released on a $300,000 bond, and in July 2023, he pleaded guilty to the charges.

BreachForums was a major cyber crime marketplace that facilitated the trafficking of stolen data since March 2022. Prior to its shutdown, the website boasted of over 340,000 members.

Among the stolen items commonly sold on the platform were bank account information, Social Security numbers, personally identifying information (PII), hacking tools, breached databases, and account login information for compromised online accounts with service providers and merchants.

BreachForums also advertised services for gaining unauthorized access to victim systems. In all, millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies are estimated to have been impacted.

On top of that, Fitzpatrick operated a “Leaks Market,” acting as a trusted middleman (i.e., escrow) between individuals on the website who sought to trade hacked or stolen data, tools, and other illicit material.

“In addition, Fitzpatrick allegedly managed an ‘Official’ databases section through which BreachForums directly sold access to verified hacked databases through a “credits” system administered by the platform,” the U.S. Department of Justice said.

Court records obtained by DataBreaches.net show that Fitzpatrick’s mental health may have had a role in him escaping a prison sentence. A day before sentencing, prosecutors recommended a 15-year prison sentence for the defendant.

The 21-year-old is expected to serve the first two years of supervised release under house arrest with a GPS location tracker and to undergo mental health treatment. He has also been ordered to refrain from using the internet for the first year and to register with the state sex offender registration agency in any state where he resides.

The amount of restitution Fitzpatrick has to pay for victims’ losses has yet to be determined. Earlier this month, Fitzpatrick was jailed for violating the terms of his pre-sentencing release by using an unmonitored computer and a virtual private network (VPN).

That said, the law enforcement seizure of its domains in March 2023 did little to keep the illicit service offline. In November 2023, BreachForums was resurrected by the infamous ShinyHunters group, which was previously active on RaidForums, whose takedown led to the launch of BreachForums in the first place.
