25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

APT Group Actively Exploiting Windows MSHTML Platform Zero Day Flaw

Posted By on Sep 17, 2024

A vulnerability patched by Microsoft on September Patch Tuesday is being exploited to deliver information stealing malware. The Microsoft Windows MSHTML Platform spoofing vulnerability is tracked as CVE-2024-43461 and has a CVSS base score of 8.8 (high severity). The vulnerability is rated as important by Microsoft, which stated that the vulnerability had not been exploited in attacks.

Microsoft has now updated its advisory to confirm that the vulnerability has been exploited before July 2024 in an exploit chain with a second MSHTML spoofing vulnerability, CVE-2024-38112, a patch for which was released in its July 2024 security updates to break the attack chain. Trend Micro Zero Day Initiative’s Peter Girnus was aware that the flaw had been exploited but assumed that the patch to fix the CVE-2024-38112 vulnerability had successfully killed the attack chain and prevented exploitation; however, when the CVE-2024-38112 patch was reversed, he realized the issue had not been fixed and alerted Microsoft.

The vulnerability allows an attacker to cause the browser to display erroneous data and ultimately remotely execute code on unpatched Windows systems. In order to exploit the vulnerability, an attacker must convince a user to open a maliciously crafted file or visit a malicious web page. According to Girnus, the flaw is due to how Internet Explorer prompts a user after a file is downloaded. “A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.”

The vulnerability is known to have been exploited by the Void Banshee Advanced Persistent Threat (APT) group to deliver malicious HTA files disguised as PDF documents, that deliver malware capable of stealing passwords, authentication cookies, and cryptocurrency wallets. The U.S. Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog and has given federal agencies three weeks to ensure the vulnerability is patched. In order to fully protect against exploitation, both the July 2024 and September 2024 security updates should be applied.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist