
Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks


steven36


The CVE-2019-1132 flaw addressed by Microsoft this month was exploited by Buhtrap threat actor to target a government organization in Eastern Europe.

 


Microsoft Patch Tuesday updates for July 2019 address a total of 77 vulnerabilities, including two privilege escalation flaws actively exploited in the wild.

 

The first vulnerability, tracked as CVE-2019-1132, affects the Win32k component and could be exploited to run arbitrary code in kernel mode. The second one, tracked as CVE-2019-0880, affects Windows 7 and Server 2008. The issue resides in the way splwow64 (Thunking Spooler APIs) handles certain calls.

 

According to experts at ESET, the Windows zero-day flaw CVE-2019-1132 was exploited by the Buhtrap threat actor in a targeted attack aimed at a government organization in Eastern Europe. Experts pointed out that this was the first time Buhtrap had used a zero-day flaw in its operations.

 

Since August of 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions, stealing more than 1.86 billion RUB ($27.4M USD). In April 2015, ESET discovered a malware campaign dubbed Operation Buhtrap, a conjunction of the Russian word for accountant, “Buhgalter”, and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild: 88 percent of targets have been in Russia and ten percent in Ukraine. Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.

 

Back to the present: ESET reported the attacks exploiting CVE-2019-1132 to Microsoft. The Buhtrap threat actor developed an exploit that relies on popup menu objects, a technique that has been observed in other attacks over the years.

 

“But June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign. In that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its victims,” reads the analysis published by ESET.

 

“The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.”

 

ESET researchers discovered that the flaw was exploited in an attack aimed at a government institution in Eastern Europe in June. Buhtrap threat actors exploited the flaw to execute malicious code with the highest privileges on the target systems.

 

Attackers used a weaponized document to deliver a backdoor that also implements info-stealing capabilities through a module called “grabber.”

 

“The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server.” continues the report. “The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.”

 

 

The group apparently shifted targets, but the real reason is still unclear.

 

“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware,” concludes the analysis. “In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward.”

 

 

The vulnerability affects the following Windows versions:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

 

Conclusion

The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems.

 

People who still use Windows 7 for 32-bit Systems Service Pack 1 should consider updating to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14th, 2020, which means that Windows 7 users won’t receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever.

 

More At [welivesecurity]

 


 

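The post above explains why the exploit only works where a user process may map the NULL page: a kernel NULL pointer dereference reads whatever the attacker has placed at address 0, and refusing that mapping is what kills the technique. The following is an added example, not code from the original post, from ESET or from Microsoft, and it does not touch win32k. It shows the same two halves on Linux, where the analogous mitigation is vm.mmap_min_addr (on Windows the exploit-side call is NtAllocateVirtualMemory with a base address inside the first page, which pre-Windows 8 kernels round down to 0). The struct layout, the "kernel" dispatch routines and the callback names are hypothetical, invented here for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical object layout (an assumption for illustration, not win32k's
 * real structures): the "kernel" trusts the pointer and calls through it. */
struct fake_kobj {
    uintptr_t flags;
    void (*callback)(void);
};

static int g_attacker_ran = 0;
static int g_benign_ran = 0;
static void attacker_callback(void) { g_attacker_ran = 1; }
static void benign_callback(void)   { g_benign_ran = 1; }

/* Vulnerable pattern: a lookup that can yield NULL is dereferenced unchecked.
 * With obj == NULL the load of obj->callback reads from page zero, so whoever
 * controls page zero controls the target of the indirect call. */
static int vuln_dispatch(struct fake_kobj *obj) {
    obj->callback();
    return 0;
}

/* Fixed pattern: reject a NULL object before touching it. */
int fixed_dispatch(struct fake_kobj *obj) {
    if (obj == NULL)
        return -EINVAL;
    obj->callback();
    return 0;
}

/* errno from the last mapping attempt, kept for diagnostics. */
int g_null_map_errno = 0;

/* User-mode half of the exploit: try to map one anonymous page at virtual
 * address 0. Returns 1 if the kernel allowed it, 0 if it refused. On Linux the
 * refusal (EPERM) comes from vm.mmap_min_addr, the counterpart of the
 * Windows 8+ rule that a user process may not map the NULL page. */
int try_map_null_page(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        g_null_map_errno = errno;
        return 0;
    }
    return 1;  /* MAP_FIXED succeeded, so the page really is at address 0 */
}

/* Full chain: map page zero, plant a fake object there, trigger the unchecked
 * dereference. Returns 1 if the attacker callback ran, 0 if the mitigation
 * stopped the mapping (the dereference is then never attempted). */
int demo_null_page_hijack(void) {
    if (!try_map_null_page())
        return 0;
    /* Route the zero address through a volatile so the compiler cannot fold
     * the access into a trap or assume the pointer is non-NULL. */
    volatile uintptr_t base = 0;
    struct fake_kobj *planted = (struct fake_kobj *)base;
    planted->flags = 0;
    planted->callback = attacker_callback;
    vuln_dispatch(planted);
    munmap((void *)0, (size_t)sysconf(_SC_PAGESIZE));
    return g_attacker_ran;
}

int main(void) {
    struct fake_kobj ok = { 0, benign_callback };
    printf("fixed_dispatch(valid) = %d, fixed_dispatch(NULL) = %d\n",
           fixed_dispatch(&ok), fixed_dispatch(NULL));
    if (demo_null_page_hijack())
        printf("page zero mappable: unchecked NULL dereference ran attacker code\n");
    else
        printf("page zero mapping refused (errno %d): mitigation in effect\n",
               g_null_map_errno);
    return 0;
}
```

On a stock Linux box (mmap_min_addr = 65536, no CAP_SYS_RAWIO) the mapping is refused and the vulnerable dispatch is never reached, which is exactly the state Windows 8 and the back-ported Windows 7 x64 mitigation put kernel NULL dereferences in: still a bug, no longer a privilege escalation. With the sysctl set to 0 the same binary runs attacker_callback, which is the Windows 7 32-bit situation the post describes.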


5 hours ago, steven36 said:

Which means that Windows 7 users won’t receive critical security updates

Msoft has published patches for critical security flaws for 'old' OSes before. Win7 end of support is mid-Jan 2020; how does the author know that it won't happen?



23 minutes ago, mp68terr said:

Msoft has published patches for critical security flaws for 'old' OSes before. Win7 end of support is mid-Jan 2020; how does the author know that it won't happen?

Why are you asking me? I haven't used Windows 7 since 2013 and I don't care if you get infected because you're too dumb to use an OS that still gets updates. It's not my problem; I use Linux and have Windows 8.1. :clap: Besides, that's not what the author said, no way; that's what ESET said, they're the security experts, go ask them. :lmao: Besides, there are a million vulnerabilities in Windows XP and Microsoft only patched 2 since 2014 (unless you used the POSReady hack), because they were worms. This is not a virus, it's malware, so you would not be protected against it. That's how they wiped out most Windows viruses, by patching them, and the reason they patched those two is because it's a virus and it spreads. But malware is a whole other thing; they never even came close to stopping it yet. Prevention, not catching it, is the only real cure.



@steven36,

Not asking you ;)

Using linux too.

What I meant is that the original author does not know what msoft will do. The patch might never come, or it might come before Jan 2020 if it's a critical flaw. If the author does not know, better not to say ^_^

As a side note, eset also links to a msoft page with patches, including win7_32.



31 minutes ago, mp68terr said:

@steven36,

Not asking you ;)

Using linux too.

What I meant is that the original author does not know what msoft will do. The patch might never come, or it might come before Jan 2020 if it's a critical flaw. If the author does not know, better not to say ^_^

As a side note, eset also links to a msoft page with patches, including win7_32.

See what a virus does: you can pack it with some nasty malware, and if you have a network with 2000 PCs, all 2000 PCs you have will get infected with it. Microsoft will most likely patch it. But malware can't do this alone, it's not a virus, so Microsoft really doesn't care if it gets you, so you're going to have to pray your antivirus catches it. Old versions of NOD32 will keep working on Windows 7 for some years, but they will drop new versions of their software as soon as EOL for Windows 7 on home versions. So you won't have the most advanced security tech any more.

 

There is no future in the past. In 4 years Windows 7 will be where XP is now: no 3rd-party software support. All those people who held on to XP, it didn't do them a bit of good; it only has 3% market share. Some only use Android now; if you used XP all those years you don't need much. The rest are on different desktop OSes: Win 7, 10, Linux. Mobile has been wiping the desktop's :moon: for 3 years now, but PCs are selling again only because Windows 7 is running out of time; it's just users that are already on them buying them.



Archived

This topic is now archived and is closed to further replies.
