Malware

CVE-2017-0022 Windows Zero-Day flaw used by AdGholas hackers and it was included in Neutrino EK

The recently patched CVE-2017-0022 Windows Zero-Day vulnerability has been exploited by threat actors behind the AdGholas malvertising campaign and Neutrino EK since July 2016.

Microsoft has fixed several security flaws with the March 2017 Patch Tuesday updates. According to security experts at Trend Micro, the list of fixed vulnerabilities includes three flaws that had been exploited in the wild since last summer.

One of the vulnerabilities, is an XML Core Services information disclosure vulnerability, tracked as CVE-2017-0022, that can be exploited by attackers by tricking victims into clicking on a specially crafted link.

“An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.”

The flaw was discovered by a joint investigation conducted by security researchers at Trend Micro and ProofPoint, it was reported to Microsoft in September 2016.

Who did exploit the CVE-2017-0022 flaw?

According to the security researchers at Trend Micro, the zero-day vulnerability has been exploited in the AdGholas malvertising campaign since July 2016. The exploit code of the flaw was added to the Neutrino exploit kit in September 2016.

The threat actor behind the AdGholas malvertising campaign was notable for its use of steganography and careful targeting of the massive volume of malicious ads and impressions and its ability to avoid detection of researchers.

Initially the attackers leveraged the CVE-2016-3298 and CVE-2016-3351 flaws to avoid detection, now the experts at TrendMicro speculate they used the CVE-2017-0022 flaw for the same purpose.

“This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same campaign, which were addressed by previous patches.” reads the analysis published by TrendMicro.

“An attacker exploiting CVE-2017-0022 could use phishing attacks to lure potential targets to malicious websites. Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system.” explained the experts from TrendMicro. “In particular, the attacker would be able to detect if the system is using specific security solutions—especially ones that analyze malware.”

Trend Micro has published a detailed analysis of the CVE-2017-0022 flaw and of the attack chain that exploits it in a malvertising campaign leveraging the Neutrino exploit kit.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-0022, AdGholas malvertising campaign)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

39 mins ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

21 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.