Microsoft has released a patch to address a vulnerability in the Windows VBScript Engine. DoubleKill, also known as CVE-2018-8174 1, has been actively exploited in the wild by a limited number of threat actors. If successfully exploited, DoubleKill will give the threat actor the same permissions as the compromised user. Proof of concept (PoC) code has been released for this vulnerability, increasing the likelihood of additional threat actors exploiting the vulnerability 2.
What we’re doing about it
- esNETWORK rules have been deployed to detect active exploitation attempts
- The eSentire Threat Intelligence team is actively monitoring the situation for changes.
What you should do about it
- After a business impact review, apply Microsoft patches from the most recent ‘patch Tuesday’ (May 8, 2018)
- Implement the concept of Least-Privilege to limit potential damage
- Ensure employees are aware of ongoing email and web-based threats
DoubleKill affects a wide variety of Windows products that use the VBScript Engine; for a full list, see the Affect Products section of the official Windows release 1.
This vulnerability is caused by a failure in the way the VBScripts engine handles objects in memory. From initial assessments it appears that delivery of this exploit may occur through both phishing attempts and web-based attacks.