Barkly vs Malware
Jonathan Crowe
May 2018

Double Kill Exploit May Be Heading for Widespread Abuse


Microsoft's May 2018 Patch Tuesday addressed two zero-day vulnerabilities being actively weaponized in the wild — Barkly blocks attempts to exploit them both.

Among the 67 vulnerabilities that Microsoft released patches for this month, two garner special attention for being leveraged in active attack campaigns. Now, with more details available and working PoC exploit code released, it's unfortunately clear that both have the potential for widespread abuse. 

Here's what you need to know.

UPDATE 5/25/18: Just three days after PoC exploit code for Double Kill (CVE-2018-8174) was shared, researchers have already spotted it being incorporated into the RIG exploit kit. Organizations should be prepared for exposure to this exploit to seriously ramp up. 

UPDATE 5/29/18: CVE-2018-8174 has now been incorporated into ThreadKit, an exploit builder kit that allows criminals with little-to-no technical expertise to create weaponized Microsoft Office documents. It appears that criminals can purchase the CVE-2018-8174 exploit option for $400. 

CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability

Quick facts

  • What it is: A vulnerability in the way the VBScript engine handles objects in memory. Exploiting the vulnerability can allow attackers to execute code with the same privileges as the current user. 
  • Severity: Critical. This is considered the highest priority issue addressed in Microsoft's May updates.
  • Systems it affects: All currently supported versions of Windows. 
  • Fix: Microsoft patched this vulnerability as part of its May 2018 updates (details here). For systems that can't be patched right away, Barkly blocks attempts to exploit this vulnerability.  

Details

CVE-2018-8174, also known as "Double Kill", was discovered in late April by researchers at Kaspersky and the Chinese security firm Qihoo360 Core. Both groups independently spotted the vulnerability being exploited in the wild in similar attacks, and notified Microsoft accordingly.  

Double Kill is an example of a use-after-free vulnerability, a type of memory corruption issue that results from situations where a pointer references an object that's been prematurely or already freed. Attackers can take advantage of these situations to reallocate memory and take early steps towards gaining arbitrary read/write access, hijacking execution flows, and eventually achieving code execution. 

In the case of Double Kill, the use-after-free vulnerability is in the VBScript engine (as Kaspersky researchers note in their technical write-up, the specific issue is incorrect object lifetime handling in VBScript's Class_Terminate method). 

Attacks can be instigated via malicious websites or Microsoft Office documents

The attacks seen in the wild were instigated via spear phishing emails with malicious RTF document attachments. The documents contained an OLE object that, once activated, downloads and renders an HTML page directly through mshtml.dll, a library that contains the engine behind Internet Explorer. As the Kaspersky write-up points out, this technique allows attackers to successfully load and render a web page from a Word document using the IE engine — even if IE isn't the default browser on the victim's machine.

The web page contains VBScript that automatically triggers and leverages the exploit to download a payload to the victim's machine. In the case of the attacks the Qihoo360 Core team analyzed, that payload included three backdoors, all heavily obfuscated and deployed via a variety of evasive techniques (UAC bypass, reflective DLL loading, fileless execution, and steganography). 

As Microsoft clarifies, while the attacks seen in the wild utilized RTF documents, attackers could just as easily trick a victim into visiting a website with the VBScript embedded, opening the door for drive-by-downloads and malvertising. 
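The delivery chain above starts with an RTF attachment carrying an embedded OLE object. The following triage script is an added example, not code from the post or from Barkly: it walks the `\object` groups in an RTF file, reads the declared `\objclass`, decodes the `\objdata` hex and cross-checks the OLE 1.0 ObjectHeader inside it, and flags object classes on a watchlist. The sample RTF, the `htmlfile` class name and the watchlist are constructed assumptions for illustration.

```python
import re
import struct

# Constructed sample (not from the post): one embedded OLE object whose declared
# class is "htmlfile"; the hex is a hand-built OLE 1.0 ObjectHeader for that class.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objw1000\objh1000"
    r"{\*\objclass htmlfile}"
    r"{\*\objdata 01050000 02000000 09000000" "\n"
    r"68746d6c66696c6500}}\par Benign text.}"
)

OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^}]+)\}")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")
# Hypothetical watchlist: OLE classes that can render web content inside Office.
WATCHLIST = {"htmlfile"}


def parse_ole_header(blob):
    """Return (kind, class_name) from an OLE 1.0 ObjectHeader, or None if absent."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)  # little-endian
    if version != 0x501 or fmt not in (1, 2) or len(blob) < 12 + name_len:
        return None
    name = blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")
    return ("linked" if fmt == 1 else "embedded", name)


def scan_rtf(text):
    """List every \\object group with its declared and header class names."""
    findings = []
    starts = [m.start() for m in re.finditer(r"\\object\b", text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        m_class, m_data = OBJCLASS_RE.search(chunk), OBJDATA_RE.search(chunk)
        declared = m_class.group(1).strip() if m_class else None
        header, size = None, 0
        if m_data:
            blob = bytes.fromhex(re.sub(r"\s", "", m_data.group(1)))  # hex may span lines
            size, header = len(blob), parse_ole_header(blob)
        header_class = header[1] if header else None
        flagged = {(declared or "").lower(), (header_class or "").lower()} & WATCHLIST
        findings.append({"declared_class": declared, "header_class": header_class,
                         "kind": header[0] if header else None,
                         "data_bytes": size, "suspicious": bool(flagged)})
    return findings
```

A mismatch between the declared class and the class inside the header, or a watchlisted class, is a reason to detonate the document in a sandbox rather than open it.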

What makes this exploit technique so uniquely dangerous — and why it's likely to see wider adoption

The abuse of OLE to successfully load an IE exploit in Word is a new technique that researchers fear may see heavy adoption, especially since it works regardless of whether IE is set as the default browser. 

While Microsoft has been gradually clamping down on macro abuse, controls for limiting OLE execution have remained comparatively limited, despite the fact that they provide attackers with equally dangerous opportunities for retrieving and deploying malware. Taking OLE out of the equation also doesn't remove the danger of CVE-2018-8174 being exploited via visits to malicious or compromised websites.

Despite being patched, attackers likely won't waste any time putting this exploit to use. For one thing, working PoC exploit code has already been released on GitHub.

For another, it's not as if every organization is in a rush to apply Microsoft patches. Especially not after the confusion and disruption caused by Meltdown and Spectre and the bungled fixes that have followed. In fact, 72% of organizations we surveyed in February said that, following Meltdown and Spectre, they are likely to roll out patches more slowly in the future.

As Kaspersky researchers put it, "We expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns."

UPDATE 5/25/18: Concerns that this exploit could see broader deployment are already being confirmed. Researchers have spotted Double Kill being incorporated into the RIG exploit kit.

UPDATE 5/29/18: CVE-2018-8174 has also been incorporated into the ThreadKit exploit builder, meaning criminals with little-to-no technical expertise can now create and deploy Word documents that exploit it. 

Barkly blocks attempts to exploit CVE-2018-8174 (aka Double Kill)

For those who can't patch right away, Barkly blocks attempts to exploit this vulnerability by providing protection against stack pivots and other unauthorized stack manipulation. It's another powerful example of Barkly's approach to blocking not just malware, but the underlying techniques that attackers rely on to compromise and exploit systems in the first place.

CVE-2018-8120: Win32k Elevation of Privilege Vulnerability

Quick facts

  • What it is: A vulnerability in the way the Win32k component handles objects in memory. Exploiting the vulnerability can allow attackers to achieve privilege escalation. 
  • Severity: Important
  • Systems it affects: Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems 
  • Fix: Microsoft patched this vulnerability as part of its May 2018 updates (details here). For systems that can't be patched right away, Barkly blocks attempts to exploit this vulnerability, as well.

Details

CVE-2018-8120 is a type of escalation of privilege vulnerability caused by a NULL pointer dereference. By manipulating a process into mapping the NULL page, attackers can force a kernel NULL dereference and successfully execute code in kernel mode, effectively gaining control over the system with the ability to install programs; view, change, or delete data; or create new accounts with full user rights.

A technical write-up of this particular vulnerability can be found here.

Exploited in the wild, but no specific details regarding attacks

While Microsoft confirmed that attackers were also actively exploiting CVE-2018-8120 in the wild, no information was given regarding how widespread the attacks are or how they are being delivered. It was simply confirmed that, in order to exploit the vulnerability, attackers first need to find a way to gain access to a target system. 

As is the case with Double Kill, now that working PoC exploit code is available on GitHub, it's reasonable to expect it's only a matter of time before more attacks take advantage of this vulnerability.  

Barkly blocks attempts to exploit CVE-2018-8120

Barkly provides broad protection against escalation of privilege exploits like this by blocking a wide variety of underlying attack techniques. In this case specifically, Barkly blocks attempts to exploit NULL pointer dereference vulnerabilities as well as the tactic of token stealing.

As a result, Barkly protects otherwise vulnerable machines from attempts to exploit CVE-2018-8120.  

Protection even when patching isn't immediately possible

These two zero-day exploits are powerful reminders of how attackers are constantly seeking out new vulnerabilities and incorporating new tactics for exploiting them. 

When new vulnerabilities are disclosed, patching is ultimately the most effective long-term solution. But rather than waiting for patches to be developed or racing to apply them at all costs, Barkly customers can approach situations like this more carefully, taking the time to test and deploy updates in stages, knowing they're protected from these exploits and from entire categories of other exploit techniques like them.

Find out what other threats Barkly can protect you from, and see how it can make managing endpoint security a whole lot easier. Learn more.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
