One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.
The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm’s systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it’s unclear why Microsoft waited so long to release a fix.
According to Kaspersky, CVE-2018-8453 has been exploited by an APT group it tracks as FruityArmor. The exploit was executed by a malware installer for obtaining the privileges needed to gain persistence on the targeted system.
The security firm said FruityArmor created a high quality and reliable exploit that would work on as many versions of Windows as possible, including Windows 10.
Kaspersky has described the vulnerability as a use-after-free bug that is similar to CVE-2017-0263, a flaw patched by Microsoft back in May 2017 after it had been exploited by the Russia-linked threat actor known as APT28, Sofacy and Fancy Bear.
Hackers packaged the CVE-2018-8453 exploit in a malware installer that requires system privileges to deploy its payload. The payload has been described as a “sophisticated implant used by the attackers for persistent access to the victims’ machines.”
Kaspersky has seen the exploit being used against less than a dozen targets located in the Middle East.
“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved,” Kaspersky researchers explained.
The company determined that FruityArmor is likely behind these attacks after discovering a PowerShell backdoor that in the past was only used by this APT group. In addition, some of the command and control (C&C) domains used in the latest campaign were also involved in past FruityArmor operations.
A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor.
This is not the first time Kaspersky has come across a zero-day vulnerability exploited by FruityArmor. The hackers also exploited a Windows zero-day back in 2016, which Microsoft patched in October 2016 after being alerted by Kaspersky. At the time, the victims were researchers, activists and government-related individuals in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
“We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar,” Kaspersky said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
