16 October 2018

I learned about CVE-2018-8453 from Kaspersky Lab’s Secure List [1] last Wednesday during a bicycle tour to the Baltic Sea.

Lake Steinhude, Lower Saxony

Elevation of Privilege vulnerabilities like CVE-2018-8453 should be taken seriously because an attacker can fully compromise a system if an exploit is available.

Since the vulnerability had status Awaiting Analysis [2] in the NVD I checked the Microsoft Security Response Center for more details [3]. The CVSS 3.0 vector string AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C and the CVSS 3.0 base score 7.0 made clear: There is no reason for panic.

But what puzzled me was that many sources [4][5] reported that the vulnerability was already exploited in the wild. Back home, I found that almost all sources referred to the Kaspersky Lab report [1].

In section Attribution of the Kaspersky Lab report we learn:

“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.”

That is really baffling. The attackers already compromised the affected systems through a PowerShell backdoor. With this it is easy to exploit CVE-2018-8453.

The question remains why the attackers use CVE-2018-8453 instead of one of the auto-elevation programs included in the Windows operating system.

From section Victims of the Kaspersky Lab report one learns:

“The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.”

Now this makes pretty sense. In the case of highly targeted attacks we can assume, that the affected clients are well hardened. In such cases, when e.g. User account control is set to Always notify me, the standard method to get elevated privileges by manipulating the auto-elevation programs does not work.

The big questions are: How many APT (nation-state actors) are aware of this vulnerability? And since when?

Have a great week.

1. SecureList. Zero-day exploit (CVE-2018-8453) used in targeted attacks [Internet]. Securelist – Kaspersky Lab’s cyberthreat research and reports. 2018 [cited 2018 Oct 15]. Available from: https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
2. MITRE. NVD – CVE-2018-8453 [Internet]. 2018 [cited 2018 Oct 15]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-8453
3. Microsoft Security Response Center. CVE-2018-8453 | Win32k Elevation of Privilege Vulnerability [Internet]. Security TechCenter. 2018 [cited 2018 Oct 15]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453
4. Paganini P. CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East [Internet]. Security Affairs. 2018 [cited 2018 Oct 15]. Available from: https://securityaffairs.co/wordpress/77003/apt/cve-2018-8453-win-0day.html
5. Beltrov M. CVE-2018-8453: Microsoft Windows Zero-Day Vulnerability Used in Attacks Worldwide [Internet]. How to, Technology and PC Security Forum | SensorsTechForum.com. 2018 [cited 2018 Oct 15]. Available from: https://sensorstechforum.com/cve-2018-8453-microsoft-windows-zero-day-vulnerability-used-attacks-worldwide/