A vulnerability in Windows COM, first discovered in 2018, has become the target of attacks once again. A Chinese hacker group, likely affiliated with the Ministry of State Security of the People’s Republic of China, has exploited this vulnerability in an attack on a research center in Taiwan. Microsoft offers a non-obvious solution to this problem.
Chinese Cybercriminals Are Exploiting A Vulnerability In Windows 10
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the CVE-2018-0824 vulnerability in its catalog of exploited vulnerabilities. This was prompted by a Cisco Talos report indicating that the Chinese group APT41 may have actively used this flaw in their attacks. In short, the vulnerability allows for privilege escalation and remote code execution, putting hundreds of millions of Windows 10 users at risk. Attackers, such as the Chinese group APT41, use this vulnerability to achieve local privilege escalation and remote code execution. They create custom loaders that inject code for CVE-2018-0824 exploitation directly into memory. This allows them to take control of the system.
The remote code execution vulnerability CVE-2018-0824 has a CVSS score of 7.5 and exists in “Microsoft COM for Windows” when it fails to properly handle serialized objects, known as the “Microsoft COM for Windows Remote Code Execution Vulnerability.” This vulnerability affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Server. An attacker exploiting this vulnerability could use a specially crafted file or script to perform actions. In an email attack, the attacker could send the file to the user and convince them to open it. In a web-based attack, the attacker could host a website containing the file and persuade the user to open it by clicking a link.
CVE-2018-0824 and Threat Actors
The primary threat actor known to exploit this vulnerability is APT41, a cyber group that, according to the U.S. government, consists of Chinese nationals. In August 2023, experts detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts within a Taiwanese government-affiliated research institute’s environment. This attack, conducted by APT41, involved the use of a unique Cobalt Strike loader written in GoLang to evade detection. The attackers behind the operation were proficient in simplified Chinese, indicating their likely origin.
Although it might seem that APT41 poses a minimal risk to the average user, that’s not entirely accurate. Another threat actor, targeting all Windows users, is highlighted in other reports. SnakeKeylogger aka KrakenKeylogger is a new malicious software aimed at Windows users, and not mandatory ones from within a corporate network. This malware logs keystrokes, steals credentials, and takes screenshots to gather sensitive information, which is then sent to fraudsters. This malware typically spreads through phishing campaigns, where malicious code is hidden in email attachments.
Avaliable Solutions
Although a patch for CVE-2018-0824 has been available for a long time, attackers continue to exploit it. On the other hand, SnakeKeylogger remains a significant threat to users. So, here are several solutions to address these issues:
Upgrade to Windows 11. One radical solution for Windows 10 users is to upgrade to Windows 11. However, there is a significant problem: many users are reluctant to switch to Windows 11. The primary reason is that Windows 11 has higher system requirements, and not all users can upgrade their hardware to support the new system. Many users remain on Windows 10 despite security warnings due to resource limitations and the unwillingness to spend money on new equipment.
Use Advanced System Protection. There is also a workaround solution — blocking attacks with the advanced system protection. GridinSoft Anti-Malware is the one you can rely on in this question. This program will prevent any malware from getting into the system, even before they can do any harm. While using an outdated version of Windows is not the best solution, employing an advanced anti-malware program can significantly reduce risks.