Microsoft released security updates for Windows yesterday on the March 2023 Patch Day. Among the patched security updates, several of which are rated critical by Microsoft, is a security issue that is exploited actively in the wild.
The issue was reported by Google’s Threat Analysis Group. The threat actor used “an unpatched security bypass in Microsoft’s SmartScreen security feature” to push the Magniber ransomware on user systems.
Google describes the attack in detail, stating that the attackers use “MSI files signed with an invalid but specially crafted Authenticode signature”. While the signature is not valid, it causes a SmartScreen error that “results in bypassing the security warning dialog” that is usually displayed to Windows users when untrusted files with a Mark-of-the-Web are executed on the device.
More than 100,000 downloads of malicious MSI files have been observed by Google since January 2023. More than 80% of these downloads happened in Europe, a “notable divergence from Magniber’s typical targeting”, which is aimed at South East Asia. Google notes that Chrome browser’s Safe Browsing protection has displayed warnings about the download to more than 90% of affected users.
Attackers used a previous SmartScreen bypass last year to attack Windows devices. Security researchers from HP Threat Research and 0Patch provided an analysis of the issue. 0Patch noted that the malicious files had invalid signatures, and that these files should never have been trusted by Windows. The malformed nature of the signature exploited the bug in SmartScreen, which led to Windows trusting the malicious file without showing a warning to the user on execution.
Microsoft released a patch in September, targeted under CVE-2022-44698, and rated the issue as moderate. This initial patch did not address the root cause of the security issue, but addressed only the particular method used by attacks at the time. Google says in its conclusion that “the root cause behind the SmartScreen security bypass was not addressed” and that this allowed the attackers to “quickly identify a variant of the original bug”, which they now use in attacks.
Microsoft tracks the new security issue as CVE-2023-24880 and has rates it as a moderate threat. It remains to be seen if the second security patch released by Microsoft plugs the entire SmartScreen bug, or if in a month or two, another variant emerges that is exploiting yet another way to bypass SmartScreen on Windows.
Google offers detailed information of the attack on its blog.
Windows 10 and 11, as well as Windows Server administrators, may install the March 2023 security updates to patch the issue.