‘Attackers used now-patched Windows vulnerability in attacks in the Middle East’


According to security firm Kaspersky Lab, an APT group used a now-fixed Windows vulnerability in targeted attacks in the Middle East. Microsoft patched the vulnerability, along with 48 others, in its most recent Patch Tuesday release.

In its analysis of the vulnerability, tracked as CVE-2018-8453, Kaspersky writes that it was used by a group the firm refers to as FruityArmor. According to Kaspersky, this is the second time the group has deployed a zero-day vulnerability. So far it appears to have been an “extremely targeted campaign” with a small number of victims in the Middle East. The security firm attributes the attacks to the group on the basis of a previously seen backdoor, which it says is used exclusively by FruityArmor, and on overlap between the current and earlier command-and-control infrastructure.

Microsoft fixed the vulnerability in its monthly patch round, also known as Patch Tuesday. The company writes that the vulnerability was being actively exploited and credits Kaspersky with discovering it. The flaw is in the win32k.sys driver and, according to Microsoft, allows an attacker who already has code running on a vulnerable Windows system to escalate to higher privileges; it is an elevation-of-privilege bug, not a remote code execution bug. Windows 10 is among the affected versions. According to Kaspersky, the malware used the vulnerability to obtain the privileges it needed and to persist on an infected system.
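Since the fix ships as a regular Windows update, the practical question for an administrator is whether the October 2018 update is actually installed on a given machine. The following PowerShell script is an added example, not from the article or from Kaspersky or Microsoft: it reports the Windows build and the file version of win32k.sys (the driver the article names), then checks the installed hotfix list against KB identifiers supplied by the caller. No KB numbers are hardcoded because the article does not list them; take them from Microsoft's advisory for CVE-2018-8453 for the Windows version in question. The script name `Check-Win32kPatch.ps1` and the `-ExpectedKBs` parameter are this example's own choices.

```powershell
# Check-Win32kPatch.ps1 (added example; not code from the article)
# Reports OS build and win32k.sys version, then verifies that the update
# KBs passed on the command line are present in the installed hotfix list.
# Usage: .\Check-Win32kPatch.ps1 -ExpectedKBs KB<number>[,KB<number>...]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ExpectedKBs   # KB IDs from the Microsoft advisory (not hardcoded here)
)

# Basic platform information, so the result can be matched to the right advisory row.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption), build $($os.BuildNumber)"

# Version of the driver the vulnerability lives in. The patched version for each
# Windows release is listed in the update's file information, not in this script.
$driverPath = Join-Path $env:SystemRoot 'System32\win32k.sys'
$driver = Get-Item -Path $driverPath
Write-Host "win32k.sys file version: $($driver.VersionInfo.FileVersion)"

# Get-HotFix reads Win32_QuickFixEngineering, which lists installed updates by KB ID.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Normalise caller input (accept "4462919" as well as "KB4462919") before comparing.
$wanted = $ExpectedKBs | ForEach-Object {
    if ($_ -match '^KB') { $_.ToUpper() } else { "KB$_" }
}

$missing = $wanted | Where-Object { $installed -notcontains $_ }

if ($missing) {
    Write-Warning "Not installed: $($missing -join ', ')"
    exit 1
}

Write-Host "All expected updates present: $($wanted -join ', ')"
exit 0
```

Two caveats a practitioner should keep in mind: on Windows 10 a later cumulative update supersedes the October one and will carry a different KB number, so a missing KB is only a problem if no newer cumulative update is present either; and the exit code is deliberate, so the script can be run through a configuration-management or inventory tool that treats non-zero as a failed compliance check.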

In this month's patch round Microsoft fixed a total of 49 vulnerabilities, 12 of which are rated critical. Trend Micro's Zero Day Initiative has published an overview of the release, in which it lists three vulnerabilities that were publicly known before a patch became available: CVE-2018-8423, CVE-2018-8497 and CVE-2018-8431.
