⚠️ THREAT ALERT: One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches
The briefing summarised the “Patient Zero” webinar, which demonstrated a “one-click” command-and-control (C2) delivery chain built on Outlook COM add-in abuse, chained with what the presenters described as a remote code execution bug in Outlook’s attachment previewer and a privilege-escalation bug in a Windows kernel callback. The briefing cited CVE-2024-21707 and CVE-2024-21531 for those two bugs and CVE-2024-21287 for the replication step. Treat these identifiers as unverified until they are matched against the vendor advisories: CVE-2024-21287 is assigned to an Oracle Agile PLM vulnerability, not to a Windows component, and the page gives no advisory links for the other two. The chain as demonstrated runs as follows. A PowerShell script, reached through a compromised SharePoint link, drops an add-in DLL under %APPDATA%\Microsoft\AddIns and registers it as an Outlook COM add-in. The DLL is signed with a stolen code-signing certificate, which satisfies any publisher-based allow rule (AppLocker publisher rules, or a Windows Defender Application Control policy) that trusts that publisher. When the user opens any Outlook item, the add-in triggers the previewer exploit; Outlook runs as the logged-on user, so the separate kernel exploit is what lifts the payload to SYSTEM, after which a second stage is fetched over HTTPS from a hard-coded C2 domain. The second stage is a memory-only loader that disables security telemetry, injects into lsass.exe to harvest credentials, and then pulls directory secrets from the domain controllers with a DCSync request. That request travels over MS-DRSR, the directory replication RPC interface, not Netlogon, and it is a read operation: it obtains the KRBTGT hash but cannot by itself corrupt anything. The outage the presenters showed comes from the final step described below; the claim that the whole sequence completes within seconds is theirs.
Loading requires no user interaction: Outlook enumerates HKCU\Software\Microsoft\Office\Outlook\Addins\<ProgID> at start-up and loads every entry whose LoadBehavior value is 3. Writing that key needs no elevation, and it is independent of the macro security setting, so the “macro execution enabled” precondition in the original briefing does not apply; a COM add-in is native code and is never subject to macro controls, which is also why the chain needs no user-initiated macro. The stolen certificate defeats AppLocker publisher rules and improves the file’s standing with SmartScreen, although SmartScreen is reputation-based and a valid signature alone does not guarantee it stays silent. The final payload runs netsh advfirewall reset, which returns the host firewall to its default rule set (it removes hardening rules; it does not shut anything down), and then resets the KRBTGT account password so that Kerberos authentication fails across the forest. That reset is a write that needs domain-admin rights the chain must already hold, and because a domain controller honours the previous KRBTGT key for one cycle, it takes two resets in quick succession to invalidate every outstanding ticket. Staging the work this way keeps each component small and short-lived, and it gives single-click activation: the victim opens a legitimate-looking meeting invite, the already-loaded add-in fires, and the chain runs to the end.
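A check for the registration path described above, added here as an example (it is not code from the webinar or from the original briefing): it enumerates the Outlook add-in registry keys, resolves each ProgID to the DLL Outlook will load, and verifies the Authenticode signature against a publisher allow-list. The allow-list contents, the hive list and the `Resolve-AddinDll` / `Get-OutlookAddinReport` function names are assumptions for illustration.

```powershell
# Added example, not code from the webinar or the original briefing: audit the COM add-ins
# that Outlook loads at start-up and flag any whose DLL is missing, unsigned, or signed by a
# publisher outside an allow-list. The allow-list and the hive list are assumptions; extend
# them to match the add-ins your organisation actually deploys.

$AllowedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'  # assumed
)

# Outlook reads add-in registrations from the user hive and from both machine hives
# (WOW6432Node covers 32-bit Office on 64-bit Windows). LoadBehavior 3 = load at start-up.
$AddinKeys = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
)

function Resolve-AddinDll {
    # ProgID -> CLSID -> InprocServer32 default value (the DLL path). The per-user class root
    # is checked first, because that is where an unprivileged dropper can write.
    param([Parameter(Mandatory)][string]$ProgId)
    $classRoots = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'
    foreach ($root in $classRoots) {
        $clsid = (Get-ItemProperty -Path "$root\$ProgId\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { continue }
        foreach ($srvRoot in $classRoots) {
            $srv = (Get-ItemProperty -Path "$srvRoot\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($srv) { return [Environment]::ExpandEnvironmentVariables($srv.Trim('"')) }
        }
    }
    return $null
}

function Get-OutlookAddinReport {
    foreach ($key in $AddinKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $props  = Get-ItemProperty -Path $sub.PSPath
            $dll    = Resolve-AddinDll -ProgId $sub.PSChildName
            $sig    = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A stolen certificate still yields Status 'Valid' until it is revoked, which is why
            # the verdict also requires the signer to be on the allow-list.
            $trusted      = $sig -and ($sig.Status -eq 'Valid') -and ($AllowedPublishers -contains $signer)
            $loadsAtStart = ($props.LoadBehavior -eq 3)
            [pscustomobject]@{
                Hive         = $key
                ProgId       = $sub.PSChildName
                FriendlyName = $props.FriendlyName
                LoadBehavior = $props.LoadBehavior
                Dll          = $dll
                SigStatus    = if ($sig) { [string]$sig.Status } else { 'NoFile' }
                Signer       = $signer
                Suspicious   = $loadsAtStart -and -not $trusted
            }
        }
    }
}

Get-OutlookAddinReport | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it in the context of the user being audited so the HKCU hive is the right one, and keep the output as a baseline so that a new ProgID, a changed DLL path or a new signer shows up as a diff rather than as a line in a long table. The signature check alone is not sufficient: the point of the allow-list is that a stolen certificate from an unexpected publisher is reported even while its chain still validates.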
Mitigation must be layered. First, govern Outlook add-ins: use the Outlook administrative templates to block all unmanaged add-ins and allow only the vetted, signed add-ins you name in the managed add-in list, and audit the HKCU and HKLM Outlook\Addins registry keys together with %APPDATA%\Microsoft\AddIns for entries that appear outside change control. Second, confirm each CVE identifier the webinar cited against the vendor’s own advisory and apply the corresponding updates; do not patch by CVE number alone, since at least one of the three identifiers belongs to a non-Microsoft product. Third, deploy Windows Defender Application Control in enforced mode with rules pinned to the specific publishers you trust, and when a certificate is known to be stolen add an explicit deny rule for that signer rather than relying on revocation checking at load time; a valid signature from a trusted publisher is exactly what a stolen certificate provides, so the allow-list has to be narrow. Fourth, protect credentials: enable Credential Guard so that domain secrets are not exposed in LSASS memory, and enable LSA protection (RunAsPPL) so that unsigned code cannot inject into lsass.exe. Fifth, restrict replication: grant the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set rights on the domain naming context only to domain controller computer accounts and known synchronisation accounts, and alert on Security event 4662 whenever any other principal exercises them. DCSync runs over the MS-DRSR RPC interface, so network monitoring should look for DsGetNCChanges calls from hosts that are not domain controllers; the Netlogon secure-channel policy (Domain member: Digitally encrypt or sign secure channel data (always)) is still worth enforcing but addresses a different protocol. Finally, feed EDR with the host signals this chain produces: handle access to lsass.exe from an Outlook-spawned process tree, Windows Firewall policy-change events following a netsh advfirewall reset, and password resets on the krbtgt account (events 4724 and 4738) outside a planned rotation.
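The replication monitoring called for above, added here as an example that is not part of the original briefing: detection logic for DCSync-style requests, run over constructed Security event 4662 records. The event XML, the `Test-ReplicationEvent` function and the list of expected replicating accounts are constructed for this example; the three right GUIDs are the real Active Directory replication control-access rights.

```powershell
# Added example, not code from the webinar or the original briefing: detect DCSync-style
# replication requests from Security event 4662 on a domain controller. A 4662 names the
# requesting account and lists, in its Properties field, the control-access-right GUIDs that
# were exercised. The three GUIDs below are the Active Directory replication rights; the
# sample events and the list of expected replicators are constructed for this example.

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'   # the right that returns secrets
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

# Principals that legitimately replicate: DC computer accounts plus known sync accounts (assumed names).
$ExpectedReplicators = @('DC01$', 'DC02$', 'MSOL_a1b2c3d4e5f6')

function Test-ReplicationEvent {
    # Accepts one event as XML (the shape returned by (Get-WinEvent ...).ToXml()) and returns a
    # finding object when replication rights were exercised, otherwise $null.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $eventId = $x.Event.System.GetElementsByTagName('EventID')[0].InnerText
    if ($eventId -ne '4662') { return $null }
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    if (-not $data.ContainsKey('Properties')) { return $null }
    # Properties holds a resource id (%%7688 = Control Access) followed by one GUID per line.
    $rights = @([regex]::Matches($data['Properties'], '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') |
                ForEach-Object { $_.Value.ToLower() } |
                Where-Object { $ReplicationRights.ContainsKey($_) })
    if ($rights.Count -eq 0) { return $null }
    $subject = $data['SubjectUserName']
    [pscustomobject]@{
        Computer    = $x.Event.System.GetElementsByTagName('Computer')[0].InnerText
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $subject
        Rights      = ($rights | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        GetsSecrets = $rights -contains $GetChangesAll
        Verdict     = if ($ExpectedReplicators -contains $subject) { 'baseline' }
                      else { 'ALERT: replication by unexpected principal' }
    }
}

# Constructed sample events in the shape the Security log produces. The first is a DC
# replicating to its partner (baseline); the second is a user account pulling the domain
# naming context with Get-Changes-All, which is what a DCSync credential theft looks like.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">DC02$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">%{b7d5a0c1-2f4e-4a6b-9c1d-0e8f7a6b5c4d}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">%{b7d5a0c1-2f4e-4a6b-9c1d-0e8f7a6b5c4d}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{89e95b76-444d-4c62-991a-0facbeda640c}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@
)

$SampleEvents | ForEach-Object { Test-ReplicationEvent -EventXml $_ } | Format-Table -AutoSize
```

Against a live domain controller, feed it real events with `Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4662]]' | ForEach-Object { Test-ReplicationEvent -EventXml $_.ToXml() }`. The event is only written when Audit Directory Service Access is enabled and the domain object carries a SACL that audits control access. A Get-Changes-All from a principal that is not a domain controller is the high-confidence signal, because that is the right that returns password hashes; Get-Changes on its own is exercised by more legitimate tooling and is better treated as a baseline anomaly than an alert.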