Microsoft's May 2018 Patch Tuesday addressed two zero-day vulnerabilities being actively weaponized in the wild — Barkly blocks attempts to exploit them both.
Among the 67 vulnerabilities that Microsoft released patches for this month, two garner special attention for being leveraged in active attack campaigns. Now, with more details available and working PoC exploit code released, it's unfortunately clear that both have the potential for widespread abuse.
Here's what you need to know.
UPDATE 5/25/18: Just three days after PoC exploit code for Double Kill (CVE-2018-8174) was shared, researchers have already spotted it being incorporated into the RIG exploit kit. Organizations should be prepared for exposure to this exploit to seriously ramp up.
UPDATE 5/29/18: CVE-2018-8174 has now been incorporated into ThreadKit, an exploit builder kit that allows criminals with little-to-no technical expertise to create weaponized Microsoft Office documents. It appears that criminals can purchase the CVE-2018-8174 exploit option for $400.
ThreadKit += CVE-2018-8174 for 400USD (announced by Author yesterday). See this "Cobalt Group" doc: af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5 via @threatinsight — Kafeine (@kafeine) May 28, 2018
CVE-2018-8174, also known as "Double Kill", was discovered in late April by researchers at Kaspersky and the Chinese security firm Qihoo360 Core. Both groups independently spotted the vulnerability being exploited in the wild in similar attacks, and notified Microsoft accordingly.
Double Kill is an example of a use-after-free vulnerability, a type of memory corruption issue that results from situations where a pointer references an object that's been prematurely or already freed. Attackers can take advantage of these situations to reallocate memory and take early steps towards gaining arbitrary read/write access, hijacking execution flows, and eventually achieving code execution.
In the case of Double Kill, the use-after-free vulnerability is in the VBScript engine (as Kaspersky researchers note in their technical write-up, the specific issue is incorrect object lifetime handling in VBScript's Class_Terminate method).
The attacks seen in the wild were instigated via spear phishing emails with malicious RTF document attachments. The documents contained an OLE object that, once activated, downloads and renders an HTML page directly through mshtml.dll, a library that contains the engine behind Internet Explorer. As the Kaspersky write-up points out, this technique allows attackers to successfully load and render a web page from a Word document using the IE engine — even if IE isn't the default browser on the victim's machine.
The web page contains VBScript that automatically triggers and leverages the exploit to download a payload to the victim's machine. In the case of the attacks the Qihoo360 Core team analyzed, that payload included three backdoors, all heavily obfuscated and deployed via a variety of evasive techniques (UAC bypass, reflective DLL loading, fileless execution, and steganography).
As Microsoft clarifies, while the attacks seen in the wild utilized RTF documents, attackers could just as easily trick a victim into visiting a website with the VBScript embedded, opening the door for drive-by downloads and malvertising.
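The delivery chain described above starts with an OLE object embedded in an RTF attachment, so one practical defender-side check is to enumerate the objects a document carries before it reaches a user. The following scanner is an added example, not code from the original post or from Barkly: it extracts each `{\object ...}` group from RTF text, hex-decodes the `\*\objdata` payload, reads the OLE 1.0 ObjectHeader (version, format ID, length-prefixed class name) to learn what class the object really declares, and flags objects that auto-activate on open (`\objupdate`) or that name the `htmlfile` class, which is what hands the content to mshtml.dll. Both RTF documents, the hex payloads and the heuristics are constructed for the demonstration and are assumptions, not indicators taken from the page.

```python
import re
import struct

# OLE2 compound-file signature; seeing it inside \objdata means a full storage
# (e.g. a Word or Package object) is embedded rather than raw native data.
COMPOUND_FILE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ole1_embedded(class_name: str, native: bytes) -> str:
    """Build a hex-encoded OLE 1.0 embedded-object stream for the constructed
    samples: OLEVersion, FormatID=2 (embedded), length-prefixed class name,
    empty topic/item names, then the native data. Layout per the OLE 1.0
    ObjectHeader; used here only to fabricate test documents."""
    cls = class_name.encode("ascii") + b"\x00"
    blob = struct.pack("<III", 0x0501, 2, len(cls)) + cls
    blob += struct.pack("<II", 0, 0)                  # TopicName, ItemName lengths
    blob += struct.pack("<I", len(native)) + native   # NativeDataSize, NativeData
    return blob.hex()


# Constructed sample: one object declaring the htmlfile class with \objupdate,
# so the host application activates it on open without a click.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass htmlfile}{\*\objdata "
    + _ole1_embedded("htmlfile", b"<html>constructed</html>") + "}}}"
)

# Constructed sample: an ordinary embedded Word object with no auto-update flag.
BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}{\*\objdata "
    + _ole1_embedded("Word.Document.8", COMPOUND_FILE_MAGIC + b"\x00" * 8) + "}}}"
)


def _balanced_group(text: str, start: int) -> str:
    """Return the {...} group that begins at text[start] (which must be '{')."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced RTF group")


def _parse_ole1_header(blob: bytes):
    """Read FormatID and the class name from an OLE 1.0 ObjectHeader."""
    if len(blob) < 12:
        return None, None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    return format_id, name


def extract_ole_objects(rtf: str) -> list:
    """Return one dict per embedded OLE object found in the RTF text."""
    objects = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = _balanced_group(rtf, m.start())
        class_m = re.search(r"\\\*\\objclass\s+([^{}\\]+)", group)
        data_m = re.search(r"\\\*\\objdata\s+([0-9A-Fa-f\s]+)", group)
        blob = bytes.fromhex(re.sub(r"\s+", "", data_m.group(1))) if data_m else b""
        format_id, header_class = _parse_ole1_header(blob)
        objects.append({
            "auto_update": "\\objupdate" in group,
            "declared_class": class_m.group(1).strip() if class_m else None,
            "header_class": header_class,
            "format_id": format_id,
            "contains_cfb": COMPOUND_FILE_MAGIC in blob,
            "data_len": len(blob),
        })
    return objects


def suspicious_objects(rtf: str) -> list:
    """Flag objects that activate without interaction, disagree about their
    class, or render through the IE engine. Returns (object, reasons) pairs."""
    flagged = []
    for obj in extract_ole_objects(rtf):
        reasons = []
        if obj["auto_update"]:
            reasons.append("objupdate: object activates on open without user interaction")
        declared, actual = obj["declared_class"], obj["header_class"]
        if declared and actual and declared.lower() != actual.lower():
            reasons.append("class mismatch: declared %s, embedded %s" % (declared, actual))
        if actual and "htmlfile" in actual.lower():
            reasons.append("htmlfile object: content is rendered by mshtml.dll (IE engine)")
        if reasons:
            flagged.append((obj, reasons))
    return flagged


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        for obj, reasons in suspicious_objects(doc):
            print(label, obj["header_class"], reasons)
```

Running the block prints the flagged object from the first sample and nothing for the second; in practice you would feed `suspicious_objects` the raw text of an attachment read from disk or a mail gateway. The `contains_cfb` field is there so the same pass can route objects that embed a full compound file on to a deeper parser.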
The abuse of OLE to successfully load an IE exploit in Word is a new technique that researchers fear may see heavy adoption, especially since it works regardless of whether IE is set as the default browser.
While Microsoft has been gradually clamping down on macro abuse, controls for limiting OLE execution have remained comparatively limited, despite the fact that they provide attackers with equally dangerous opportunities for retrieving and deploying malware. Taking OLE out of the equation also doesn't remove the danger of CVE-2018-8174 being exploited via visits to malicious or compromised websites.
It's also not as if every organization is in a rush to apply Microsoft patches, especially not after the confusion and disruption caused by Meltdown and Spectre and the bungled fixes that have followed. In fact, 72% of organizations we surveyed in February said that, following Meltdown and Spectre, they are likely to roll out patches more slowly in the future.
As Kaspersky researchers put it, "We expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns."
UPDATE 5/25/18: Concerns this exploit could see broader deployment are already beginning to be confirmed. Researchers have spotted Double Kill being incorporated into the RIG exploit kit. UPDATE 5/29/18: It has also been incorporated into the ThreadKit exploit builder, meaning criminals with little-to-no technical expertise can now create and deploy Word documents that exploit it.
For those who can't patch right away, Barkly blocks attempts to exploit this vulnerability by providing protection against stack pivots and other unauthorized stack manipulation. It's another powerful example of Barkly's approach to blocking not just malware, but the underlying techniques that attackers rely on to compromise and exploit systems in the first place.
CVE-2018-8120 is a type of escalation of privilege vulnerability caused by a NULL pointer dereference. By manipulating a process into mapping the NULL page, attackers can force a kernel NULL dereference and successfully execute code in kernel mode, effectively gaining control over the system with the ability to install programs; view, change, or delete data; or create new accounts with full user rights.
A technical write-up of this particular vulnerability can be found here.
While Microsoft confirmed that attackers were also actively exploiting CVE-2018-8120 in the wild, no information was given regarding how widespread the attacks are or how they are being delivered. It was simply confirmed that, in order to exploit the vulnerability, attackers first need to find a way to gain access to a target system.
As is the case with Double Kill, now that working PoC exploit code is available on GitHub, it's reasonable to expect it's only a matter of time before more attacks take advantage of this vulnerability.
Barkly provides broad protection against escalation of privilege exploits like this by blocking a wide variety of underlying attack techniques. In this case specifically, Barkly blocks attempts to exploit NULL pointer dereference vulnerabilities as well as the tactic of token stealing.
As a result, Barkly protects otherwise vulnerable machines from attempts to exploit CVE-2018-8120.
These two zero-day exploits are powerful reminders of how attackers are constantly seeking out new vulnerabilities and incorporating new tactics for exploiting them.
When new vulnerabilities are disclosed, patching is ultimately the most effective long-term solution. But rather than waiting for patches to be developed or racing to apply them at all costs, Barkly customers can approach situations like this more carefully, taking the time to test and deploy updates in stages, knowing they're protected from these exploits and from entire categories of other exploit techniques like them.
Find out what other threats Barkly can protect you from, and see how it can make managing endpoint security a whole lot easier. Learn more.