Microsoft has released a large batch of updates this week that fixes a large number of vulnerabilities, including some used by cybercriminals to distribute malware. Among the 150 patched vulnerabilities are CVE-2024-26234 and CVE-2024-29988, two zero-day vulnerabilities of extreme severity.
Initially, Microsoft did not mark these two vulnerabilities as actively exploited, but both Sophos and Trend Micro, two cybersecurity companies, shared information with the company on how they were actively exploited in a series of attacks.
In the case of CVE-2024-26234, a proxy driver impersonation vulnerability, Sophos shared that this CVE is assigned to a malicious driver signed with a valid Microsoft Hardware Publisher certificate, and that it was reportedly used to deploy a backdoor previously disclosed by Stairwell.
CVE-2024-29988, on the other hand, is a bypass of the patch for CVE-2024-21412 (itself a bypass of the patch for CVE-2023-36025), which allows attachments to evade Microsoft Defender SmartScreen warnings when the file is opened. It was used by the financially motivated hacking group Water Hydra to attack currency trading forums and Telegram channels for stock trading in spearphishing attacks that deployed the DarkMe remote access trojan (RAT).