Microsoft Patches Another Actively Exploited Zero-Day Vulnerability

Microsoft released security updates for its products Dec. 11, fixing 38 vulnerabilities including a privilege escalation flaw in the Windows kernel that has been exploited by cyberespionage groups since October.

The zero-day vulnerability, tracked as CVE-2018-8611, was reported to Microsoft by researchers from Kaspersky Lab who saw it being used in attacks by at least two APT groups called FruityArmor and SandCat.


The vulnerability is located in the Windows Kernel Transaction Manager (KTM) and can be exploited by attackers who already have code execution in a low-privileged account to escalate to kernel-level privileges and take full control of the system. Privilege escalation flaws are highly valuable to attackers, especially in corporate environments where users run with limited privileges and an initial foothold is therefore a low-privileged process.

Microsoft patched two other such flaws in November and October that were also being exploited by FruityArmor and other APT groups. However, compared to those flaws, the new one is even more dangerous because it can allow attackers to build exploit chains that bypass browser sandboxes.

“This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox,” the Kaspersky Lab researchers said in a blog post. “Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.”

FruityArmor is an APT group that has been active since at least 2016. Its toolset is built around PowerShell and its activity focuses on the Middle East. The group has been seen using multiple zero-day vulnerabilities over the years, which suggests a high degree of sophistication.

Meanwhile, SandCat is a relatively new APT group that uses FinFisher/FinSpy, a commercial surveillance framework sold to governments and law enforcement agencies. The group also uses CHAINSHOT, a sophisticated multi-stage malware platform documented by researchers from Palo Alto Networks in September.

Microsoft rates CVE-2018-8611 as important, but the company also patched nine critical vulnerabilities this month, most of them memory corruption bugs in the Chakra Scripting Engine used in Microsoft Edge, with the rest in Internet Explorer, .NET Framework, Windows DNS Server and Microsoft Text-To-Speech.

“Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” Animesh Jain of security firm Qualys said in a blog post. “This includes multi-user servers that are used as remote desktops for users.”

Cyberespionage Campaign Targets Defense and Critical Infrastructure Firms

Security researchers have uncovered a cyberespionage campaign that targets nuclear, defense, energy and financial companies from around the world and deploys a new malware implant.

The campaign, dubbed Operation Sharpshooter by researchers from McAfee, masquerades as a job recruitment campaign and managed to infect 87 companies throughout November and December. A large number of victims are from the United States.

The phishing campaign directs users to malicious Word documents hosted on Dropbox and remote servers. These documents use embedded macros to drop an in-memory implant dubbed Rising Sun.
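The delivery stage described above, a Word document whose embedded macro drops the implant, is the point at which a mail gateway or triage analyst can still catch the campaign. The following Python script is an added example, not code from McAfee or from the original article, showing how to check an Office Open XML document for an embedded VBA project without opening it in Word. It relies on two documented facts about the format: the file is a ZIP container, and a macro project is stored as the part `word/vbaProject.bin`, normally declared in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`. The sample documents are constructed in memory here; `build_sample_docx` and the dummy macro bytes are illustrative stand-ins, not the campaign's actual files.

```python
import io
import zipfile

# Office Open XML (.docx/.docm) documents are ZIP containers. A VBA project,
# when present, lives in word/vbaProject.bin and is normally declared in
# [Content_Types].xml with the vbaProject content type.
VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES = "[Content_Types].xml"


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators a document carries.

    Both indicators are checked independently: a document that ships the
    vbaProject.bin part without declaring its content type (or vice versa)
    is still flagged. Non-ZIP input (for example a legacy binary .doc, which
    needs an OLE parser instead) is reported as not OOXML.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return {"ooxml": False, "vba_part": False, "vba_content_type": False}
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
        vba_part = VBA_PART in names
        content_types = ""
        if CONTENT_TYPES in names:
            content_types = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
        vba_content_type = VBA_CONTENT_TYPE in content_types
    return {"ooxml": True, "vba_part": vba_part, "vba_content_type": vba_content_type}


def has_vba_macros(data: bytes) -> bool:
    """True if either macro indicator is present. Decides on content, not on
    the file extension, which an attacker controls."""
    ind = macro_indicators(data)
    return ind["vba_part"] or ind["vba_content_type"]


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (sample input for this
    example, not a real campaign document). The macro variant adds a dummy
    vbaProject.bin part and the matching content-type override."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Job offer</w:t></w:r></w:p></w:body></w:document>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES, content_types)
        zf.writestr("word/document.xml", document)
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return out.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample_docx(True)), ("clean", build_sample_docx(False))):
        print(label, macro_indicators(doc), "-> macros:", has_vba_macros(doc))
```

A positive result here is a triage signal, not a verdict: legitimate documents carry macros too, and the next step is to extract and inspect the VBA project (for example with a dedicated OLE/VBA parser) for auto-executing entry points and the dropper behaviour the article describes.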

The payload seems to be used primarily for reconnaissance, as it gathers system, network and hardware information and sends it back to a command-and-control server in encrypted form. However, it is also capable of downloading and installing additional second-stage payloads, likely on computers that attackers consider interesting.

Rising Sun uses source code from a 2015 backdoor Trojan called Duuzer that has been associated in the past with the Lazarus Group, an APT group believed to have ties to the North Korean government. However, the McAfee researchers are not ready to attribute the attack to Lazarus.

“Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” they said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
