Microsoft patches 'dangerous' zero-day already being exploited by hacking groups

guest · Dec 12, 2018

Microsoft patches 'dangerous' zero-day already being exploited by hacking groups
December 12, 2018
https://www.theinquirer.net/inquirer/news/3068124/microsoft-patch-tuesday-december-2018

This vulnerability in kernel image ntoskrnl.exe was reported to Microsoft on 29 October by security vendor Kasperky Lab. Listed as CVE-2018-8611 and classified as 'important', it is a local privilege escalation bug. Kaspersky Lab researchers say it has already been exploited by hacking groups FruityArmor and SandCat.

"CVE-2018-8611 is an especially dangerous threat - a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls," the company says.

"Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers."
Click to expand...

Rasheed187 · Dec 15, 2018

Wow, this sounds like a quite severe bug, it can even bypass browser sandboxes from Chrome and Edge.

wat0114 · Dec 15, 2018

From this MS CVE:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
Click to expand...

Rasheed187 · Dec 22, 2018

I think what they mean is that you first need to get code execution on the exploited system, but you can also do this via remote exploit. So let's say you exploit some "code execution" bug in Chrome, you can combine it with this one to break out of the sandbox.

guest · Mar 13, 2019

Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups
March 13, 2019
https://www.securityweek.com/windows-zero-day-exploited-fruityarmor-sandcat-threat-groups

Microsoft’s latest Patch Tuesday updates address two Windows zero-day flaws that allow attackers to elevate privileges. One of them, CVE-2019-0808, was reported to Microsoft by Google’s Threat Analysis Group, which has seen it being exploited in targeted attacks alongside a Chrome zero-day.
The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by Kaspersky Lab, which believes the vulnerability has been exploited by several threat actors, including FruityArmor and SandCat.

Anton Ivanov, security researcher at Kaspersky Lab, told SecurityWeek that the company does not have any information about the targets of the attacks involving the latest Windows zero-day, CVE-2019-0797.
Kaspersky said it informed Microsoft of this security hole, which it described as a race condition in the Win32k driver, on February 22.

It’s worth noting that CVE-2019-0797 is the fourth actively exploited Windows flaw discovered in recent months by Kaspersky.
Click to expand...

Kaspersky: The fourth horseman: CVE-2019-0797 vulnerability

guest · Mar 15, 2019

Experts published details of the actively exploited CVE-2019-0808 Windows Flaw
March 15, 2019
https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html

Microsoft addressed the flaw with the release of the Patch Tuesday security updates for March 2019.
The CVE-2019-0808 vulnerability affects the windows Win32k component and could be exploited by an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. An attacker can chain the flaw with a web browser vulnerability to escape sandboxes.

Now the researchers at Qihoo 360 shed the light on the flaw and the way to exploit it, they described the root cause with the following statement: [...]
The experts explained how to trigger the flaw and provided details on how Microsoft has fixed the problem.

The researchers also developed a PoC exploit that have only partially disclosed. Anyway, the analysis published by the researchers includes step-by-step instructions on the main phases of the exploitation process.
Click to expand...

guest · Apr 15, 2019

Windows Flaw Exploited to Deliver PowerShell Backdoor
April 15, 2019
https://www.securityweek.com/windows-flaw-exploited-deliver-powershell-backdoor

The flaw, tracked as CVE-2019-0859, was fixed by Microsoft with its April 2019 Patch Tuesday updates. According to the company, the issue exists due to the way the Win32k component in Windows handles objects in memory. The weakness allows an authenticated attacker to execute arbitrary code in kernel mode.

“The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR,” the researchers said in a blog post.

Kaspersky experts have pointed out that the use of PowerShell to create a backdoor makes the attack stealthier and increases its chances of evading detection. Another benefit of using PowerShell is that it saves the attackers time as they have to write less code.
This was the fifth Windows zero-day identified by Kaspersky in recent months. The company has not shared any information about the threat actor exploiting CVE-2019-0859.
Click to expand...

Kaspersky: New zero-day vulnerability CVE-2019-0859 in win32k.sys

guest · Oct 12, 2021

Microsoft Fixes Zero-Day Flaw in Win32 Driver
A previously known threat actor is using the flaw in a broad cyber-espionage campaign, security vendor warns.
October 13, 2021
https://www.darkreading.com/vulnera...e-includes-fix-for-0-day-flaw-in-win32-driver

CVE-2021-40449, the flaw being exploited in the wild, is a so-called use-after-free vulnerability in the Win32k kernel driver that gives threat actors a way to escalate privileges on a compromised Windows machine. The flaw is not remotely exploitable. Kaspersky discovered the zero-day threat when investigating attacks on multiple Windows Servers between late August and early September 2021.

The security vendor's analysis of the malware used in the attacks showed that it was being used in a broad cyber-espionage campaign against organizations across several sectors.
Click to expand...

Kaspersky is tracking the campaign as "MysterySnail" and has attributed it to a threat actor known as IronHusky and Chinese-speaking advanced persistent threat activity dating back to 2012.

Boris Larin, security researcher at Kaspersky, describes the flaw as easily exploitable and allowing attackers a way to gain full control of a vulnerable system after gaining an initial foothold. "After successful exploitation attackers can do basically whatever they want — steal authentication credentials, attack other machines and services within a network and achieve persistence," Larin says.

"[The] vulnerability is in the Win32k kernel driver, which is an essential component of the OS. So, unfortunately, there are no workarounds for that flaw," he says.
Click to expand...

Kaspersky: MysterySnail attacks with Windows zero-day

Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.

We are calling this cluster of activity MysterySnail. Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012.
Click to expand...

Log in or Sign up

Microsoft patches 'dangerous' zero-day already being exploited by hacking groups

guest Guest

Rasheed187 Registered Member

wat0114 Registered Member

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Microsoft patches 'dangerous' zero-day already being exploited by hacking groups

guest Guest

Rasheed187 Registered Member

wat0114 Registered Member

Rasheed187 Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches