The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added a Microsoft vulnerability from 2018 to its Known Exploited Vulnerabilities (KEV) catalogue. This decision was made after evidence showed that the China-backed APT41 group is using this vulnerability in their attack chain.
The vulnerability, known as CVE-2018-0824, was initially addressed by Microsoft in a Patch Tuesday update in May 2018. It is a flaw in Microsoft COM for Windows that allows for remote code execution due to a mishandling of serialized objects. To exploit this vulnerability, an attacker needs to persuade a vulnerable end-user to open a specifically crafted file or script, which can be achieved through phishing attacks or compromised websites.
Although Microsoft stated back in 2018 that the vulnerability was not publicly disclosed or known to be exploited, Cisco Talos revealed evidence on August 1, 2024, showing that APT41 used CVE-2018-0824 in a malicious campaign targeting a research institute in Taiwan. This campaign, which began in mid-2023, involved the deployment of ShadowPad malware, Cobalt Strike, and custom tools for post-compromise activities.
In their investigation, the Talos team found that APT41 developed a custom loader to inject a malware called UnmarshalPwn, exploiting CVE-2018-0824 directly into memory and escalating privileges within the victim’s systems. The team suspects that APT41 may have used similar attack chains in other campaigns as well.
CISA’s KEV catalogue is primarily used to ensure timely patching within US federal agencies, with a deadline of August 26, 2024, for addressing this particular vulnerability. This inclusion in the catalogue serves as a warning to all organizations to take action promptly. For more information on the attack chain and tools used by APT41, refer to Cisco Talos’s analysis.