Kaspersky Lab technology detects second consecutive zero-day exploit for Microsoft Windows in just a month

Tuesday 27 November 2018
Dubai - MENA Herald:

In October 2018, Kaspersky Lab’s Automatic Exploit Prevention technology, embedded in most of the company’s products, detected a new exploit for a zero-day vulnerability in Microsoft Windows. This was the second consecutive zero-day exploit used in a series of cyber-attacks in the Middle East in just one month. After being reported by Kaspersky Lab, the vulnerability was patched by Microsoft on 13 November.

Attacks that exploit zero-day vulnerabilities are considered among the most dangerous, as they rely on an undiscovered and unpatched weakness, which makes them hard to detect and prevent. If found by criminals, such a vulnerability can be used to create an exploit – a special malicious program that opens access to the whole system. This “hidden threat” attack scenario is widely used by sophisticated actors in APT attacks.

Kaspersky Lab’s analysis of the new exploit led the experts to a previously unknown zero-day vulnerability. While the delivery method is still unknown, the exploit was executed by the first stage of a malware installer in order to obtain the privileges needed for persistence on the victim’s system. The exploit could target only the 32-bit version of Windows 7.

According to Kaspersky Lab experts, there is no clear insight into which actor is behind the attacks, but the exploit is used by at least one APT actor. For more details please contact intelreports@kaspersky.com.

Upon discovery, Kaspersky Lab’s experts immediately reported the vulnerability to Microsoft.

Just a few weeks earlier, in early October, another exploit for a zero-day vulnerability in Microsoft Windows was spotted being delivered to victims via a PowerShell backdoor. Kaspersky Lab technology proactively identified the threat, and it was also reported to Microsoft.

“Autumn 2018 became quite a hot season when it comes to zero-day vulnerabilities. In just a month, we discovered two of their kind and detected two series of attacks in one region. Discreteness of cyberthreat actors’ activities reminds us that it is of critical importance for companies to have in their possession all necessary tools and solutions that would be intelligent enough to protect them from such sophisticated threats. Otherwise, they could become subject to complex targeted attacks that will come out of nowhere,” said Anton Ivanov, security expert at Kaspersky Lab.

To avoid zero-day exploits Kaspersky Lab recommends implementing the following technical measures:

  • If possible, avoid using software that is known to be vulnerable or recently used in cyber-attacks.
  • Make sure that the software used in your company is regularly updated to the most recent versions. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
  • Use a robust security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
  • If your company could become the target of targeted attacks, use advanced security tools like Kaspersky Anti Targeted Attack Platform (KATA).
  • Provide your security team with access to the source of the most recent cyberthreat intelligence.
