Zero-day vulnerability in Windows

Memory corruption
CVE-2018-8174

Exploitation of the vulnerability was detected by Qihoo 360. The company uncovered a zero-day vulnerability in IE, dubbed ‘double play’, that was triggered through weaponized MS Office documents. Its researchers observed an APT group exploiting the zero-day flaw against a limited number of users.

Attackers can use the ‘double play’ flaw to implant a backdoor Trojan and take full control of the vulnerable machine.

The APT group delivered an Office document with a malicious web page embedded in it; once the user opens the document, the exploit code and malicious payloads are downloaded from a remote server and executed. The later phase of the attack leverages a public UAC bypass technique and uses file steganography and reflective in-memory loading to evade traffic monitoring and to run without writing files to disk. This ‘double play’ vulnerability may affect the latest versions of Internet Explorer and any application that embeds the IE engine.

For now, most of the victims are located in Asia.
In May 2018, after PoC code became publicly available, the vulnerability was added to the RIG exploit kit.

Known malware:

RIG exploit kit

Vulnerability details

Advisory: SB2018042106 - Remote code execution in Microsoft VBScript engine

Vulnerable component: Windows

CVE-ID: CVE-2018-8174

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the VBScript engine. A remote attacker can trick the victim into visiting a specially crafted website or opening a malicious Office file, and thereby execute arbitrary code on the target system.

Note: the vulnerability is being actively exploited in the wild against victims in the Asia region. The vulnerability is dubbed "double play".

Latest references in media:

- Cobalt Bank Robbers Use New ThreadKit Malicious Doc Builder [2018-12-11 16:20:29]

- Backdoors Up 44%, Ransomware Up 43% from 2017 [2018-12-05 00:10:06]

- HookAds Malvertising Installing Malware via the Fallout Exploit Kit [2018-11-13 17:30:30]

- Internet Explorer scripting engine becomes North Korean APT's favorite target in 2018 | ZDNet [2018-11-12 20:50:08]

- The August 2018 Security Update Review [2018-10-13 17:41:13]

- New CVE-2018-8373 Exploit Spotted [2018-09-26 16:10:16]

- Patch Tuesday, May 2018 [2018-09-26 07:13:27]

- CVE-2018-8174 and Forcing Internet Explorer Exploits [2018-09-26 07:13:18]

- New CVE-2018-8373 Exploit Spotted in the Wild [2018-09-25 14:40:18]

- ShadowTalk Update – 09.17.2018 [2018-09-17 17:21:48]

- Cobalt crime gang is using again CobInt malware in attacks on former soviet states [2018-09-13 10:00:11]

- Multi-Stage Malware Heavily Used in Recent Cobalt Attacks [2018-09-13 01:50:09]

- New 'Fallout' EK Brings Return of Old Ransomware [2018-09-11 01:10:06]

- New Campaign Brings Return of Old Malware [2018-09-11 00:20:06]

- ShadowTalk Update – 09.10.2018 [2018-09-10 18:11:39]

- Fallout exploit kit appeared in the threat landscape in malvertising campaigns [2018-09-10 09:10:10]

- Nestled in hacked sites–New Fallout Exploit Kit injecting GandCrab Ransomware or Redirecting to PUPs [2018-09-09 13:20:55]

- Researchers Discover New "Fallout" Exploit Kit [2018-09-07 20:10:11]

- Hackers Launching GandCrab Ransomware via New Fallout Exploit Kit [2018-09-07 07:10:55]

- New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs [2018-09-07 00:30:20]

- Fallout Exploit Kit Used in Malvertising Campaign to Deliver Gandcrab Ransomware [2018-09-06 17:40:07]

- US is the world's hotspot for malicious websites [2018-09-06 15:40:20]

- USA Is the Top Country for Hosting Malicious Domains According to Report [2018-09-05 16:20:30]

- USA Is the Top Country for Hosting Malicious Domains, Research Shows [2018-09-05 16:10:23]

- USA Is the Top Country for Hosting Malicious Domains, Research [2018-09-05 16:00:22]

- New Silence hacking group suspected of having ties to cyber-security industry | ZDNet [2018-09-05 13:30:10]

- Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks [2018-08-30 21:40:07]

- Ransomware as a service Princess Evolution looking for affiliates [2018-08-23 09:11:14]

- North Korean Hackers Exploit Recently Patched Zero-Day [2018-08-20 21:00:10]

- North Korea-linked Dark Hotel APT leverages CVE-2018-8373 exploit [2018-08-19 18:00:08]

- Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT [2018-08-18 17:10:17]

- Zero-Day In Microsoft’s VBScript Engine Used By Darkhotel APT [2018-08-18 16:30:17]

- Microsoft patches zero-day exploit against Internet Explorer [2018-08-15 19:50:58]

- Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode [2018-08-15 14:40:15]

- August 2018 Patch Tuesday: Microsoft fixes two actively exploited zero-days [2018-08-15 11:01:19]

- August 2018 Patch Tuesday: Microsoft fixes two actively exploited zero-days [2018-08-15 10:50:09]

- Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer [2018-08-15 07:50:10]

- August Patch Tuesday: A Tale of Two Zero-Days [2018-08-15 07:40:15]

- Ransomware as a Service Princess Evolution Looking for Affiliates [2018-08-09 15:30:20]

- Hackers attacked the famous Russian media for the second time [2018-08-09 09:31:00]

- IT threat evolution Q2 2018 [2018-08-06 12:01:04]

- IT threat evolution Q2 2018. Statistics [2018-08-06 12:00:56]

- New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel [2018-07-26 17:40:17]

- Shadow Talk Update – 05.14.2018 [2018-07-25 16:25:00]

- Shadow Talk Update – 05.29.2018 [2018-07-25 16:25:00]

- Shadow Talk Update – 06.11.2018 [2018-07-25 16:25:00]

- Five Threats to Financial Services: Banking Trojans [2018-07-25 16:25:00]

- Links 25/7/2018: Ubuntu 18.10's New Community Theme, Slackware Creator ‘in Strife’ [2018-07-25 09:03:42]

- If at first you, er, make things worse, you're probably Microsoft: Bug patch needed patching [2018-07-23 23:40:02]

- That IE Zero-Day From May Needed a Second Patch in July [2018-07-23 15:00:19]

- Magniber ransomware spreads in other Asian countries [2018-07-18 13:11:02]

- Magniber Ransomware Improves Obfuscation and Expands Asian Countries [2018-07-17 08:50:52]

- Asian APT Groups Most Active in Q2 [2018-07-10 23:11:01]

- Asian APT Groups Most Active in Q2 [2018-07-10 23:00:05]

- Asian Countries Frequent Targets of APT Attacks [2018-07-10 19:00:06]

- APT Trends Report Q2 2018 [2018-07-10 12:00:56]

- New Smoke Loader campaign aims at stealing multiple credentials from many applications [2018-07-05 20:30:11]

- Delving deep into VBScript: Analysis of CVE-2018-8174 exploitation [2018-07-03 15:01:02]

- Down but Not Out: A Look Into Recent Exploit Kit Activities [2018-07-02 16:00:19]

- RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner [2018-07-02 08:13:23]

- RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique [2018-06-28 18:30:04]

- Microsoft Office: The Go-To Platform for Zero-Day Exploits [2018-06-21 19:21:10]

- Attackers Pick Microsoft Office for Zero-Day Exploits [2018-06-21 19:10:11]

- Microsoft Office: The Go-To Platform for Zero-Day Exploits [2018-06-21 19:10:08]

- Exploit kits: Spring 2018 review [2018-06-19 05:41:20]

- Analysis of the evolution of exploit kits in the threat landscape [2018-06-14 09:10:09]

- Exploit Kits Target Recent Flash, Internet Explorer Zero-Days [2018-06-13 18:00:09]

- Security Affairs newsletter Round 166 – News of the week [2018-06-10 07:01:32]

- A Zero-Day Flaw in IE is being exploited by RIG Exploit Kit - Latest Hacking News [2018-06-06 00:57:52]

- Internet Explorer (IE) RCE Flaw in Rig Exploit Kit to Hack Windows PC [2018-06-04 08:51:12]

- Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit [2018-06-03 09:36:36]

- IE Zero-Day Adopted by RIG Exploit Kit After Publication of PoC Code [2018-06-01 16:01:22]

- IE Zero-Day Adopted by RIG Exploit Kits After Publication of PoC Code [2018-06-01 15:24:24]

- Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner [2018-06-01 01:13:09]

- Windows 'Double Kill' Attack Code Found in RIG Exploit Kit [2018-05-30 21:30:09]

- Patch Tuesday, May 2018 [2018-05-29 03:59:21]

- CVE-2018-8174 and Forcing Internet Explorer Exploits [2018-05-29 03:58:29]

- Patch Tuesday, May 2018 [2018-05-20 07:26:36]

- CVE-2018-8174 and Forcing Internet Explorer Exploits [2018-05-20 07:22:25]

- Lots of little Microsoft patches, but nothing for this month’s big bugs — and no Previews [2018-05-16 15:46:42]

- CVE-2018-8174 and Forcing Internet Explorer Exploits [2018-05-16 03:42:01]

- Security Affairs newsletter Round 162 – News of the week [2018-05-13 19:48:52]

- Internet Explorer (IE) Zero-day Vulnerability to Perform Remote Hacking [2018-05-13 09:37:28]

- Patch Tuesday problems, fixes — but no cause for immediate alarm [2018-05-10 20:05:04]

- Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack [2018-05-10 07:40:45]

- Patch now! Microsoft and Adobe release critical security updates [2018-05-09 18:30:02]

- Windows critical flaw: This security bug is under attack right now, says Microsoft | ZDNet [2018-05-09 15:30:08]

- Microsoft Patches Two Zero-Day Flaws this Month [2018-05-09 12:41:56]

- Microsoft Patch Tuesday for May Includes Updates for Actively-Exploited Vulnerabilities [2018-05-09 11:00:33]

- May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group [2018-05-09 10:16:42]

- Patch Tuesday, May 2018 [2018-05-09 09:13:35]

- Microsoft's May 2018 Patch Tuesday update fixes a total 21 critical vulnerabilities, including two flaws that have been under active attack since last month. [2018-05-09 08:30:07]

- The King is dead. Long live the King! [2018-05-09 08:07:49]

- It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V [2018-05-09 03:51:18]

- Microsoft's Patch Tuesday Fixes Two CVEs Under Active Attack [2018-05-08 23:20:01]

- Microsoft Patch Tuesday, May 2018 Edition [2018-05-08 22:58:49]

- May Patch Tuesday Fixes Two Bugs Under Active Attack [2018-05-08 22:55:21]

- Microsoft Patches Two Windows Zero-Day Vulnerabilities [2018-05-08 22:04:29]

- Microsoft May 2018 Patch Tuesday Fixes 67 Security Issues, Including IE Zero-Day [2018-05-08 20:44:45]

Vulnerability Scanning SaaS

The Vulnerability Scanning SaaS service is an online, third-generation vulnerability scanner with scheduled assessments and a vulnerability subscription. You can use the service to check the security of your network perimeter.