Malware

Microsoft revealed that 2 Zero-Days found in March were part of a cyber weapon in an early development stage

Microsoft published technical details of 2 zero-days that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

Security researchers from Microsoft have published technical details of two zero-day vulnerabilities that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

The two issues were addressed by Microsoft with May 2018 Patch Tuesday before threat actors used it in attacks in the wild.

The first zero-day vulnerability is a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990), the second one is a privilege escalation flaw in Microsoft Windows (CVE-2018-8120).

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.” reads the analysis published by Microsoft.

Microsoft shared the technical details of both the flaw only now because it gave users enough time to update their operating systems and Adobe software.

In late March, experts at ESET analyzed a malicious PDF file that was uploaded on VirusTotal and provided it to the Microsoft security team.

The experts flagged the document “as a potential exploit for an unknown Windows kernel vulnerability.”

The analysis conducted by the Microsoft team revealed that the document includes two different zero-day exploits, one for Adobe Acrobat and Reader and one for Microsoft Windows.

According to Microsoft, the weaponized PDF file was in the early development stage, the code used by attackers appeared a PoC code and the weaponized file did not deliver a malicious payload.

“Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.” reads the analysis published by Microsoft.

Someone combined the two zero-days to build a very powerful attack vector.

The Adobe Acrobat and Reader exploit is included in the document as a specially crafted JPEG 2000 image that contains the JavaScript exploit code used to trigger a double-free vulnerability in the software to run shellcode.

The attackers were trying to chain this exploit with the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Once the attacker has exploited the Adobe Reader vulnerability, he will leverage the Window zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privilege of the PE file to run, which is run in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

The PoC payload used in the sample dropped an empty vbs file in the Startup folder.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.concluded ESET.

“Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Both Microsoft and ESET published technical details of the two zero-days, both firms also shared the IoCs for the exploits.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – zero-days, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Critical flaw in Cisco ISE impacts cloud deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure

Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated…

10 hours ago

Law enforcement seized the carding marketplace BidenCash

U.S. and Dutch authorities took down 145 domains tied to the BidenCash cybercrime marketplace in…

12 hours ago

Ukraine’s military intelligence agency stole 4.4GB of highly classified internal data from Tupolev

Ukraine’s GUR hacked the Russian aerospace and defense company Tupolev, stealing 4.4GB of highly classified…

22 hours ago

HPE fixed multiple flaws in its StoreOnce software

Hewlett Packard Enterprise (HPE) addressed multiple flaws in its StoreOnce data backup and deduplication solution.…

1 day ago

Roundcube Webmail under fire: critical exploit found after a decade

A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over…

1 day ago

U.S. CISA adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Multiple Qualcomm chipsets flaws to its Known…

1 day ago