Chinese cyber attack sparks alert over six-year-old MS vuln
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has recently added a Microsoft vulnerability from 2018 to its Known Exploited Vulnerabilities (KEV) catalogue. This decision was made after evidence surfaced indicating that the China-backed APT41 advanced persistent threat group is using this vulnerability in their attack chain.
The vulnerability, known as CVE-2018-0824, was initially addressed by Microsoft in the May 2018 Patch Tuesday update. It is a remote code execution (RCE) flaw in Microsoft COM for Windows, resulting from a failure to properly handle serialized objects.
To successfully exploit this vulnerability, an attacker must persuade an at-risk end-user to open and run a specially-crafted file or script. This could be achieved through methods such as phishing attacks or luring them to a compromised website.
While Microsoft stated in 2018 that the vulnerability was not publicly disclosed or known to be exploited, recent findings by Cisco’s Talos threat research unit revealed that APT41 utilized CVE-2018-0824 in a malicious campaign targeting a government-affiliated research institute in Taiwan.
As part of this attack, APT41 utilized tools such as ShadowPad malware, Cobalt Strike, and a custom loader to inject a PoC malware called UnmarshalPwn into memory. This allowed them to elevate their privileges within the victim’s systems.
The Talos team believes that APT41 may have used similar attack chains in other campaigns as well. They hope that by sharing this information, the cybersecurity community can collaborate to investigate further.
CISA’s KEV catalogue is primarily aimed at ensuring prompt and effective patching within US federal government agencies. Each entry carries a remediation deadline by which agencies are expected to have applied the fix; for CVE-2018-0824 that deadline is 26 August 2024.
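A defender checking an asset inventory against the KEV catalogue can script the deadline triage described above. The following is an added example, not code from the article or from CISA; it assumes the field names of CISA's public KEV JSON feed (cveID, dueDate, dateAdded, requiredAction) and uses a constructed sample record in which only the CVE identifier and due date come from the article, with the other values as labelled placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. The cveID and
# dueDate are the values reported in the article; the remaining fields are
# placeholders for this example, not the catalogue's real text.
SAMPLE_KEV_JSON = """
{
  "title": "placeholder title",
  "vulnerabilities": [
    {
      "cveID": "CVE-2018-0824",
      "vendorProject": "Microsoft",
      "product": "COM for Windows",
      "dateAdded": "PLACEHOLDER-DATE",
      "requiredAction": "placeholder required action",
      "dueDate": "2024-08-26"
    }
  ]
}
"""


def load_kev(feed_text):
    """Parse a KEV feed and index its entries by CVE identifier."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(inventory_cves, kev, today):
    """For each inventory CVE present in KEV, report its deadline status.

    Returns a list of (cve, status, days_until_due) tuples; a negative day
    count means the remediation deadline has already passed. CVEs that are
    not in the catalogue are skipped, since KEV only lists exploited flaws.
    """
    findings = []
    for cve in inventory_cves:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        status = "overdue" if days_left < 0 else "due"
        findings.append((cve, status, days_left))
    # Most overdue first so the patching queue is ordered by urgency.
    return sorted(findings, key=lambda item: item[2])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # Constructed inventory: one KEV-listed CVE and one that is not listed.
    for finding in triage(["CVE-2018-0824", "CVE-2099-0001"], kev, date(2024, 8, 20)):
        print(finding)
```
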
It is essential for all organizations to be aware of this exploited vulnerability and address it promptly. For more information on the attack chain and analysis of the tools used in the Taiwanese victim’s case, refer to Cisco Talos.