Kaspersky Lab experts revealed that the CVE-2018-8589 Windows zero-day vulnerability addressed by Microsoft November 2018 Patch Tuesday has been exploited by an APT group in targeted attacks against entities in the Middle East.
Kaspersky reported the flaw to Microsoft on October 17, the security firm observed attacks against systems protected by its solution and attempting to exploit the zero-day flaw affecting the Win32k component in Windows.
The flaw could be exploited by an authenticated attacker to execute arbitrary code in the context of the local user, it ties the way Windows handles calls to Win32k.sys.
Kaspersky Lab described the CVE-2018-8589 flaw as a race condition in win32k!xxxMoveWindow that is caused by the improper locking of messages sent synchronously between threads.
The CVE-2018-8589 vulnerability only affects Windows 7 and Windows Server 2008.
Attackers exploited the flaw as the first stage of a malware installer aimed at a limited number of entities in the Middle East.
At the time of writing it is not unclear how the malware had been delivered by the threat actors.
“The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.” reads the analysis published by Kaspersky.
Kaspersky did not explicitly attribute the attack to a specific threat actor but pointed out that the CVE-2018-8589 exploit code is being used by at least one cyber espionage APT group.
the FruityArmor APT group is active at least since 2016 when targeted activists, researchers, and individuals related to government organizations.
In October, the cyber espionage group exploited a Windows zero-day flaw in attacks aimed at entities in the Middle East.
Researchers pointed out that both issues affect the Win32k component and both flaws were used in attacks aimed at users in the Middle East, but Kaspersky did not link the two attacks.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.