Understanding the Vulnerability
At the heart of this issue is a deserialization of untrusted data vulnerability. Deserialization converts data from a serialized format (such as JSON, XML, or a binary object stream) back into an object or data structure in memory. The vulnerability arises when an application deserializes data from an untrusted source without adequate validation, so that the serialized input, rather than the application, can influence which objects are constructed and, in the worst case, which code runs.
According to the advisory released by Microsoft, “A remote code execution vulnerability exists in Microsoft COM for Windows when it fails to properly handle serialized objects.” In practice, an attacker could exploit it with a specially crafted file or script to execute unauthorized actions. In an email-based attack, the attacker would send the malicious file to the user and persuade them to open it; in a web-based attack, a compromised website hosting user-provided content designed to exploit the vulnerability could deliver it instead.
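The defect class described above is the same whether the serializer is Windows COM marshalling or a scripting language's native object format: the serialized bytes get to name what is reconstructed. The following Python example is added here to illustrate that class and its mitigations; it is not code from the original article, from Microsoft, or from the COM implementation. It uses Python's pickle as a stand-in for a native object stream, a constructed payload whose only effect is to call the harmless os.getcwd(), and an invented "report" record format; the RestrictedUnpickler allow-list pattern follows the approach shown in the Python standard-library documentation.

```python
import io
import json
import os
import pickle


class _ConstructedPayload:
    """Constructed sample: when unpickled, it asks the loader to call os.getcwd()
    instead of rebuilding a data object. os.getcwd is harmless; the point is that
    the payload, not the application, chose which callable runs."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed "untrusted" input, e.g. bytes from a file a user was persuaded to open.
UNTRUSTED_PICKLE = pickle.dumps(_ConstructedPayload())
# Constructed benign input with the shape the application actually expects.
BENIGN_PICKLE = pickle.dumps({"id": 7, "title": "quarterly report", "tags": ["draft"]})


def naive_load(blob: bytes):
    """Vulnerable pattern: pickle resolves and calls whatever callable the bytes name."""
    return pickle.loads(blob)


def naive_load_executed_payload() -> bool:
    """True if naive_load returned the result of os.getcwd(), i.e. the payload's
    callable actually ran during deserialization."""
    return naive_load(UNTRUSTED_PICKLE) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when a native object format cannot be avoided: resolve only an
    explicit allow-list of (module, name) pairs and refuse everything else."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name} from untrusted data")


def restricted_load(blob: bytes):
    """Deserialize with the allow-listed resolver; plain containers and scalars never
    touch find_class, so expected data still loads."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_load_rejects(blob: bytes) -> bool:
    """True if the allow-listed loader refuses the blob."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Preferred pattern: a data-only format plus explicit schema validation.
# REPORT_SCHEMA is an assumed record layout for this example.
REPORT_SCHEMA = {"id": int, "title": str, "tags": list}


def load_report(text: str) -> dict:
    """Parse a JSON document and enforce the expected keys and exact value types."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(REPORT_SCHEMA):
        raise ValueError("unexpected or missing keys")
    for key, expected in REPORT_SCHEMA.items():
        # type() is deliberate: bool is a subclass of int, so isinstance(True, int) is True
        if type(obj[key]) is not expected:
            raise ValueError(f"field {key!r} must be {expected.__name__}")
    if not all(type(tag) is str for tag in obj["tags"]):
        raise ValueError("tags must be strings")
    return obj


def report_is_valid(text: str) -> bool:
    """True if the document passes load_report (JSONDecodeError is a ValueError)."""
    try:
        load_report(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("naive_load ran the payload's callable:", naive_load_executed_payload())
    print("restricted loader refuses the payload:", restricted_load_rejects(UNTRUSTED_PICKLE))
    print("restricted loader accepts expected data:", restricted_load(BENIGN_PICKLE))
    print("schema accepts valid record:", report_is_valid('{"id": 7, "title": "q", "tags": ["draft"]}'))
    print("schema rejects bool-as-int:", report_is_valid('{"id": true, "title": "q", "tags": ["draft"]}'))
```

The two mitigations address different situations: the restricted unpickler is a containment measure for code that must keep consuming a native object stream, while the JSON path shows the design the advisory's class of bug argues for, namely never letting untrusted input select types or callables at all, and validating the data that is accepted against an explicit schema.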
Exploitation Tactics
To trigger the vulnerability, an attacker could deceive the victim into clicking a link to a malicious website and then convince them to open the crafted file.
This week, researchers from Cisco Talos reported that a group linked to China compromised a Taiwanese government-affiliated research institute. Talos attributes the attack with medium confidence to the APT41 group.
The campaign, which began as early as July 2023, involved the deployment of ShadowPad malware, Cobalt Strike, and various post-exploitation tools. Notably, Talos found that APT41 built a custom loader to inject a proof-of-concept exploit for CVE-2018-0824 directly into memory, using the remote code execution vulnerability for local privilege escalation.
Mitigation and Compliance
In accordance with Binding Operational Directive (BOD) 22-01, which aims to mitigate the significant risks posed by known exploited vulnerabilities, federal agencies are mandated to address identified vulnerabilities by the specified due date to safeguard their networks. Experts also advise private organizations to review the KEV catalog and remediate any vulnerabilities present in their infrastructure.
CISA has set a deadline for federal agencies to rectify this vulnerability by August 26, 2024, emphasizing the urgency of addressing this critical security concern.