Critical vulnerability bypassing Windows SmartScreen warning shows why layered security defences matter

A security researcher working at Fortinet’s FortiGuard Labs has revealed how a high-rated vulnerability in Microsoft’s Windows SmartScreen protection bypassed warning dialogues to deliver malware.

CVE-2024-21412 is known to have been exploited in the wild but was patched by Microsoft in February. The NIST National Vulnerability Database entry for CVE-2024-21412 states that the vulnerability has been “modified since it was last analysed” and is currently “awaiting reanalysis which may result in further changes to the information provided”.

What we know, however, is that the vulnerability stems from an error in the way maliciously crafted files are handled, and that it has been used to deliver information-stealing malware such as ACR Stealer and Lumma Stealer.

FortiGuard Labs researcher Cara Lin states in the newly published analysis that “initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing an HTA script. Once executed, the script decodes and decrypts PowerShell code to retrieve the final URLs, decoy PDF files, and a malicious shell code injector.”
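The chain Lin describes ends with an HTA script that spawns PowerShell, which is the point in the sequence a defender can most reliably see in process telemetry. The following detection logic is an added example written for this page, not code from FortiGuard Labs or from the Fortinet analysis. It assumes process-creation records shaped loosely like a Sysmon Event ID 1 entry (pid, parent pid, image path, command line); every path, pid and command line in the sample data is constructed. The URL-file and LNK stages are deliberately not modelled, because shortcut resolution by Explorer usually does not appear as a separate process; instead the rule looks for the later, process-visible stages: an executable running from a user-writable directory, an HTA host beneath it, and PowerShell beneath that.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed process-creation records (assumed shape, loosely modelled on a
# Sysmon Event ID 1 record). Every path, name, pid and argument here is made up.
EVENTS: List[Event] = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Benign: PowerShell started directly by the user from the shell.
    {"pid": 20, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\scripts\backup.ps1"},
    # Chain resembling the article's description: a downloaded executable under
    # the user profile launches an HTA host, which then spawns PowerShell.
    {"pid": 30, "ppid": 10, "image": r"C:\Users\alice\Downloads\report.exe",
     "cmdline": "report.exe"},
    {"pid": 31, "ppid": 30, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"},
    {"pid": 32, "ppid": 31,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJD"},
]


def _base(image: object) -> str:
    """Lower-cased file name of an image path."""
    return ntpath.basename(str(image)).lower()


# Each stage is a predicate over one event. Order matters: a hit requires the
# stages to appear on the process lineage in this order (root -> leaf).
STAGES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("user_dir_exe", lambda e: re.search(r"\\users\\[^\\]+\\", str(e["image"]), re.I) is not None
                               and _base(e["image"]).endswith(".exe")),
    ("hta_host",     lambda e: _base(e["image"]) == "mshta.exe"
                               or re.search(r"\.hta\b", str(e["cmdline"]), re.I) is not None),
    ("powershell",   lambda e: _base(e["image"]) in {"powershell.exe", "pwsh.exe"}),
]


def lineage(events: List[Event], pid: int) -> List[Event]:
    """Ancestor chain of `pid`, root first, ending with the process itself.
    A `seen` set guards against pid reuse producing a cycle in the parent map."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[Event] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    return chain


def stages_on_lineage(events: List[Event], pid: int) -> List[str]:
    """Walk the lineage root -> leaf and accept each stage only once all
    earlier stages have already matched, so ordering is enforced."""
    labels: List[str] = []
    idx = 0
    for e in lineage(events, pid):
        if idx < len(STAGES) and STAGES[idx][1](e):
            labels.append(STAGES[idx][0])
            idx += 1
    return labels


def find_suspicious(events: List[Event]) -> List[int]:
    """PIDs whose lineage completes every stage: PowerShell spawned by an HTA
    host that was itself launched from a user-writable path."""
    return [e["pid"] for e in events
            if len(stages_on_lineage(events, e["pid"])) == len(STAGES)]


if __name__ == "__main__":
    for pid in find_suspicious(EVENTS):
        print(pid, " -> ".join(stages_on_lineage(EVENTS, pid)))
```

Only the final process of the chain (pid 32) is reported; the user-launched PowerShell instance (pid 20) has no HTA host or user-directory executable in its ancestry and is left alone. In practice the stage predicates would be tuned to the telemetry actually available, and a hit is a triage signal to be paired with the other controls the article's commentators describe, not a verdict on its own.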

Different injectors and decoy PDFs are used to evade detection; regions targeted so far include North America, Spain and Thailand.

The ACR Stealer malware is particularly nasty and can target applications as diverse as Google Chrome, Microsoft Edge, Mozilla Firefox, crypto wallets, Telegram, Signal, WhatsApp, BitWarden, 1Password, AnyDesk and MySQL Workbench to name but a few.

Experts: SmartScreen bypass emphasises importance of layered security defences

Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start, warns that “this vulnerability has been actively exploited by multiple threat groups, emphasising the need for users to exercise caution and maintain updated security software”.

Even though the vulnerability itself has now been patched, understanding the tactics, techniques and procedures (TTPs) of malicious actors remains critical to identifying personal business risk, according to Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit.

“It’s essential to employ an intelligence-driven program, mapping TTPs to your defensive infrastructure and maturity to ensure not only user awareness but also preventive technology controls and visibility,” he said. “Pay attention also to industry standard best practices of threat and vulnerability patch management to keep your organisation safe.”

Mr Ngoc Bui, Cybersecurity Expert at Menlo Security, concludes that CVE-2024-21412 reveals the persistent and evolving nature of cyber threats targeting Microsoft’s SmartScreen.

“It demonstrates that attackers are constantly refining their tactics to bypass traditional security measures and deliver malicious payloads to high-value targets,” said Bui. “This highlights the need for proactive threat intelligence and layered defences to protect against these sophisticated attacks.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
