CISA Warns of Actively Exploited Windows, Adobe Acrobat Vulnerabilities
CISA adds two new vulnerabilities to its KEV catalog: a Windows SmartScreen bypass (CVE-2024-21412) and an Adobe Acrobat Reader code execution flaw (CVE-2024-20662), both under active exploitation.

Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new, actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them by April 16, 2024. The first, tracked as CVE-2024-21412, is a security bypass flaw in the Microsoft Windows SmartScreen feature. The second, CVE-2024-20662, is a critical remote code execution vulnerability in Adobe Acrobat Reader DC. Both are confirmed to be under active attack, though the specific threat actors and campaigns leveraging them remain undisclosed by CISA.
Technical Analysis
CVE-2024-21412 is an internet shortcut file security feature bypass vulnerability in Microsoft Windows SmartScreen. According to Microsoft's advisory, an attacker could craft a malicious file to bypass the SmartScreen user experience, which is designed to warn users before opening unrecognized or potentially dangerous files from the internet. Successful exploitation could allow an attacker to deliver malware without the typical security warnings, effectively tricking users into executing malicious code. Microsoft patched this vulnerability in its February 2024 Patch Tuesday updates, rating it as important with a CVSS score of 8.1.
CVE-2024-20662 is an out-of-bounds write vulnerability in Adobe Acrobat Reader DC versions 2023.008.20470 and earlier, as well as 2020.008.20513 and earlier. Adobe's advisory states that exploitation could lead to arbitrary code execution in the context of the current user. An attacker would need to convince a user to open a specially crafted PDF file, which could then trigger the vulnerability. Adobe patched this flaw in January 2024, assessing it as critical with a priority rating of 2. The vulnerability has a CVSS base score of 7.8.
Tactics, Techniques & Procedures
Based on the nature of the vulnerabilities, the likely exploitation chain involves initial access techniques. For CVE-2024-21412, an attacker would likely use Phishing (T1566) to deliver a malicious internet shortcut file. The exploitation would constitute a User Execution: Malicious File (T1204.002) technique, with the flaw enabling a bypass of the Indicator Removal: File Deletion (T1070.004) sub-technique as it circumvents a security warning. For CVE-2024-20662, exploitation also aligns with User Execution: Malicious File (T1204.002), delivered via phishing or compromised websites, leading to Exploitation for Client Execution (T1203). The ultimate goal in both cases is likely to establish initial footholds for follow-on actions like data theft or ransomware deployment.
Threat Actor Context
The specific threat actors exploiting these vulnerabilities are not named in the CISA bulletin or source material. The fact that CISA has confirmed active exploitation and mandated patching for federal agencies indicates that these flaws are being used in real-world attacks. Such vulnerabilities are valuable commodities for a wide range of adversaries, including state-sponsored advanced persistent threat (APT) groups, cybercriminal ransomware operators, and initial access brokers. The lack of public attribution suggests the exploits may be used in limited, targeted campaigns or are part of broader, less-discussed criminal toolkits.
Mitigations & Recommendations
The primary and most critical mitigation is immediate patching. Federal agencies are bound by CISA's Binding Operational Directive (BOD) 22-01 to apply patches for these CVEs by April 16, 2024. All organizations should prioritize this action:
- Apply the Microsoft security updates from February 2024 to address CVE-2024-21412.
- Update Adobe Acrobat Reader DC to version 2024.001.20615 or later to address CVE-2024-20662.
Additional defensive measures include:
- Implementing application allowlisting to prevent execution of unapproved software, including malicious PDF readers or scripts.
- Enforcing network segmentation and robust endpoint detection and response (EDR) to limit lateral movement and detect post-exploitation activity.
- Conducting user awareness training focused on recognizing phishing attempts and the dangers of opening files from unknown sources, even if no immediate security warning appears.
- Blocking internet shortcut (.url) files at the email gateway if they are not required for business operations.
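As an added defender-side example (not from the CISA bulletin or this article), the following Python check implements the last recommendation above: it walks a message's attachments, including members of ZIP archives, and reports every internet shortcut (.url) file so a gateway rule can quarantine the message. The sample message, attachment names and URL are constructed inline for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def _build_sample_eml() -> bytes:
    """Constructed sample: a harmless PDF plus a ZIP that wraps a .url file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension and upper-case ".URL" are deliberate: the check must not rely on case.
        zf.writestr("Invoice_2024.PDF.URL", "[InternetShortcut]\r\nURL=https://example.test/\r\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return bytes(msg)


SAMPLE_EML = _build_sample_eml()


def find_url_shortcuts(raw: bytes, max_depth: int = 3) -> list[str]:
    """Return paths (attachment[/zip member...]) of .url files, descending into nested ZIPs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        _scan(name, part.get_payload(decode=True) or b"", hits, max_depth)
    return hits


def _scan(path: str, data: bytes, hits: list[str], depth: int) -> None:
    if path.lower().endswith(".url"):
        hits.append(path)
    # Only recurse into real ZIP containers, and bound the depth against zip-in-zip nesting.
    if depth <= 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                _scan(f"{path}/{info.filename}", zf.read(info), hits, depth - 1)


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold any message carrying an internet shortcut file."""
    return bool(find_url_shortcuts(raw))
```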

