Attackers target vulnerabilities in Microsoft's MSHTML and WhatsUp Gold
The US IT security agency CISA warns of attacks on security vulnerabilities in Microsoft's MSHTML and Progress WhatsUp Gold.
(Image: created with AI in Bing Designer by heise online / dmk)
Cybercriminals are attacking vulnerabilities in Progress WhatsUp Gold and in Microsoft's MSHTML. The US IT security agency CISA has issued a warning to that effect.
Two weeks ago, Progress released updated software that, among other things, closes critical vulnerabilities in the WhatsUp Gold network monitoring software. One of them is an SQL injection that allows unauthenticated attackers to retrieve a user's encrypted password (CVE-2024-6670, CVSS 9.8, risk "critical"). A second vulnerability (CVE-2024-6671) carries identical key data, but CISA currently reports observed attacks only on the first one.
Microsoft MSHTML vulnerability attacked
Attacks on a platform spoofing vulnerability in the MSHTML component of Windows have also been observed. Microsoft has updated the entry for the vulnerability, which was closed by the September Patch Tuesday updates (CVE-2024-43461, CVSS 8.8, risk "high"). The vulnerability affects all supported versions of Windows, and on Windows Server 2008, 2008 R2, 2012 and 2012 R2 it additionally affects the Internet Explorer components, where the fix ships with the cumulative IE updates that carry the MSHTML component. The vulnerability was exploited in combination with CVE-2024-38112, which has the same description and was patched with the July Patch Tuesday update. According to Microsoft's CVE entry, the July fix already broke the attack chain, but full protection is only guaranteed once both updates are installed.
Neither CISA nor the vendors describe what the specific attacks look like or how potentially affected organizations can recognize them. It is known, however, that the North Korean cyber gang Void Banshee has abused the MSHTML vulnerability to attack targets in Europe, Southeast Asia and North America, aiming at information theft and financial gain. Trend Micro's Zero Day Initiative (ZDI) reports that the attackers installed an infostealer called Atlantida Stealer on compromised devices. The analysis also shows how the attackers were able to reach Internet Explorer, and the vulnerabilities in it, through MSHTML even though IE has been disabled since 2022: the browser was retired but never uninstalled, and its rendering components, which Edge still uses in a sandbox, remain on the system.
IT managers should download and install the available updates promptly. This reduces the attack surface available to malicious actors.
(dmk)