UPDATED 00:16 EDT / MAY 09 2018

Microsoft targets state-sponsored hackers in latest ‘Patch Tuesday’ release

Microsoft Corp. has focused on addressing vulnerabilities being used by suspected state-sponsored hackers as part of its monthly “Patch Tuesday” release, issuing patches for two actively targeted new attacks used to steal data.

In one case, an advanced persistent threat group, a term nearly always used to describe state-sponsored hacking groups, has been exploiting a Windows VBScript Engine remote code execution vulnerability first discovered in April.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said in a security advisory.

The second vulnerability, a privilege-escalation flaw in the Win32k component of Windows that is also being actively exploited, allows an attacker to run arbitrary code in kernel mode. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.

Exactly which APTs are targeting the vulnerabilities is not clear, although at least one of the attacks was first detected by Chinese antivirus maker Qihoo 360 Core, suggesting that the attacks may be coming from China as opposed to Russia. The link to China comes a day after ProtectWise Inc. released a report claiming that many previous hacks thought to have come from APT groups, dubbed the “Winnti Umbrella,” were coordinated by “Chinese state intelligence apparatus.”

In total, Microsoft released 67 patches this month addressing vulnerabilities in Microsoft Windows, Internet Explorer, Edge, Office, .Net Framework, Exchange Server and Host Compute Service Shim.

Aside from the two “zero-day” vulnerabilities mentioned above, Chris Goettl, director of product management, security at Ivanti Inc., told SiliconANGLE that both the operating system and Office should get priority attention this month to plug the worst of the vulnerabilities resolved.

“Exchange server has several vulnerabilities being resolved this month,” he said. “Most are Important or Low, but there is a critical threat that warrants some attention. CVE-2018-8154 is a vulnerability in Microsoft Exchange that could allow an attacker to execute arbitrary code in the context of the system user.”

Photo: Colin/Wikimedia Commons
