WARNING #1099 – Windows/IE 0day Patch – Current and upcoming potential exploitation in the wild

9. May 18

Microsoft has released a security fix[1] to address the vulnerability (CVE-2018-8174), which the Chinese Internet security company Qihoo 360 Technology claimed in April was used in limited, targeted zero-day APT attacks[2]. The remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. Successful exploitation could allow an attacker to gain the same user rights as the current user. Along with this patch, security researchers released both Proof of Concept (PoC) code and technical details analyzing the APT-related targeted attack, which used an email with an RTF file attached to it as the attack vector. Now that these details are public, it would be trivial for threat actors to combine this vulnerability with known hacking tools in order to broaden exploitation.

We anticipate seeing an increase in criminal activity, not limited to APTs, exploiting the Microsoft vulnerability (CVE-2018-8174) given the observation of the following Early Warning Indicators (EWIs):

  1. Technical details of the attack exploiting the vulnerability [3]
  2. Publicly available code for crafting malware exploiting CVE-2018-8174 [4]

Due to the ease of exploitation and criticality of the vulnerability, we recommend:

  1. IT Administrators patch their systems as soon as possible
  2. Use the Indicators of Compromise provided below to look for past exploitation

We are currently updating our Collection Plan to process relevant, need-to-know data in an effort to promptly alert our customers as soon as those vulnerabilities are exploited in the wild.

Other details:

To exploit, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and convince a user to view the website. A second scenario could involve an attacker embedding an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. Lastly, an attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements to serve a user specially crafted content.

Indicators of compromise:

RTF document
b48ddad351dd16e4b24f3909c53c8901

Internet Explorer Exploit (CVE-2018-8174)
15eafc24416cbf4cfe323e9c271e71e7

Payload
1ce4a38b6ea440a6734f7c049f5c47e2

Domain & IP
autosoundcheckers[.]com (resolves to 78[.]128[.]92[.]242)
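As an added example (not part of the advisory), the following Python hunt applies the indicators listed above: it hashes every file under a directory against the three MD5s and searches DNS/proxy log lines for the domain and IP. The sample log lines are constructed, and their key=value format is an assumption; adapt the parsing to your own log source.

```python
import hashlib
import re
from pathlib import Path

# Indicators as printed in the advisory above (MD5 hashes; network IoCs defanged with "[.]").
IOC_MD5 = {
    "b48ddad351dd16e4b24f3909c53c8901": "RTF document",
    "15eafc24416cbf4cfe323e9c271e71e7": "Internet Explorer exploit (CVE-2018-8174)",
    "1ce4a38b6ea440a6734f7c049f5c47e2": "payload",
}
IOC_DOMAIN = "autosoundcheckers[.]com"
IOC_IP = "78[.]128[.]92[.]242"

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")  # undo the defanging so it matches real log text

# Domain: apex or any subdomain, never a longer name ending in the same string; IP: full dotted quad.
DOMAIN_RE = re.compile(r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*"
                       + re.escape(refang(IOC_DOMAIN)) + r"(?![A-Za-z0-9-])", re.I)
IP_RE = re.compile(r"(?<![\d.])" + re.escape(refang(IOC_IP)) + r"(?!\.?\d)")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def scan_files(root: Path) -> list[tuple[str, str]]:
    """Return (path, label) for every file under root whose MD5 is a listed IoC."""
    hits = []
    for p in (q for q in root.rglob("*") if q.is_file()):
        label = IOC_MD5.get(md5_hex(p.read_bytes()))
        if label:
            hits.append((str(p), label))
    return hits

def scan_network_log(lines) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, match) for DNS/proxy lines naming the IoC domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("domain", DOMAIN_RE), ("ip", IP_RE)):
            m = rx.search(line)
            if m:
                hits.append((n, kind, m.group(0)))
    return hits

# Constructed sample DNS/proxy lines (not real telemetry); lines 3 and 4 are near-misses.
SAMPLE_LOG = [
    "2018-05-08T10:21:33Z client=10.0.0.12 query=www.AutoSoundCheckers.com type=A",
    "2018-05-08T10:21:34Z client=10.0.0.12 dst=78.128.92.242:80 method=GET uri=/",
    "2018-05-08T10:22:01Z client=10.0.0.17 query=notautosoundcheckers.com type=A",
    "2018-05-08T10:25:10Z client=10.0.0.40 dst=178.128.92.242:443 method=CONNECT",
]
```

Running `scan_network_log(SAMPLE_LOG)` flags only lines 1 and 2; `scan_files(Path("/path/to/mail/attachments"))` reports any file matching one of the three hashes.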

References:

[1] Microsoft, May 8: CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability

[2] Qihoo 360, April 20: 360's World's First Capture of New Office Attack Using Browser Double Kill Vulnerability (translated)

[3] Qihoo 360, May 9: Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack (translated)

[4] Kaspersky Labs, May 9: The King is dead. Long live the King! Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174