Microsoft Releases December Security Updates: Microsoft has patched a security hole that malicious actors used to bypass Windows SmartScreen and spread the Magniber ransomware and Qbot malware.
Security features like Protected View in Microsoft Office rely on MOTW tagging, but an attacker “may construct a malicious file that would circumvent Mark of the Web (MOTW) safeguards,” Redmond said on Tuesday.
Microsoft claims that there are just three ways in which this security hole might be exploited:
- In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
- In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the bypass.
- Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.
All of these CVE-2022-44698 exploits require, however, that the target be tricked into opening malicious files or visiting attacker-controlled websites. According to a statement Microsoft gave BleepingComputer in late October, the firm has been working on a remedy for this actively exploited zero-day vulnerability ever since. Microsoft shipped security updates that address the zero-day as part of the December 2022 Patch Tuesday.
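Because the bypass turns on whether the Mark of the Web is present and honoured, a useful defender check is to look at the tag itself: on NTFS it is an alternate data stream named Zone.Identifier holding an INI-style [ZoneTransfer] section whose ZoneId says which URL security zone the file came from (3 = Internet, 4 = Restricted Sites trigger SmartScreen and Protected View; 0-2 do not). The script below is an added example, not code from this article or from Microsoft: it parses that stream, summarises what the tag means for a file, and reads the real stream when run on Windows. The sample stream contents, file names and `example.test` URLs are constructed placeholders.

```python
"""Inspect Mark of the Web (MOTW) tags: the Zone.Identifier alternate data
stream Windows attaches to downloaded files, which SmartScreen and Office
Protected View consult before opening them."""
import sys
from typing import Dict, Optional

# URL security zone ids as used by Windows (URLZONE_* values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict of the keys found (ZoneId, HostUrl, ReferrerUrl, ...).
    Keys outside the [ZoneTransfer] section are ignored.
    """
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def classify_motw(stream_text: Optional[str]) -> str:
    """Summarise what a file's MOTW tag tells a defender.

    stream_text is the Zone.Identifier content, or None when the stream is
    absent (the file is treated as local and SmartScreen does not evaluate it).
    """
    if stream_text is None:
        return "no MOTW: file will open without SmartScreen/Protected View checks"
    fields = parse_zone_identifier(stream_text)
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        return "malformed MOTW: ZoneId missing or not numeric"
    name = ZONE_NAMES.get(zone, f"unknown zone {zone}")
    if zone >= 3:
        origin = fields.get("HostUrl") or fields.get("ReferrerUrl") or "unknown origin"
        return f"tagged {name}: SmartScreen/Protected View apply (from {origin})"
    return f"tagged {name}: treated as trusted, no SmartScreen prompt"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS (the 'path:Zone.Identifier'
    syntax). Returns None when the stream is absent or when not on Windows."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample streams standing in for files in a downloads folder.
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    "report.docx": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                   "HostUrl=https://example.test/report.docx\r\n",
    "installer.js": None,                          # no tag at all
    "notes.txt": "[ZoneTransfer]\r\nZoneId=1\r\n",  # intranet origin
    "broken.zip": "[ZoneTransfer]\r\nZoneId=\r\n",  # tag present but unusable
}


def audit(samples: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return a verdict per file name from its (possibly missing) stream text."""
    return {name: classify_motw(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_STREAMS).items():
        print(f"{name:14} {verdict}")
```

On a Windows host, replace the constructed dictionary with `{p: read_zone_identifier(p) for p in paths}` over the files you want to audit; any file that arrived from the internet but reports "no MOTW" or "malformed MOTW" is worth a closer look, since that is exactly the state in which SmartScreen will not warn.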
Exploited in malware attacks
Microsoft has fixed a zero-day vulnerability exploited to bypass the Windows SmartScreen security feature to deliver Magniber ransomware and Qbot malware. https://t.co/jQ1kMp5bjX pic.twitter.com/WfewxofuC4
— Sergiu Gatlan (@serghei) December 14, 2022
As a result, the Magniber ransomware would be installed without any security warnings from SmartScreen, even though the file was tagged with the Mark of the Web.
As we reported last month, the same Windows zero-day vulnerability was used in phishing attacks to distribute the Qbot malware without triggering MOTW security alerts.
It’s Patch Tuesday. But at least it’s the last one for 2022! 🍻 https://t.co/irYo6G823Z
— Mary Jo Foley (@maryjofoley) December 13, 2022
ProxyLife, a security firm, discovered that the bad actors behind the current QBot phishing campaign shifted to exploiting a zero-day in Windows by distributing JS files signed with the same flawed key used in the Magniber ransomware attacks.
QBot (also known as Qakbot) is a Windows banking trojan that has evolved into a malware dropper: it can harvest emails for use in later phishing attempts or deliver other payloads such as Brute Ratel and Cobalt Strike.
New by me @Forbes: the latest Patch Tuesday security update is out, and includes a fix for another Mark of the Web zero-day, this one bypassing Windows SmartScreen. #infosec #Windows10 #Windows11 #tech #news https://t.co/WhpbUz0rWO
— Davey Winder (@happygeek) December 14, 2022
QBot is currently believed to have worked with the Egregor, ProLock, and Black Basta ransomware operations to compromise their victims’ corporate networks.
🚨December 13, 2022, #MSFT #PatchTuesday “B”🏁
⚙️Get 🧰#CumulativeUpdate‘s for Windows 11 Version #22H2/#21H2 and for Windows 10 Version 1507, 1607, 1809, 20H2/21H1/21H2/22H2 as well as for Windows Server 2016/2019/2022 #LTSC on #MicrosoftUpdateCatalog🎅👉 https://t.co/nygRr3aUtb pic.twitter.com/Jo6pqEIVBq
— 🔮WZor👁️ (@WZorNET) December 13, 2022
On December 2022 Patch Tuesday, Microsoft addressed a zero-day vulnerability (CVE-2022-44710) that, if exploited, would grant attackers SYSTEM rights on unpatched Windows 11 machines.