Kaspersky revealed that the CVE-2018-8589 Windows 0-day fixed by Microsoft Nov. 2018 Patch Tuesday has been exploited by at least one APT group in attacks in the Middle East.
Kaspersky Lab experts revealed that the CVE-2018-8589 Windows zero-day vulnerability addressed by Microsoft November 2018 Patch Tuesday has been exploited by an APT group in targeted attacks against entities in the Middle East.
Kaspersky reported the flaw to Microsoft on October 17, the security firm observed attacks against systems protected by its solution and attempting to exploit the zero-day flaw affecting the Win32k component in Windows.
The flaw could be exploited by an authenticated attacker to execute arbitrary code in the context of the local user, it ties the way Windows handles calls to Win32k.sys.
Kaspersky Lab described the CVE-2018-8589 flaw as a race condition in win32k!xxxMoveWindow that is caused by the improper locking of messages sent synchronously between threads.
The CVE-2018-8589 vulnerability only affects Windows 7 and Windows Server 2008.
Attackers exploited the flaw as the first stage of a malware installer aimed at a limited number of entities in the Middle East.
At the time of writing it is not unclear how the malware had been delivered by the threat actors.
“The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.” reads the analysis published by Kaspersky.
Kaspersky did not explicitly attribute the attack to a specific threat actor but pointed out that the CVE-2018-8589 exploit code is being used by at least one cyber espionage APT group.
In October, Kaspersky also reported to Microsoft the CVE-2018-8453 flaw that had been exploited by the threat group known as FruityArmor in a highly targeted campaign.
the FruityArmor APT group is active at least since 2016 when targeted activists, researchers, and individuals related to government organizations.
In October, the cyber espionage group exploited a Windows zero-day flaw in attacks aimed at entities in the Middle East.
Researchers pointed out that both issues affect the Win32k component and both flaws were used in attacks aimed at users in the Middle East, but Kaspersky did not link the two attacks.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.