Throughout history, the concept of defeating an opponent’s defenses has been central to warfare strategies. From ancient sieges using tunnels and siege engines to modern tactics aimed at neutralizing air defenses before launching a major offensive, the principle remains the same: breach the defenses to open a path for attack. This strategy is just as relevant in the realm of cybersecurity, where attackers aim to compromise security systems themselves, turning protective mechanisms into pathways for initial access, lateral movement or defense evasion.
In cybersecurity, targeting security tools—especially those designed to protect networks and endpoints—is an increasingly used tactic. By exploiting flaws within these security controls, attackers can transform them into conduits for further attacks. Such a tactic offers significant advantages, including bypassing authentication processes, evading detection by security monitors, and escalating privileges to conduct reconnaissance or move laterally within a network. Furthermore, security mechanisms often operate with elevated privileges and broad network access, making them attractive targets.
Over-reliance on certain security products might also allow attackers to extend their reach across various organizations. For example, the recent failure of CrowdStrike’s endpoint detection and response (EDR) tool, which caused widespread global outages, highlights the risks associated with depending too heavily on a single security solution. Although this incident wasn’t the result of a cyber attack, it clearly demonstrates the potential issues that can arise from such reliance.
For years, the cybersecurity community has been aware of the risks posed by vulnerabilities in security products. A notable example from 2015 involved a critical flaw in FireEye’s email protection system, which allowed attackers to execute arbitrary commands and potentially take full control of the device. More recently, a vulnerability in Proofpoint’s email security service was exploited in a phishing campaign that impersonated major corporations like IBM and Disney.
Windows SmartScreen is designed to shield users from malicious software, phishing attacks, and other online threats. Initially launched with Internet Explorer, SmartScreen has been a core part of Windows since version 8. It works by analyzing downloaded files and websites and comparing them against a constantly updated database of known threats. If a file or website appears suspicious, SmartScreen issues a warning before the user proceeds. This protection relies on URL filtering, application reputation, and cloud-based heuristics.
SmartScreen is officially a Microsoft Defender feature and configurable at scale through Microsoft Defender for Endpoint Manager. However, SmartScreen’s integration with the Microsoft Edge browser and other Windows components means it remains active even if Microsoft Defender is not the primary antivirus solution. However, since mid-2023, several vulnerabilities in SmartScreen have been exploited, undermining its ability to prevent attacks.
Since March 2023, at least seven SmartScreen vulnerabilities have been used in various attacks. These flaws have enabled attackers to bypass SmartScreen warnings, tricking users into downloading malicious files. These files have been used for a range of harmful activities, from establishing communication channels with attackers to cryptocurrency mining, information theft, and integrating systems into botnets.
Photo Credit: Zafran
For instance, in March 2023, a vulnerability (CVE-2023-24880) was exploited by the Qakbot malware. This vulnerability, related to an earlier flaw (CVE-2022-44698), was initially used by the Magniber ransomware to target South Korea. The attack involved a specially crafted JavaScript file that bypassed SmartScreen’s warning system. In July 2023, Microsoft patched another SmartScreen vulnerability (CVE-2023-32049) that was being exploited as a zero-day to bypass specific security features.
In November 2023, a critical vulnerability (CVE-2023-36025) was discovered, which had been exploited by both the emerging cybercrime group BattleRoyal and the APT group TA544, known for targeting organizations in Europe and Japan. These attackers hosted malicious URLs on legitimate cloud services, causing Windows to mistakenly identify them as safe. When users clicked on these links, SmartScreen failed to issue warnings, allowing the attackers to deliver a disguised ZIP file containing the Phemedrone malware, a sophisticated information-stealing tool.
By January 2024, another SmartScreen vulnerability (CVE-2024-21412) was exploited in a phishing campaign aimed at trading platforms, orchestrated by the Russian group Water Hydra. The situation escalated in March 2024 when the DarkGate malware, known for bypassing Kaspersky antivirus, widely exploited this vulnerability. Additional vulnerabilities, such as CVE-2024-21351 and CVE-2024-29988, have also been observed in the wild, further demonstrating the ongoing threat to Windows Defender’s SmartScreen.
The ongoing exploitation of Windows SmartScreen vulnerabilities underscores a critical lesson: even the most trusted security controls can be compromised, turning protective measures into potential risks. This situation highlights the importance of continuous vigilance and prompt action to mitigate emerging threats.
To prevent such incidents, organizations should prioritize the detection and investigation of existing SmartScreen vulnerabilities to accurately assess their risk exposure. By thoroughly analyzing the tactics and techniques recently employed by threat actors, they can evaluate the effectiveness of their current security measures across all controls. Most importantly, an automated, comprehensive risk assessment that covers vulnerabilities, threat groups, and controls will empower organizations to strengthen their defenses swiftly and effectively at scale.
About the Author
Yonatan Keller leads the Analyst team for Zafran Security, an innovative threat exposure management company that integrates enterprise security tools to reveal, remediate, and mitigate the risk of exposures across entire infrastructures. Yonatan spent over two decades in the elite IDF intelligence corps and Cyber Defense Directorate, in which he managed a Cyber Threat Intelligence department.
