One of the zero-day flaws (CVE-2019-0797) patched this week by Microsoft has been exploited in targeted attacks by several threat groups, including the FruityArmor and SandCat APT groups.
This week, Microsoft released Patch Tuesday security updates for March 2019 that address 64 flaws, including two Windows zero-day vulnerabilities exploited in targeted attacks.
One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it had observed targeted attacks chaining the issue with a recently addressed Chrome flaw (CVE-2019-5786): the Chrome bug gave the attackers code execution in the renderer, and the Windows bug let them escape the browser sandbox.
The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups.
FruityArmor is a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations in Thailand, Iran, Algeria, Yemen, Saudi Arabia, and Sweden. Experts believe FruityArmor's activity has been slowly increasing during the last two years, the group
In October 2018, FruityArmor exploited another Windows zero-day in targeted attacks aimed at entities in the Middle East.
The SandCat APT was discovered by Kaspersky Lab at the end of 2018, when the group was caught exploiting a flaw (CVE-2018-8611) that Microsoft addressed with the security updates released in December.
CVE-2018-8611 is a race condition in the Kernel Transaction Manager (KTM). What makes it particularly dangerous is that it could be used to escape the sandbox of the Chrome and Edge web browsers: the vulnerable code is reached through syscalls that the browsers’ sandbox policies (win32k lockdown and syscall filtering) do not block, so a renderer-level compromise can be turned into kernel-level code execution.
The vulnerability was reported to Microsoft by Kaspersky Lab, which in the preceding two months had also reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.
“We believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently,” reads the analysis published by Kaspersky Lab.
“In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.”
At the time of writing, Kaspersky Lab does not have any information about the targets of the attacks involving CVE-2019-0797.
CVE-2019-0797 is the fourth actively exploited Windows zero-day discovered by Kaspersky Lab in recent months, after CVE-2018-8453, CVE-2018-8589 and CVE-2018-8611. The practical takeaway for defenders is the same as for the earlier three: these are local privilege-escalation bugs used as the second stage of a chain, so the March 2019 updates should be applied promptly even on hosts that are not directly exposed to the Internet.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".