New-Japan Business Consulting
Business strategy reports, business matching and M&A in Japan


Zero-day vulnerability in Windows

On 13 February local time, Microsoft published information on CVE-2024-21412, a zero-day vulnerability in Windows.

The vulnerability was reported to Microsoft by Trend Micro’s zero-day vulnerability discovery community ZDI, and has already been confirmed to be exploited by a targeted attack group called Water Hydra (aka DarkCasino). In addition, the same type of vulnerability has been repeatedly exploited in attacks, and it is very likely that many cybercriminals will attack the vulnerability as soon as it is made public. It is therefore recommended that the fix be applied as soon as possible.

What is CVE-2024-21412? CVE-2024-21412 is a zero-day vulnerability in Windows. An attacker can abuse Internet shortcut files (.url) to deliver and run arbitrary malware on the victim's device.
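Because the delivery vehicle described above is an ordinary .url file, a defender's first triage step is simply to parse such files and flag shortcuts whose target is not a plain web link. The following Python script is an added example written for this article, not code from the original page, Microsoft or Trend Micro. It parses the standard InternetShortcut format and applies a generic heuristic (targets using a non-http(s) scheme or a UNC path are flagged); that heuristic is an assumption for triage purposes and is not a description of the exact condition the vulnerability requires. The sample files are constructed inline.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample files (InternetShortcut format) so the example runs offline.
SAMPLES = {
    "report.url": "[InternetShortcut]\r\nURL=https://example.com/report.pdf\r\n",
    "invoice.url": "[InternetShortcut]\r\nURL=file://192.0.2.10/share/invoice.pdf\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=\\\\198.51.100.7\\public\\readme.txt\r\n",
    "notes.txt": "just text\n",  # not a shortcut at all
}

# Assumption: ordinary web links are the only targets treated as benign by this triage rule.
ALLOWED_SCHEMES = {"http", "https"}


def parse_url_shortcut(text):
    """Return the URL= target of an InternetShortcut file, or None if the text is not one."""
    # .url files are INI-style; interpolation is off so '%' in targets is kept verbatim.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # no [section] header or otherwise malformed
    if not cp.has_section("InternetShortcut"):
        return None
    # Option names are case-insensitive in configparser, so "URL" matches "url" too.
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Heuristic classification of a shortcut target (assumed triage rule, see lead-in)."""
    if url is None:
        return "not-a-shortcut"
    if url.startswith("\\\\"):
        # UNC path: the shortcut points at a network share rather than a web page.
        return "suspicious-unc-path"
    scheme = urlsplit(url).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return "ok-web-link"
    return "suspicious-scheme:" + (scheme or "none")


def triage(files):
    """Map each file name to its classification; input is {name: file contents}."""
    return {name: classify_target(parse_url_shortcut(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In practice the `SAMPLES` dictionary would be replaced by the contents of .url attachments pulled from a mail gateway quarantine or an endpoint's download folder; anything other than `ok-web-link` is worth a closer look rather than an automatic block, since legitimate intranet shortcuts can also use UNC paths.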

Scope of impact. All Windows devices that have not yet applied the fix published by Microsoft on 13 February 2024 are affected.

Has CVE-2024-21412 been exploited? In December 2023, CVE-2024-21412 was identified as being exploited by the targeted attack group Water Hydra (aka DarkCasino). We have observed that the attack group DarkGate has attempted to exploit this vulnerability since 25 January 2024.

What is Water Hydra (also known as DarkCasino)? It is a targeted attack group that has been active since around 2021 and is primarily motivated by financial gain. We have observed spear-phishing (fake email) campaigns aimed at specific organisations and individuals at banks, crypto-asset and forex trading platforms, and gambling and casino websites.