www.helpnetsecurity.com Open in urlscan Pro
34.218.126.5  Public Scan

Submitted URL: https://www.helpnetsecurity.com/?p=311626%27
Effective URL: https://www.helpnetsecurity.com/2024/09/16/cve-2024-43461-exploited/
Submission: On September 16 via api from US — Scanned from DE

Form analysis 2 forms found in the DOM

POST

<form id="mc4wp-form-1" class="mc4wp-form mc4wp-form-298002 mc4wp-ajax" method="post" data-id="298002" data-name="Breaking news">
  <div class="mc4wp-form-fields"><img decoding="async" class="aligncenter" title="OPIS" src="https://img2.helpnetsecurity.com/posts2024/devider.webp" alt="OPIS">
    <img decoding="async" src="https://img2.helpnetsecurity.com/posts2024/newsletter_ad-550x98px_5.webp" class="aligncenter" alt="OPIS" title="OPIS">
    <br>
    <label>
      <input type="email" name="EMAIL" size="35" placeholder="Please enter your e-mail address" required="">
    </label> <input type="submit" value="Subscribe">
    <p></p>
    <p>
      <label>
        <input type="checkbox" name="AGREE_TO_TERMS" value="1" required=""> I have read and agree to the <a href="https://www.helpnetsecurity.com/privacy-policy/#personalized" target="_blank" rel="noopener">terms &amp; conditions</a>
      </label>
      <img decoding="async" class="aligncenter" title="OPIS" src="https://img2.helpnetsecurity.com/posts2024/devider.webp" alt="OPIS">
    </p>
  </div><label style="display: none !important;">Leave this field empty if you're human: <input type="text" name="_mc4wp_honeypot" value="" tabindex="-1" autocomplete="off"></label><input type="hidden" name="_mc4wp_timestamp"
    value="1726515306"><input type="hidden" name="_mc4wp_form_id" value="298002"><input type="hidden" name="_mc4wp_form_element_id" value="mc4wp-form-1">
  <div class="mc4wp-response"></div>
</form>

POST

<form id="mc4wp-form-2" class="mc4wp-form mc4wp-form-244483 mc4wp-ajax" method="post" data-id="244483" data-name="Footer newsletter form">
  <div class="mc4wp-form-fields">
    <div class="hns-newsletter">
      <div class="hns-newsletter__top">
        <div class="container">
          <div class="hns-newsletter__wrapper">
            <div class="hns-newsletter__title">
              <i>
                        <svg class="hic">
                            <use xlink:href="#hic-plus"></use>
                        </svg>
                    </i>
              <span>Cybersecurity news</span>
            </div>
          </div>
        </div>
      </div>
      <div class="hns-newsletter__bottom">
        <div class="container">
          <div class="hns-newsletter__wrapper">
            <div class="hns-newsletter__body">
              <div class="row">
                <div class="col">
                  <div class="form-check form-control-lg">
                    <input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="520ac2f639" id="mcs1">
                    <label class="form-check-label text-nowrap" for="mcs1">Daily Newsletter</label>
                  </div>
                </div>
                <div class="col">
                  <div class="form-check form-control-lg">
                    <input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="d2d471aafa" id="mcs2">
                    <label class="form-check-label text-nowrap" for="mcs2">Weekly Newsletter</label>
                  </div>
                </div>
              </div>
            </div>
            <div class="form-check form-control-lg mb-3">
              <input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="28abe5d9ef" id="mcs3">
              <label class="form-check-label" for="mcs3">(IN)SECURE - editor's choice selection of topics (twice per month)</label>
            </div>
            <div class="input-group mb-3">
              <input type="email" name="email" id="email" class="form-control border-dark" placeholder="Please enter your e-mail address" aria-label="Please enter your e-mail address" aria-describedby="hns-newsletter-submit-btn" required="">
              <button class="btn btn-dark rounded-0" type="submit" id="hns-newsletter-submit-btn">Subscribe</button>
            </div>
            <div class="form-check">
              <input class="form-check-input" type="checkbox" name="AGREE_TO_TERMS" value="1" id="mcs4" required="">
              <label class="form-check-label" for="mcs4">
                <span>I have read and agree to the <a href="https://www.helpnetsecurity.com/newsletter/" target="_blank" rel="noopener" class="d-inline-block">terms &amp; conditions</a>
                </span>
              </label>
            </div>
          </div>
        </div>
      </div>
    </div>
  </div><label style="display: none !important;">Leave this field empty if you're human: <input type="text" name="_mc4wp_honeypot" value="" tabindex="-1" autocomplete="off"></label><input type="hidden" name="_mc4wp_timestamp"
    value="1726515306"><input type="hidden" name="_mc4wp_form_id" value="244483"><input type="hidden" name="_mc4wp_form_element_id" value="mc4wp-form-2">
  <div class="mc4wp-response"></div>
</form>

Text Content

 * News
 * Features
 * Expert analysis
 * Videos
 * Events
 * Whitepapers
 * Industry news
 * Product showcase
 * Newsletters

 * 
 * 
 * 


Please turn on your JavaScript for this page to function normally.
Zeljka Zorz, Editor-in-Chief, Help Net Security
September 16, 2024
Share


MICROSOFT CONFIRMS SECOND 0-DAY EXPLOITED BY VOID BANSHEE APT (CVE-2024-43461)



CVE-2024-43461, a spoofing vulnerability affecting Windows MSHTML – a software
component used by various apps for rendering render web pages on Windows – “was
exploited as a part of an attack chain relating to CVE-2024-38112, prior to July
2024,” Microsoft has revealed.

The latter vulnerability was patched by the company in July 2024, and threat
hunters with Trend Micro’s Zero Day Initiative explained that it had been used
by the Void Banshee APT group to deliver Atlantida malware to targets around the
world.


THE ATTACK CHAIN IN ACTION

Based on analyzed samples of malicious files used in the attacks, Check Point
researchers concluded that CVE-2024-38112 had likely been exploited in the wild
for over a year.

CVE-2024-38112 was leveraged to force a URL file (posing as a PDF file) to be
opened with Internet Explorer instead of the Edge browser. The URL lead to a
page controlled by the attackers and triggered the download of a HTA file.

The specially crafted HTA (HTML application) file used CVE-2024-43461 to make it
appead as a PDF file, hiding its true extension and its malicious nature from
the user.

The HTA file carried a script that made use of PowerShell to download and
execute an additional script, create a new process for it, download additional
trojan loaders and deliver the Atlantida info-stealer.


CVE-2024-43461 FIXED

A fix for CVE-2024-43461 was released last week. At the time, Microsoft did not
classify it as “exploited”.

On Friday, though, the company confirmed it had been exploited, as part of an
attack chain that they “broke” by releasing a fix for CVE-2024-38112 in July.

“Customers should both the July 2024 and September 2024 security update to fully
protect themselves,” Microsoft said.






I have read and agree to the terms & conditions

Leave this field empty if you're human:





More about
 * 0-day
 * APT
 * Check Point
 * CVE
 * Microsoft
 * security update
 * Trend Micro
 * vulnerability
 * Windows

Share


FEATURED NEWS

 * Microsoft confirms second 0-day exploited by Void Banshee APT
   (CVE-2024-43461)
 * EchoStrike: Generate undetectable reverse shells, perform process injection
 * Compliance frameworks and GenAI: The Wild West of security standards

eBook: Navigating compliance with a security-first approach



SPONSORED

 * eBook: Cloud security skills
 * Download: The Ultimate Guide to the CISSP
 * eBook: Do you have what it takes to lead in cybersecurity?




DON'T MISS

 * Microsoft confirms second 0-day exploited by Void Banshee APT
   (CVE-2024-43461)
 * EchoStrike: Generate undetectable reverse shells, perform process injection
 * Compliance frameworks and GenAI: The Wild West of security standards
 * The ripple effects of regulatory actions on CISO reporting
 * eBook: Navigating compliance with a security-first approach




Cybersecurity news
Daily Newsletter
Weekly Newsletter
(IN)SECURE - editor's choice selection of topics (twice per month)
Subscribe
I have read and agree to the terms & conditions
Leave this field empty if you're human:

© Copyright 1998-2024 by Help Net Security
Read our privacy policy | About us | Advertise
Follow us
×