Delaware, USA – May 16, 2018 – At the end of March, researchers from ESET discovered a malicious PDF document that exploited two zero-day vulnerabilities: CVE-2018-4990 in Adobe Acrobat and Reader, and CVE-2018-8120 in Windows 7 and Windows Server 2008. Chained together, these exploits lead to arbitrary code execution with high privileges on the attacked system. Because Adobe Reader runs content in an embedded sandbox, PDFs are rarely used to deliver malware, but in this case the exploit chain works around that protection and poses a critical security threat. CVE-2018-4990 on its own allows arbitrary code execution, but it is far less dangerous without a second vulnerability in the operating system to escape the sandbox: exploiting CVE-2018-8120 escalates privileges and runs the attacker's code with the highest possible privileges. The researchers do not know what final payload the adversaries planned to use, since they discovered the document at an early stage of the operation. No attempts to exploit these vulnerabilities in real attacks have been detected so far. It is possible that the release of security updates will prompt attackers to launch an attack before their targets update vulnerable systems.
Microsoft closed the vulnerability last week in its May Patch Tuesday release, and Adobe released a security update package this Monday, which also closes CVE-2018-4985, for which a PoC is publicly available. It is recommended to install these updates as soon as possible. In addition, you can use APT Framework with your SIEM to detect malicious activity, even if it bypasses other security solutions.