Microsoft has released a security fix to address the vulnerability (CVE-2018-8174), which the Chinese Internet security company Qihoo 360 Technology claimed in April was used in limited, targeted zero-day APT attacks. The remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. Successful exploitation could allow an attacker to gain the same user rights as the current user. Along with this patch, security researchers released both Proof of Concept (PoC) code and technical details analyzing the APT-related targeted attack, which used an email with an RTF file attached to it as the attack vector. Now that these details are public, it would be trivial for threat actors to combine this vulnerability with known hacking tools in order to broaden exploitation.
We anticipate seeing an increase in criminal activity, not limited to APTs, exploiting the Microsoft vulnerability (CVE-2018-8174) given the observation of the following Early Warning Indicators (EWIs):
Due to the ease of exploitation and criticality of the vulnerability, we recommend:
We are currently updating our Collection Plan to process relevant, need-to-know data in an effort to promptly alert our customers as soon as those vulnerabilities are exploited in the wild.
To exploit the vulnerability, an attacker could host a specially crafted website designed to exploit it through Internet Explorer and convince a user to view the website. A second scenario could involve an attacker embedding an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. Lastly, an attacker could take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, to serve specially crafted content to a user.
Internet Explorer Exploit (CVE-2018-8174)
Domain & IP
autosoundcheckers[.]com (resolves to 78[.]128[.]92[.]242)
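To act on the indicators above, the following added example (not code from the original post) refangs them and sweeps log lines for the domain, any of its subdomains, and the resolving IP. The log format and the sample lines are constructed assumptions; the indicator values are the ones published above.

```python
import re
from ipaddress import ip_address

# Indicators exactly as published on the page, in defanged form.
DEFANGED_IOCS = ["autosoundcheckers[.]com", "78[.]128[.]92[.]242"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def classify(indicator: str) -> str:
    """Return 'ip' for an IPv4/IPv6 literal, otherwise 'domain'."""
    try:
        ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"

def build_matcher(defanged):
    """Compile one regex per indicator; a domain also matches its subdomains.
    Lookarounds stop 78.128.92.242 from matching inside 178.128.92.242."""
    patterns = {}
    for raw in defanged:
        live = refang(raw)
        if classify(live) == "ip":
            pat = r"(?<![\d.])" + re.escape(live) + r"(?![\d.])"
        else:
            pat = r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(live) + r"(?![\w.-])"
        patterns[live] = re.compile(pat, re.IGNORECASE)
    return patterns

def sweep(lines, matchers):
    """Return (line_no, indicator) pairs for every log line containing an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        for live, rx in matchers.items():
            if rx.search(line):
                hits.append((no, live))
    return hits

# Constructed sample log lines (assumed proxy/DNS layout, not from the page).
SAMPLE_LOG = [
    "2018-05-09T10:14:02Z proxy GET http://autosoundcheckers.com/index.html 200",
    "2018-05-09T10:14:03Z dns query=cdn.autosoundcheckers.com type=A answer=78.128.92.242",
    "2018-05-09T10:15:11Z proxy GET http://178.128.92.242/ 404",  # different IP, must not match
    "2018-05-09T10:16:40Z proxy GET http://example.com/ 200",
]

if __name__ == "__main__":
    for no, ioc in sweep(SAMPLE_LOG, build_matcher(DEFANGED_IOCS)):
        print(f"line {no}: {ioc}")
```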
Microsoft, May 8: CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability
Qihoo 360, April 20: 360's World's First Capture of New Office Attack Using Browser Double Kill Vulnerability (translated)
Qihoo 360, May 9: Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack (translated)
Kaspersky Labs, May 9: The King is dead. Long live the King! Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174