Copy2Pwn Zero-Day Exploited to Bypass Windows Protections


Trend Micro’s Zero Day Initiative (ZDI) has detailed a recently patched zero-day vulnerability that cybercriminals have exploited to bypass Windows protections. 

The flaw, tracked as CVE-2024-38213 and named Copy2Pwn by ZDI, was fixed by Microsoft in June 2024, but it was only disclosed when the tech giant released the August 2024 Patch Tuesday updates. It was one of the six zero-days disclosed with this round of updates. 

ZDI’s threat hunting team discovered CVE-2024-38213 during its analysis of attacks conducted as part of a DarkGate campaign by a threat group tracked as Water Hydra (also known as DarkCasino).

This threat actor had previously exploited another zero-day, CVE-2024-21412, an internet shortcut (.url) file security feature bypass that also defeated Defender SmartScreen, in attacks aimed at financial market traders.

According to Microsoft, the newly patched vulnerability, CVE-2024-38213, can be exploited to bypass Defender SmartScreen, which protects Windows users against phishing, malware and other potentially malicious files downloaded from the internet. 

The Copy2Pwn flaw is related to how files coming from WebDAV shares are handled during copy/paste operations. 

WebDAV, which stands for Web-based Distributed Authoring and Versioning, is an extension of HTTP that adds authoring, sharing and versioning of remote files. Users can host files on WebDAV shares and access them through a web browser or, via the Windows WebClient service, through Windows Explorer as if they were a network share.

When a Windows user downloads a file from the web, that file gets assigned the Mark-of-the-Web (MotW), stored on NTFS as a Zone.Identifier alternate data stream that records the file’s origin zone. The presence of this mark triggers additional security checks before the file is opened, including Defender SmartScreen and Office Protected View.


Cybercriminals noticed that files copied from a WebDAV share and pasted into a local folder did not get the MotW, so the local copies looked like locally created files rather than internet downloads.

“This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View. In particular, this means that there would be no reputation or signature checks on executables,” ZDI explained.
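The following PowerShell is an added example, not code from ZDI or Microsoft, that shows how a defender can check whether a file carries the MotW, re-apply it to files that arrived without one, and audit the WebClient service that mounts WebDAV shares in Explorer. The Desktop path and file extension list are assumptions; everything else uses standard cmdlets.

```powershell
# Added example (not from the original article). Requires Windows and an NTFS volume.
# MotW is the "Zone.Identifier" alternate data stream; its body looks like:
#   [ZoneTransfer]
#   ZoneId=3
# ZoneId 3 = Internet zone, which is what triggers SmartScreen and Protected View.

function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId as an int, or $null when the file has no Zone.Identifier stream
    # (the Copy2Pwn condition: a file from a WebDAV share that was never marked).
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotW {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Stamp (or overwrite) the Zone.Identifier stream so SmartScreen/Protected View
    # treat the file as an internet download again. Unblock-File does the reverse.
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

function Find-UnmarkedFiles {
    param(
        [Parameter(Mandatory)][string]$Folder,
        # Assumed list of risky types; adjust to your environment.
        [string[]]$Extensions = @('.exe', '.dll', '.lnk', '.js', '.vbs', '.hta', '.docm', '.xlsm')
    )
    # Lists files of interest that carry no MotW. These are candidates for files that
    # were pasted from a WebDAV share (or otherwise arrived without a Zone.Identifier).
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Where-Object { $null -eq (Get-MotWZone -Path $_.FullName) }
}

# --- Usage (paths are assumptions) ---
$desktop = Join-Path $env:USERPROFILE 'Desktop'

# 1. Which risky files on the desktop have no MotW?
$unmarked = Find-UnmarkedFiles -Folder $desktop
$unmarked | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Re-apply MotW to each of them so the normal checks run when they are opened.
foreach ($file in $unmarked) {
    Set-MotW -Path $file.FullName -ZoneId 3
    "{0}: ZoneId now {1}" -f $file.Name, (Get-MotWZone -Path $file.FullName)
}

# 3. Audit the WebClient service: it is what lets Explorer browse WebDAV shares.
#    Disabling it is a common hardening step on endpoints that do not need WebDAV,
#    but it also breaks legitimate WebDAV use (e.g. some SharePoint "Open in Explorer" flows).
Get-Service -Name WebClient | Select-Object Name, Status, StartType
# To disable (run elevated, after confirming WebDAV is not needed):
#   Stop-Service -Name WebClient
#   Set-Service -Name WebClient -StartupType Disabled
```

Re-stamping files is a stopgap for machines that have not yet received the June 2024 fix; it does not change how Explorer handles future copies from WebDAV shares, which is what the patch addresses.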

