A zero-day vulnerability in certain editions of Windows operating system helped at least one advanced threat group increase their privileges on compromised machines until Microsoft patched it with this month's release of security updates.
The zero-day bug affects both 32- and 64-bit Windows 7 and Server 2008 systems; it stems from improper handling of calls to Win32k.sys. Properly exploited, the glitch allows an attacker to install programs, view or alter data, or create new user accounts by running arbitrary code in the context of the local system.
Researchers at Kaspersky discovered this privilege escalation vulnerability, now tracked as CVE-2018-8589, following an alert from the Automatic Exploit Prevention (AEP) component. They reported the glitch to Microsoft on October 17.
"While the delivery method is still unknown, the exploit was executed by the first stage of a malware installer, in order to gain the necessary privileges for persistence on the victim’s system," reads a technical blog post from the company.
The zero-day exploit discovered by Kaspersky AEP targeted only 32-bit variant of Windows 7. The analysts have not determined its developer(s), but they believe it may have been used by more than one adversary in few attacks against entities in the Middle East.
"According to Kaspersky Lab experts, there is no clear insight as to which actor(s) may be behind the attacks," Kaspersky stated in a press release shared with BleepingComputer. "However, the developed exploit is being used by at least one APT actor."
Attempting to exploit the vulnerability on machines running with the latest security updates results in crashing the system.
This is the second consecutive zero-day in Win32k.sys that Microsoft patches following a report from Kaspersky. The previous bug was discovered in August and it received the identification number CVE-2018-8453.
The two vulnerabilities targeted victims in the same region and were exploited during the initial stages of the attack to allow persistence on the machine.
Kaspersky said of the code exploiting the first bug that it was of "high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4."
Although there is no reliable connection, the malware analysts noticed that CVE-2018-8453 resembled an older vulnerability used by the Sofacy APT group, also known as Sednit, Fancy Bear, APT28, and Strontium; the threat actor's "hunting ground" is the Middle East, Europe, and Asia.