On October 9, Microsoft released its monthly security bulletin for October 2018 together with a security update deployment that fixes multiple security vulnerabilities across numerous products. Among the fixes in the Windows 10 security update deployment, the CVE-2018-8453 Win32k elevation-of-privilege vulnerability was highlighted. In August this year, Kaspersky Lab first observed exploitation activity and identified the vulnerability as one used by the APT group FruityArmor in its attacks.
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”
The APT group FruityArmor recently used the CVE-2018-8453 vulnerability in its attacks. Kaspersky Lab pointed out that the exploit is written in high-quality code and is built to target as many versions of Microsoft Windows as possible, including Windows 10 RS4.
“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.”