Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Windows Zero-Day Exploited in Attacks Aimed at Middle East

One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm’s systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it’s unclear why Microsoft waited so long to release a fix.

According to Kaspersky, CVE-2018-8453 has been exploited by an APT group it tracks as FruityArmor. The exploit was executed by a malware installer for obtaining the privileges needed to gain persistence on the targeted system.

The security firm said FruityArmor created a high quality and reliable exploit that would work on as many versions of Windows as possible, including Windows 10.

Kaspersky has described the vulnerability as a use-after-free bug that is similar to CVE-2017-0263, a flaw patched by Microsoft back in May 2017 after it had been exploited by the Russia-linked threat actor known as APT28, Sofacy and Fancy Bear.

Hackers packaged the CVE-2018-8453 exploit in a malware installer that requires system privileges to deploy its payload. The payload has been described as a “sophisticated implant used by the attackers for persistent access to the victims’ machines.”

Kaspersky has seen the exploit being used against less than a dozen targets located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved,” Kaspersky researchers explained.

The company determined that FruityArmor is likely behind these attacks after discovering a PowerShell backdoor that in the past was only used by this APT group. In addition, some of the command and control (C&C) domains used in the latest campaign were also involved in past FruityArmor operations.

A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor.

This is not the first time Kaspersky has come across a zero-day vulnerability exploited by FruityArmor. The hackers also exploited a Windows zero-day back in 2016, which Microsoft patched in October 2016 after being alerted by Kaspersky. At the time, the victims were researchers, activists and government-related individuals in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.

“We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar,” Kaspersky said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.