BaseStriker Zero-Day Exploited in the Wild

Delaware, USA ā€“ May 10, 2018 ā€“ New zero-day vulnerability in Office 365 allows adversaries to bypass Microsoft’s security, including advanced security services. Researchers from Avanan published a report in which they described BaseStriker zero-day and noted that they detected its use in phishing attacks. BaseStriker vulnerability also can be used to distribute various malware. Adversaries split a malicious link into two snippets, security scanners check each snippet separately and see nothing suspicious. User receives malicious link in the email and can click it to go to attacker’s site or to download malware. Thus, attackers can make the already known infrastructure invisible to security solutions. The researchers reported the vulnerability to Microsoft and Proofpoint, but it is not yet known when it will be fixed.

This Tuesday, Microsoft patched two zero-day vulnerabilities, including the DoubleKill vulnerability in Internet Explorer. The second vulnerability CVE-2018-8120 affects Windows Server 2008/2008 R2 and Windows 7 allowing attackers to run arbitrary code. Both vulnerabilities are actively used by adversaries, therefore it is necessary to install updates as soon as possible.

We hope that Microsoft will close the BaseStriker vulnerability in a few days, and for now, it is necessary to make sure that users enabled two-factor authentication in their Office 365 accounts. Since attackers quickly weaponize the published vulnerabilities, it would be great to strengthen security and keep an eye on any suspicious activity. Windows Security Monitor and APT Framework will help your SIEM uncover malicious events that require investigation.