The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal agencies to secure their systems against a recently patched zero-day vulnerability in Windows, known as MSHTML (CVE-2024-43461). This flaw was exploited by the hacking group Void Banshee in a series of infostealer malware attacks.
Initially disclosed during Microsoft’s Patch Tuesday, CVE-2024-43461 was not initially flagged as actively exploited. However, new findings have prompted Microsoft to update their advisory, confirming that attackers had exploited the vulnerability before it was patched. These attacks were part of a chain that also involved another vulnerability, CVE-2024-38112.
According to a recent report, the Void Banshee group used this zero-day vulnerability to deliver malicious files designed to steal sensitive information. The flaw allows remote attackers to run arbitrary code on unpatched systems by tricking users into visiting harmful websites or opening disguised files. A key tactic involved hiding the file’s true extension using encoded braille whitespace characters, making dangerous files appear harmless.
Once the flaw was exploited, attackers deployed malware capable of stealing passwords, authentication tokens, and even cryptocurrency wallets. This malware, identified as Atlantida, has been linked to attacks targeting organizations across North America, Europe, and Southeast Asia. The hacker group responsible, Void Banshee, is known for financially motivated cyber campaigns aimed at stealing data from vulnerable systems.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has ordered federal agencies to secure their systems by October 7, 2024, following Binding Operational Directive 22-01. These types of vulnerabilities pose a severe risk to the federal network, and the agency has urged both public and private organizations to prioritize patching the flaw.
Beyond federal agencies, private businesses worldwide are strongly encouraged to mitigate this vulnerability to avoid ongoing and future attacks. Microsoft has also patched several other critical vulnerabilities, including one exploited in LNK stomping attacks, highlighting the importance of keeping systems updated.
To prevent such attacks, organizations should ensure they are regularly applying the latest security patches and updates. Monitoring network traffic for unusual activity, particularly related to suspicious file downloads, is essential.