SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Trend Micro uncovers Water Hydra's Windows Defender exploit
Thu, 15th Feb 2024

Global cybersecurity expert Trend Micro revealed a critical vulnerability in Microsoft Windows Defender. The active zero-day vulnerability, discovered on New Year's Eve, 2023, is being exploited by the cyber threat group Water Hydra and is a significant concern for millions of users worldwide.

Trend discovered this vulnerability (CVE-2024-21412) and automatically protected its customers from January 1, 2024. Organisations are strongly advised to take immediate action in response to the ongoing active exploitation of this vulnerability by cyber criminals.

Mark Houpt, CISO at Databank, highlighted Trend's importance in their cybersecurity strategy: "We have experienced first-hand the advantages of being under the protective umbrella of Trend Micro. Their unparalleled threat intelligence allows us to be proactively shielded against emerging threats."

"By implementing their virtual patches, we've managed to stay ahead of potential exploit attempts, securing our systems and allowing our customers to have confidence that their systems are secured long before official patches become available," said Mark Houpt. 

Trend Micro consistently protects its customers by issuing virtual patches an average of 51 days before patches are released by vendors, including this zero-day for Microsoft. In comparison, other vendors typically protect their customers after an average time of 96 days. Trend estimates that customers who applied all virtual patches in 2023 saved an average of AUD $1 million for their enterprise.

Mick McCluney, Technical Director ANZ at Trend, further emphasised the criticality of zero-day vulnerabilities, noting, "Zero-day vulnerabilities are an increasingly popular way for threat actors to achieve their goals. This is one reason we invest so deeply in threat intelligence, so we can keep our customers protected months before official vendor patches are released."

The crucial risk lies in the potential exploitation of these vulnerabilities by bad actors. The one currently being exploited by Water Hydra is designed to infect victims with the DarkMe remote access trojan (RAT) for potential data theft and ransomware, particularly compromising foreign exchange traders participating in the high-stakes currency trading market.

Trend's proactive approach to risk management leans into the robust intrusion prevention system (IPS) capabilities that deliver virtual patching by completely blocking the exploitation of CVE-2024-21412. This reduces the need for last-minute reactive measures and ensures customers are well-prepared to mitigate risks with confidence.

In contrast, organisations relying solely on conventional endpoint detection and response (EDR) approach risk exposure to threats, particularly if attackers leverage advanced techniques to evade detection.

Furthermore, Trend's Zero Day Initiative (ZDI), the world's most extensive vendor-agnostic bug bounty programme, offers invaluable intelligence for their virtual patching. This program has become increasingly critical, given two key trends: zero-day vulnerabilities discovered by cybercrime groups are increasingly employed in attack chains by nation-state groups, and these groups can easily identify and bypass narrow vendor patches.