Chinese cyber attack sparks alert over six-year-old MS vuln

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft vulnerability dating back to 2018 to its Known Exploited Vulnerabilities (KEV) catalogue after evidence emerged that it is being used in an attack chain by the China-backed APT41 advanced persistent threat group.

CVE-2018-0824 was first addressed by Microsoft in the May 2018 Patch Tuesday update. It is a remote code execution (RCE) flaw in Microsoft COM for Windows resulting from a failure to properly handle serialised objects.

To successfully take advantage of it, an attacker must convince an at-risk end-user to open and run a specially crafted file or script to perform actions, which could be achieved either via a phishing attack or by luring them to a compromised website.

Back in 2018, Microsoft said the vulnerability was neither publicly disclosed nor known to be exploited, and the risk of this happening appeared to be relatively low. However, on 1 August 2024, Cisco’s Talos threat research unit disclosed evidence of a malicious campaign by APT41 that leveraged CVE-2018-0824 in the attack chain.

This campaign appears to have started in mid-2023 and was aimed at a government-affiliated research institute located in Taiwan, in which APT41 delivered the ShadowPad malware, Cobalt Strike and other custom tools for post-compromise activity.

As part of the attack, researchers also discovered that APT41 created a tailored loader to inject a proof-of-concept (PoC) malware, dubbed UnmarshalPwn, that exploits CVE-2018-0824 directly into memory. In this way they were able to effectively elevate their privileges within the victim’s systems.

The Talos team, comprising Joey Chen, Ashley Shen and Vitor Ventura, said that APT41 may have already used the same attack chain against others.

“With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns,” they said.

“Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.”

CISA’s KEV catalogue is a resource primarily designed to enforce prompt and effective patching across agencies of the US federal government, which are legally bound to implement its guidance within a specific timeframe – in this instance by 26 August 2024, three weeks from now.

However, the addition of an exploited vulnerability to the list is a signal that all organisations should be aware of and address in short order. More information on the attack chain and analysis of the tools used against the Taiwanese victim are available from Cisco Talos.