Microsoft Releases December Security Updates

Microsoft has patched a security hole that malicious actors used to bypass Windows SmartScreen and spread the Magniber ransomware and Qbot malware.

In order to circumvent Windows’ Mark-of-the-Web security warnings, which warn users that files from the Internet should be viewed with caution, the attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day.

Security features like Protected View in Microsoft Office rely on MOTW tagging, but an attacker “may construct a malicious file that would circumvent Mark of the Web (MOTW) safeguards,” Redmond said on Tuesday.

Microsoft claims that there are just three ways in which this security hole might be exploited:

  • In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
  • In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the bypass.
  • Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.

All of these exploits for CVE-2022-44698 require, however, that the target be tricked into opening malicious files or visiting attacker-controlled websites.

According to an announcement made by Microsoft to BleepingComputer in late October, the firm has been working on a remedy for this actively exploited zero-day vulnerability. The company delivered security updates to address this zero-day during the December 2022 Patch Tuesday.
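Because every scenario above ends with a user opening a file that carries the Mark of the Web, a useful defensive inventory is the set of script and shortcut files tagged as coming from the Internet zone. The following Python sketch is an added example, not code from Microsoft or from the original article; it parses the `Zone.Identifier` alternate data stream in which Windows stores the mark, and the extension list, file names and stream contents are constructed assumptions.

```python
import configparser
from pathlib import PurePath

# Assumption: extensions worth triaging; the article names standalone .js and .url files.
RISKY_EXTENSIONS = {".js", ".jse", ".url", ".vbs", ".wsf"}
# URL security zones as Windows numbers them.
ZONES = {0: "Local machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def read_motw(path):
    """Return the raw Zone.Identifier stream for path, or None if absent (NTFS only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_motw(stream_text):
    """Parse stream text into zone details; return None if there is no valid mark."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string((stream_text or "").lstrip("\ufeff"))
        zone_id = int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None  # missing or malformed stream is treated as "no mark"
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "Unknown"),
            "host_url": parser["ZoneTransfer"].get("HostUrl")}

def triage(entries):
    """entries: iterable of (file name, stream text or None). Return files to review."""
    flagged = []
    for name, stream_text in entries:
        mark = parse_motw(stream_text)
        risky = PurePath(name).suffix.lower() in RISKY_EXTENSIONS
        if risky and mark and mark["zone_id"] >= 3:
            flagged.append((name, mark["zone"], mark["host_url"]))
    return flagged

# Constructed sample data: file names and stream contents are illustrative only.
SAMPLE = [
    ("invoice.js", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/invoice.js\r\n"),
    ("notes.txt", "[ZoneTransfer]\r\nZoneId=3\r\n"),   # marked, but not a script type
    ("build.js", None),                                # created locally, no mark
    ("link.url", "[ZoneTransfer]\r\nZoneId=abc\r\n"),  # malformed stream
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On a Windows host, `read_motw()` supplies the stream text for real files; the stream exists only on NTFS volumes, so files copied through other file systems arrive without a mark.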


Exploited in malware attacks

When Will Dormann, a senior vulnerability analyst at ANALYGENCE, noticed that the Magniber ransomware was being spread via phishing attacks employing standalone .JS JavaScript files digitally signed with a flawed key, he notified HP’s threat intelligence team.

Because of this, the Magniber ransomware would be installed without any security warnings from SmartScreen, even though the files were tagged with the Mark of the Web (MOTW).

As we reported last month, the same Windows zero-day vulnerability was used in phishing attacks to distribute the Qbot malware without triggering MOTW security alerts.

ProxyLife, a security firm, discovered that the bad actors behind the current QBot phishing campaign shifted to exploiting a zero-day in Windows by distributing JS files signed with the same flawed key used in the Magniber ransomware attacks.

QBot (also known as Qakbot) is a banking trojan for Windows that has morphed into a malware dropper that may capture emails for use in subsequent phishing attempts or distribute other payloads like Brute Ratel and Cobalt Strike.

As of today, it is believed that QBot collaborated with the Egregor, Prolock, and Black Basta ransomware operations to compromise their victims’ corporate networks.

On December 2022 Patch Tuesday, Microsoft addressed a zero-day vulnerability (CVE-2022-44710) that, if exploited, would grant attackers SYSTEM rights on unpatched Windows 11 machines.
