Heimdal
Home > Cybersecurity News

Windows Zero-day Exploited for Ransomware Was Fixed

Microsoft Repaired the CVE-2022-44698 Vulnerability on December Patch Tuesday.

Last updated on December 16, 2022

article featured image

Contents:

Microsoft announced an important zero-day that threat actors used for launching ransomware attacks was resolved during the latest Patch Tuesday. The team has been working to find a solution since October.

The CVE-2022-44698 zero-day vulnerability was actively exploited in several attacks that delivered Magniber ransomware and Qbot malware payloads.

How Did Threat Actors Exploit the Windows Zero-day?

According to cyber researchers, malicious stand-alone JavaScript files were used for exploiting the CVE-2022-44698 zero-day, in order to go around Mark-of-the-Web security warnings that Windows displayed to prevent its users that something was wrong.

An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging

Source

Microsoft said the vulnerability could only be exploited over three instances:

  • The threat actor hosts a malicious site that exploits the bypass in a web-based attack
  • Through an email or instant message that would contain a specially crafted URL file to exploit the bypass
  • Through websites that are either compromised, accept, or host the content provided by users that could hold specially crafted content to exploit the security feature bypass.

No matter the method of choice, threat actors had to deceive their targets to open the malicious files or access the attacker-controlled websites with CVE-2022-44698 exploits.

Attacks That Used the CVE-2022-44698 Vulnerability

In October, HP’s threat intelligence team reported the discovery of phishing attacks that stand-alone JS JavaScript files were delivering Magniber ransomware.

The SmartCheck was tricked to allow the malicious files to execute with no warning being displayed and install the Magniber ransomware, although it was MoTW flagged.

The same Windows zero-day was exploited during November for phishing attacks that successfully dropped Qbot malware without any MOTW warnings being displayed.

Cyber researchers claim that the same malformed key used in the Magniber ransomware attacks was used for the JS files used in the QBot phishing campaign.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

What Is Vulnerability Management [Everything You Need to Know]Phishing Attack Strikes Apple Users During Black Friday SalesBlack Basta Ransomware Gang Infiltrates U.S. Companies via Qakbot MalwareNew Windows Zero-Day Vulnerability Lets JavaScript Files Bypass Security WarningsMagniber Ransomware Strikes Again Via Fake Windows Security UpdatesWhat Is a CVE? Common Vulnerabilities and Exposures ExplainedRansomware Explained. What It Is and How It WorksDefining Zero-Day VulnerabilityPhishing attacks explained: How it works, Types, Prevention and Statistics

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V