Microsoft patches two zero-days exploited by FruityArmor, SandCat hacking groups
Microsoft has released security updates for two vulnerabilities that researchers say have been exploited by suspected nation-state hacking groups dubbed FruityArmor and SandCat.
The March edition of Microsoft’s Patch Tuesday, the company’s monthly batch of fixes for reported security problems, addresses 64 vulnerabilities, 17 of them rated “critical.” Attackers have already exploited at least two of the bugs, CVE-2019-0808 and CVE-2019-0797, according to researchers from Google and Russian security vendor Kaspersky Lab.
Both bugs are elevation of privilege vulnerabilities in Win32k, the kernel-mode part of the Windows windowing subsystem. Neither gives an attacker a way onto a machine by itself; they are used once an attacker can already run code as a low-privileged user, to escalate from that account to full kernel-level control of the system.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” Microsoft wrote in a security bulletin about the vulnerabilities. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The warning is not just theoretical.
Kaspersky researchers Vasily Berdnikov and Boris Larin said in a blog post Wednesday they believe hacking groups including FruityArmor and SandCat are using the CVE-2019-0797 vulnerability.
FruityArmor, a cyber-espionage group, has previously targeted victims in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden, SC Magazine has reported; researchers affiliated with governments, as well as activist groups, fit the victim profile. SandCat is a newer threat group that researchers say is most active in the Middle East.
Google disclosed CVE-2019-0808 last week, revealing it had been used against Windows 7 users. Attackers chained it with a separate vulnerability in Chrome: the Chrome bug gave them code execution inside the browser’s sandbox, and the Windows privilege escalation bug let them break out of that sandbox and take control of the targeted computers. The Chrome issue was patched in the latest version of Chrome; CVE-2019-0808 itself is fixed by this month’s Windows update, so both updates are needed to close the chain.
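A quick way to check whether a Windows host has picked up the March 2019 fixes is to look at the win32k.sys binary, which both CVEs live in, and at the updates installed since that Patch Tuesday. The script below is an added example written for this article, not code from Microsoft, Google or Kaspersky; it assumes the Patch Tuesday date of 12 March 2019 and deliberately does not hardcode a file-version threshold or KB number, since those differ per Windows release and should be taken from Microsoft’s advisory for the platform being checked.

```powershell
# Added example, not from the original article: report the signals an
# administrator would use to judge whether a host carries the March 2019
# fixes for CVE-2019-0808 / CVE-2019-0797 (both in win32k.sys).
# Assumption: the March 2019 Patch Tuesday date is 2019-03-12.
$patchTuesday = Get-Date '2019-03-12'

# 1. Updates installed on or after that Patch Tuesday. Cumulative updates on
#    Windows 10 also count, because a later cumulative update contains the fix.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn

# 2. The win32k.sys binary actually on disk. The file version is the most
#    direct signal; compare it against the version listed in the Microsoft
#    advisory for this OS build (not hardcoded here, as it varies per build).
$win32k = Get-Item "$env:SystemRoot\System32\win32k.sys"
$ver    = $win32k.VersionInfo

[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    OSVersion         = [System.Environment]::OSVersion.Version.ToString()
    Win32kFileVersion = $ver.FileVersion
    Win32kLastWrite   = $win32k.LastWriteTimeUtc
    PostMarch2019KBs  = ($recent.HotFixID -join ', ')
}

if (-not $recent) {
    Write-Warning ("No updates installed since {0}; treat CVE-2019-0808 and " +
                   "CVE-2019-0797 as unpatched on this host.") -f $patchTuesday.ToShortDateString()
}
```

Run it locally in any PowerShell session; for remote hosts wrap it in Invoke-Command. Treat the KB list as a secondary signal only: Get-HotFix reads the Win32_QuickFixEngineering data, which can lag or miss entries, whereas the win32k.sys file version reflects what is actually loaded after the next reboot.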