
Microsoft has another go at closing security hole exploited by Magniber ransomware


March 15, 2023


In its latest Patch Tuesday bundle of security fixes, Microsoft has patched a security flaw that was being used by the Magniber cybercrime gang to help them infect computers with ransomware.

On Tuesday, Google's Threat Analysis Group (TAG) shared its investigation into how the financially-motivated hackers had been exploiting a zero-day vulnerability to bypass checks by Microsoft's SmartScreen security feature.

Google's experts had discovered that cybercriminals could sign their malicious MSI files with an invalid but specially-crafted Authenticode signature that could cause the untrusted files downloaded from the internet not to trigger a security warning dialog.
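As an added, defender-side example (not part of the article), this PowerShell snippet audits the current user's Downloads folder for MSI files that carry the Mark-of-the-Web and an Authenticode signature that Windows reports as anything other than Valid or NotSigned, the combination the bypass described above relied on. The Downloads path and the zone threshold are assumptions.

```powershell
# Added example (not from the article): list downloaded MSI files whose
# Authenticode signature Windows rejects. SmartScreen is supposed to warn on
# such files; this check does not depend on SmartScreen's own verdict.
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed location

Get-ChildItem -Path $downloads -Filter *.msi -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_

    # The Zone.Identifier alternate data stream is the Mark-of-the-Web.
    # ZoneId 3 = Internet, 4 = Restricted sites; absent on local files.
    $zoneText = Get-Content -Path $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    $zoneId   = if ($zoneText -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }

    # Status is Valid for a good signature, NotSigned for none, and values
    # such as HashMismatch, UnknownError or Incompatible for a malformed one.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    [pscustomobject]@{
        File       = $file.FullName
        ZoneId     = $zoneId
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Came from the internet and carries a signature that does not verify:
        # the pattern the article attributes to the Magniber MSI files.
        Suspicious = ($zoneId -ge 3) -and ($sig.Status -notin 'Valid', 'NotSigned')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Unsigned internet downloads still trigger a normal SmartScreen prompt, so they are not flagged here; extend the filter if you also want to review them.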

According to the TAG team, over 100,000 of the malicious MSI files have been seen being downloaded since January 2023. Microsoft was informed of the problem on February 15, 2023, and its Patch Tuesday fix for the vulnerability (named CVE-2023-24880) was released this week.

What's somewhat embarrassing for Microsoft is that a related flaw in Windows SmartScreen was spotted by a security researcher last August, which Microsoft duly patched in December 2022 as CVE-2022-44698.

That flaw had also been used to spread the Magniber ransomware, and had also been used by a different group of cybercriminals to distribute the Qakbot malware.

What has now become clear is that within just one month, there was evidence that cybercriminals had found a way to waltz past Microsoft's patch and exploit the security holes in SmartScreen.

In its blog post, Google explained that if software developers wrote patches that were too specific, there was a danger they wouldn't fix the underlying problem in their code:

...vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants. When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.

Hopefully the patch will prove sufficient this time to prevent the Magniber ransomware gang and other cybercriminals from exploiting the flaw in SmartScreen to assist their attacks. As ever, our recommendation for individuals and companies is to keep their systems updated with the latest security patches and follow safe computing practices.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
