Windows Zero-Day Exploited in Attacks Aimed at Middle East
11.10.2018 securityweek
Vulnerebility

One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm's systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it's unclear why Microsoft waited so long to release a fix.

According to Kaspersky, CVE-2018-8453 has been exploited by an APT group it tracks as FruityArmor. The exploit was executed by a malware installer for obtaining the privileges needed to gain persistence on the targeted system.

The security firm said FruityArmor created a high quality and reliable exploit that would work on as many versions of Windows as possible, including Windows 10.

Kaspersky has described the vulnerability as a use-after-free bug that is similar to CVE-2017-0263, a flaw patched by Microsoft back in May 2017 after it had been exploited by the Russia-linked threat actor known as APT28, Sofacy and Fancy Bear.

Hackers packaged the CVE-2018-8453 exploit in a malware installer that requires system privileges to deploy its payload. The payload has been described as a "sophisticated implant used by the attackers for persistent access to the victims' machines."

Kaspersky has seen the exploit being used against less than a dozen targets located in the Middle East.

"So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved," Kaspersky researchers explained.

The company determined that FruityArmor is likely behind these attacks after discovering a PowerShell backdoor that in the past was only used by this APT group. In addition, some of the command and control (C&C) domains used in the latest campaign were also involved in past FruityArmor operations.

A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor.

This is not the first time Kaspersky has come across a zero-day vulnerability exploited by FruityArmor. The hackers also exploited a Windows zero-day back in 2016, which Microsoft patched in October 2016 after being alerted by Kaspersky. At the time, the victims were researchers, activists and government-related individuals in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

"We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar," Kaspersky said.