Windows vulnerability CVE-2024-21412: Attacks by the APT group Water Hydra

Windows[German]On 13 February 2024, the Internet Shortcut Files Security Feature Bypass vulnerability CVE-2024-21412 became known. This vulnerability can be used to bypass the SmartScreen in Windows and other products. Microsoft has provided corresponding patches for the supported Windows versions with the February 2024 security updates to fix this vulnerability. Trend Micro now reports that the APT group Water Hydra is exploiting this Internet Shortcut Files Security Feature Bypass vulnerability CVE-2024-21412 for attacks.


Vulnerability CVE-2024-21412

I had already mentioned the vulnerability in the blog post Microsoft Security Update Summary (February 13, 2024). CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass vulnerability that has been classified as important with a CVEv3 score of 8.1. The vulnerability allows bypassing the security feature (the SmartScreen filter) in Internet shortcut files.

To exploit this vulnerability, an attacker must convince the target (e.g. using social engineering) to open a malicious Internet shortcut file designed to bypass the security checks displayed. The user must therefore actively click on a file link for the attack to work. Microsoft has not disclosed details of the vulnerability, but has released security updates to close the vulnerability by 13 February 2024:

  • Update KB5034768: Windows 10 Enterprise 2019 LTSC /Windows Server 2019
  • Update KB5034763: Windows 10 Version 21H1 – 22H2
  • Update KB5034769: Windows Server Version 23H2
  • Update KB5034770: Windows Server 2022
  • Update KB5034765: Windows 11 23H2-22H2
  • Update KB5034766: Windows 11 21H2

After installing the security updates, the vulnerability CVE-2024-21412 should be fixed. The vulnerability bypasses the "SmartScreen", a security feature of all newer Windows installations, which was first introduced by Microsoft with Windows 8. Among other things, this feature introduced a "Mark of the Web (MotW)" flag to identify a file downloaded from the Internet as a potentially dangerous download. The file is then checked by SmartScreen before processing.

Water Hydra targets CVE-2024-21412

Trend Micro notes in an information that the vulnerability CVE-2024-21412 is already being actively exploited by some threat actors. It can be assumed that in three to four weeks) all well-known cyber attackers will most likely attempt to exploit these vulnerabilities.

It looks like the APT group Water Hydra has already exploited the 0-day vulnerability. The APT group Water Hydra is also known as DarkCasino. It first gained attention in 2021 through a series of campaigns targeting the financial sector. It used social engineering in financial trading forums to lure victims. The threat actor carried out targeted attacks on banks, cryptocurrency platforms, forex and stock trading platforms and gambling sites around the world.


The exploitation of the vulnerability is a real 0-day, i.e. a vulnerability that was first found by attackers and for which there was no protection from the manufacturer until Patch Tuesday. It affects all Microsoft Windows products that use this feature. A user is tricked into believing that they are calling up an image. To avoid arousing suspicion, one is actually displayed. However, malicious code is downloaded in the background, infecting the victim's computer. Trend Micro reported the observation to the manufacturer in accordance with the "Responsible Disclosure" Codex, who then developed the patch released in February 2024.

As part of the ongoing threat hunt, Trend Micro discovered that a second group is exploiting the vulnerability. This shows that in many cases it can be difficult to determine how widespread a zero-day vulnerability is being used by threat actors, as it is unknown to the vendor and the general public. Trend Micro has published the blog post SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes on this topic with more details. An article on the Water Hydra attacks can be found in the blog post CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day.

Similar articles:
Microsoft Security Update Summary (February 13, 2024)
Patchday: Windows 10 Updates (February 13, 2024)
Patchday: Windows 11/Server 2022 Updates (February 13, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 13, 2024)

Exchange Server Cumulative Update CU 14 (February 13, 2024)
Warning about critical Outlook RCE vulnerability CVE-2024-21413

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *