Sunday, November 24, 2024
HomeComputer SecurityAPT Hackers Group Exploiting the Window OS Using New Zero day Vulnerability

APT Hackers Group Exploiting the Window OS Using New Zero day Vulnerability

Published on

Cyber criminals started exploiting the Microsoft windows os using recently discovered win32k zero day vulnerability that was patched by Microsoft recently.

A zero-day vulnerability that resides in the win32k.sys allows attackers to exploit 64-bit operating systems in the range from Windows 8 to Windows 10.

This vulnerability ( CVE-2019-0797) was initially discovered by the kaspersky lab researchers who was reported to Microsoft and the fixed patch was released on March 2019 security update.

- Advertisement - SIEM as a Service

A Privilege escalation vulnerability that exists in Windows OS when the Win32k component fails to properly handle objects in memory let allow attackers to run arbitrary code in kernel mode.

This new Exploit is currently used by several ATP threat actors in wide including FruityArmor and SandCat, both are recently active APT groups that specifically targeting the victims using zero day exploits.

According to Costin Raiu, director of global research, Kaspersky Lab, “SandCat is a relatively new APT group; we first observed them in 2018, although it would appear they have been around for some time,” ,

Kaspersky researcher discovered this new windows exploit using 2 different technologies

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

New Zero day vulnerability (CVE-2019-0797)

This vulnerability resides in the win32k driver due to improper synchronization between undocumented two syscalls,

1.NtDCompositionDiscardFrame
2.NtDCompositionDestroyConnection

Kaspersky researchers explained that, “The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, the function DiscardAllCompositionFrames may be executed at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. This condition leads to a use-after-free scenario.”

Researcher observed that the attackers made a few attacks by exploiting this zero day vulnerability and all the windows users need to apply the necessary patch to prevent from this attack.

Attackers are using the exploitation process in same way for all the vulnerable OS versions using heap spraying palettes to leak their kernel addresses. 

Besides that, the exploit performs a check on whether it’s running from Google Chrome and stops execution if it is because vulnerability CVE-2019-0797 can’t be exploited within a sandbox. kaspersky said.

All the windows users urged to update your operating system let Microsoft apply the patches for this vulnerability on your windows system.

Also Learn: Certified Advanced Persistent Threat Analyst online course

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

FortiClient VPN Flaw Enables Undetected Brute-Force Attacks

A design flaw in the logging mechanism of Fortinet's VPN servers has been uncovered,...

macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

A race condition vulnerability in Apple's WorkflowKit has been identified, allowing malicious applications to...

Trend Micro Deep Security Vulnerable to Command Injection Attacks

Trend Micro has released a critical update addressing a remote code execution (RCE) vulnerability...