Microsoft patches a zero-day exploited actively by APT FruityArmor


Microsoft patches a zero-day bug actively exploited by APT FruityArmor. According to the company, an attacker could run arbitrary code in kernel mode and then install programs; view, change or delete data; or create new accounts with full user rights.

Microsoft has patched a zero-day bug that is actively being exploited in the wild, as confirmed in its Patch Tuesday security bulletin. The flaw could allow an attacker to run arbitrary code in kernel mode on targeted systems. From there, the attacker could “install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft wrote. According to cyber security researchers, the attacks are the work of APT FruityArmor, a state-sponsored hacking group based in the Middle East. The group, as Security Affairs reported, was first spotted by Kaspersky experts in 2016. It uses zero-day vulnerabilities to target activists, researchers, and individuals related to government organizations. The victims on that occasion were located in several countries, including Iran, Algeria, Thailand, Yemen, Saudi Arabia and Sweden. The hallmark of the APT is an attack platform, built around the Microsoft PowerShell framework, that exploits zero-day vulnerabilities.

It’s the third zero-day developed by the Middle East based group since 2016. But this time it is less powerful than the past ones

FruityArmor was first seen utilizing a zero-day vulnerability in the Windows Graphics Device Interface (aka GDI or GDI+) component in October 2016, and then a second one in Adobe Flash Player in June 2018. The latest one, just patched by Microsoft, affects the Windows Win32k component. Oddly, this third zero-day is less powerful than the first two: it is an elevation-of-privilege bug, not a remote code execution one. So the attackers have to compromise the system through other means before using their latest exploit, which then lets them elevate their privileges from guest user to administrator and run code in kernel mode. This could mean that the state-sponsored hackers are testing new tools, or that there is other malware in the wild that has not yet been discovered by cyber security experts.

The Microsoft bulletin

The Kaspersky press release on the cyber attacks in 2016

The Security Affairs news on the event