Cyber espionage group used CVE-2018-8589 Windows Zero-Day in Middle East Attacks
15.11.2018 securityaffairs
CyberSpy  Vulnerebility

Kaspersky revealed that the CVE-2018-8589 Windows 0-day fixed by Microsoft Nov. 2018 Patch Tuesday has been exploited by at least one APT group in attacks in the Middle East.
Kaspersky Lab experts revealed that the CVE-2018-8589 Windows zero-day vulnerability addressed by Microsoft November 2018 Patch Tuesday has been exploited by an APT group in targeted attacks against entities in the Middle East.

Kaspersky reported the flaw to Microsoft on October 17, the security firm observed attacks against systems protected by its solution and attempting to exploit the zero-day flaw affecting the Win32k component in Windows.

The flaw could be exploited by an authenticated attacker to execute arbitrary code in the context of the local user, it ties the way Windows handles calls to Win32k.sys.

Kaspersky Lab described the CVE-2018-8589 flaw as a race condition in win32k!xxxMoveWindow that is caused by the improper locking of messages sent synchronously between threads.

CVE-2018-8589

The CVE-2018-8589 vulnerability only affects Windows 7 and Windows Server 2008.

Attackers exploited the flaw as the first stage of a malware installer aimed at a limited number of entities in the Middle East.

At the time of writing it is not unclear how the malware had been delivered by the threat actors.

“The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.” reads the analysis published by Kaspersky.

Kaspersky did not explicitly attribute the attack to a specific threat actor but pointed out that the CVE-2018-8589 exploit code is being used by at least one cyber espionage APT group.

In October, Kaspersky also reported to Microsoft the CVE-2018-8453 flaw that had been exploited by the threat group known as FruityArmor in a highly targeted campaign.

the FruityArmor APT group is active at least since 2016 when targeted activists, researchers, and individuals related to government organizations.

In October, the cyber espionage group exploited a Windows zero-day flaw in attacks aimed at entities in the Middle East.

Researchers pointed out that both issues affect the Win32k component and both flaws were used in attacks aimed at users in the Middle East, but Kaspersky did not link the two attacks.