Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:21 PM
Connect Directly

Windows 'Double Kill' Attack Code Found in RIG Exploit Kit

Microsoft issued a fix for the remote code execution zero-day vulnerability in May, but research shows businesses have slowed their patching processes post-Meltdown.

Researchers are warning businesses to be prepared for potential widespread attacks using the Double Kill exploit code that was posted online three days ago and has now been discovered incorporated into the RIG Exploit Kit and ThreadKit crimeware packages.

Double Kill is the moniker given by researchers to the recently patched CVE-2018-8174, a critical flaw affecting all versions of Windows. It's the more severe of two flaws that were under active attack when Microsoft issued fixes on Patch Tuesday earlier this month. Double Kill is a Windows VBScript Engine Remote Code Execution Vulnerability, independently discovered both by researchers at Kaspersky Lab and Chinese security firm Qihoo360 Core and reported to Microsoft.

The vulnerability exists in the way the VBScript engine handles objects in memory. If successfully exploited, it could enable attackers to execute code with the same privileges as the current user and reallocate memory, take steps toward gaining arbitrary read/write access, hijack execution flows, and potentially achieve code execution.

Active attacks abusing CVE-2018-8174 started as spear-phishing emails with malicious RTF documents attached. The docs contained an OLE object which, when activated, downloaded and rendered an HTML page through a library that contains the engine behind Internet Explorer. VBScript on the page leverages the exploit to download a payload to the machine.

While attacks in the wild used RTF documents, Microsoft explains that attackers could also dupe a victim into visiting a website designed to exploit the flaw through Internet Explorer, or embed an ActiveX control marked "safe for initialization" in an app or Office document that hosts the IE rendering engine.

Abusing OLE to load an IE exploit in Word in a new technique, explain researchers at Barkly. They fear attacks abusing this flaw are poised to increase, especially because it works whether or not the target machine runs IE as the default browser.

CVE-2018-8174 isn't the only Windows vulnerability being used in the wild. Microsoft also confirmed attackers were also actively exploiting CVE-2018-8120, a privilege escalation vulnerability that could allow attackers to gain control over a system, view or edit data, or create new accounts with full user rights.

Microsoft did not provide more info on how widely spread CVE-2018-8120 attacks have been in the wild. The working PoC exploit code is also available on GitHub; Barkly experts say "it's only a matter of time before more attacks take advantage of this vulnerability."

RIG, ThreadKit, and Potential for Abuse

On May 24, 2018, shortly after the PoC exploit code for CVE-2018-8174 was posted online, an attacker going by the name "TakeThat" was seen taking responsibility for implementing the flaw into the RIG Exploit Kit (RIG EK). TakeThat claimed the infection rate had increased.

RIG EK is among the most popular exploit kits to distribute malicious payloads. It's packed with a variety of threats, from ransomware and credential theft to Java and Flash exploits, explains Barkly CTO Jack Danahy. Cybercriminals taking advantage of the crypto craze have also recently leveraged RIG EK to distribute coin miner malware and collect digital currencies like Monero and Electroneum.

"The big value from the exploit kit is when people land on the system, it's likely there will be one exploit among many that will be useful to corrupt and infect the machine," he explains.

With the Double Kill exploit code being built into RIG EK, Danahy says it's more likely organizations that haven't patched CVE-2018-8174 will be vulnerable to exploits and whatever payloads attackers decide to deliver.

Its code has also been seen in ThreadKit, an exploit builder that can be used to create weaponized Office docs. It's accessible to cybercriminals with little technical expertise and the Double Kill exploit option can be purchased for $400 online. An exploit kit lures victims to a malicious site and infects them through the browser; this one lets attackers create weaponized documents that can be distributed however they want.

"It's a different kind of vector through which you can exercise the same functionality," says Danahy.

Patching Problems

Given the nature of this vulnerability, companies will want to ensure they have advanced protection. However, Barkly research discovered many have slowed down their patching processes after patches following Meltdown and Spectre caused problems earlier this year.

Research shows 80% of companies polled found the Meltdown and Spectre patching process to be unclear and 88% showed frustration with the process. Now, businesses are just as concerned about faulty updates as they are about Spectre. Two-thirds of respondents were worried about the lack of stable firmware updates leaving their company vulnerable to Spectre. However, they were just as concerned future patched would harm performance or stability.

Most IT pros (56%) said they had purposefully held back on applying updates and, in the future, will only do so after testing for compatibility and performance problems. Nearly one-quarter (23%) say they may not apply patches at all for fear of performance problems, and 75% say they are more likely to roll out patches more slowly in the future.

"If people are scared of patching Microsoft systems because of Spectre and Meltdown, they should realize how serious and pressing these attacks are," says Danahy, who advises organizations to rethink the slower approach to patching.

"The speed with which organizations are updating their systems means there's readily exploited vulnerabilities," he adds. "There's likely to be a lot of systems remaining vulnerable for a while."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.