Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824, to its Known Exploited Vulnerabilities catalog. This vulnerability allows remote code execution through deserialization of untrusted data, posing significant risks to affected systems.
Threat Actor: APT41
Victim: Taiwanese government-affiliated research institute
Key Points:
- CVE-2018-0824 is a deserialization vulnerability in Microsoft COM for Windows with a CVSS score of 7.5.
- APT41 exploited this vulnerability to deliver malware and achieve local privilege escalation in a recent attack on a Taiwanese research institute.
- CISA mandates federal agencies to address this vulnerability by August 26, 2024, to safeguard their networks.
- Experts recommend that private organizations also review and mitigate vulnerabilities listed in the CISA catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a deserialization of untrusted data vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824 (CVSS score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog.
A deserialization of untrusted data vulnerability arises when an application deserializes data from an untrusted source without proper validation. Deserialization is the process of converting data from a serialized format (like JSON or XML) back into an object or data structure in memory.
“A remote code execution vulnerability exists in ‘Microsoft COM for Windows’ when it fails to properly handle serialized objects,” reads the advisory published by Microsoft.
“An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.”
According to the advisory, an attacker can trigger the issue by luring the victim to a website through a link and then convincing the user to open the specially crafted file.
This week, Cisco Talos researchers reported that the China-linked group compromised a Taiwanese government-affiliated research institute. The experts attributed the attack with medium confidence to the APT41 group.
The campaign started as early as July 2023 and threat actors delivered the ShadowPad malware, Cobalt Strike, and other post-exploitation tools. Talos also discovered that APT41 created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory. The threat actors used a remote code execution vulnerability to achieve local privilege escalation.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the catalog and address the listed vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by August 26, 2024.
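The catalog review that CISA and the experts above recommend can be automated. The example below is added here and is not code from Security Affairs, CISA or Microsoft: it cross-references a constructed list of unpatched CVE IDs against a KEV feed snapshot written in the public feed's JSON layout and flags each match by its due date. The feed records are constructed; only CVE-2018-0824 and its August 26, 2024 due date come from the article.

```python
"""Triage unpatched CVEs against a CISA KEV catalog snapshot (added example)."""
import json
from datetime import date

# Constructed KEV snapshot. The layout mirrors the public feed (a top-level
# "vulnerabilities" list keyed by cveID with a dueDate), but only the
# CVE-2018-0824 entry and its due date are taken from the article; the
# second record is an obvious placeholder.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2018-0824", "vendorProject": "Microsoft",
         "product": "COM for Windows",
         "vulnerabilityName": "Deserialization of Untrusted Data Vulnerability",
         "dueDate": "2024-08-26"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",  # placeholder
         "product": "ExampleProduct", "vulnerabilityName": "Placeholder entry",
         "dueDate": "2024-01-31"},
    ],
})

# Constructed scanner output: CVE IDs still unpatched on our hosts.
UNPATCHED = {"CVE-2018-0824", "CVE-0000-0001", "CVE-0000-0002"}


def load_kev(kev_json: str) -> dict:
    """Index a KEV feed by CVE ID so inventory lookups are constant time."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(kev_json: str, unpatched_cves, today: date) -> list:
    """Return KEV entries present in the inventory, most urgent first.

    Each finding carries the days remaining until CISA's due date; a negative
    value means the BOD 22-01 deadline has already passed.
    """
    kev = load_kev(kev_json)
    findings = []
    for cve in unpatched_cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: still worth fixing, but outside this triage
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        findings.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "status": "overdue" if days_left < 0 else "open",
        })
    findings.sort(key=lambda f: f["daysLeft"])
    return findings
```

Swap `KEV_SNAPSHOT` for the text of the live feed to run it against the real catalog.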