Kaspersky Lab’s automated technologies have detected a previously unknown vulnerability in Microsoft Windows. It was exploited by an unidentified criminal group in an attempt to gain full control over a targeted device. The attack was aimed at the core of the system – its kernel – through a backdoor constructed from an essential element of Windows OS.
Backdoors are an extremely dangerous type of malware, as they allow threat actors to control infected machines discreetly for malicious purposes. Such escalation of privileges from a third party is usually hard to hide from security solutions. However, a backdoor that exploits a previously unknown bug in the system – a zero-day vulnerability – has significantly more chances to fly under the radar. Ordinary security solutions can’t recognise the system infection, nor can they protect users from the yet-to-be-recognised threat.
Kaspersky Lab’s Exploit Prevention technology was, though, able to detect the attempt to exploit the unknown vulnerability in Microsoft Windows OS. The attack scenario found was the following: once the malicious .exe file was launched, installation of the malware was initiated. The infection exploited a zero-day vulnerability and achieved privileges for successful persistence on the victim’s machine. The malware then initiated the launch of a backdoor developed with a legitimate element of Windows, present on all machines running on this OS – a scripting framework called Windows PowerShell. This allowed threat actors to be stealthy and avoid detection, saving them time in writing the code for malicious tools. The malware then downloaded another backdoor from a popular legitimate text storage service, which in turn gave criminals full control over the infected system.
“In this attack, we observed two main trends that we often see in Advanced Persistent Threats (APTs). First, the use of local privilege escalation exploits to successfully persist on the victim’s machine. Second, the use of legitimate frameworks like Windows PowerShell for malicious activity on the victim’s machine. This combination gives the threat actors the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention and behavioral detection engines,” explains Anton Ivanov, a security expert at Kaspersky Lab.
Kaspersky Lab products detected the exploit as:
- HEUR:Exploit.Win32.Generic
- HEUR:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
The vulnerability was reported to Microsoft and patched on April 10th.
To prevent the installation of backdoors through Windows zero-day vulnerability, Kaspersky Lab recommends taking the following security measures:
- Once the vulnerability is patched and the patch is downloaded, threat actors lose the opportunity to use it. Install Microsoft’s patch for the new vulnerability as soon as possible
- If you are concerned about the safety of your whole organisation, make sure that all software is updated as soon as a new security patch is released. Use security products with vulnerability assessment and patch management capabilities to make sure these processes run automatically
- Use a proven security solution with behavior-based detection capabilities for protection against unknown threats, such as Kaspersky Endpoint Security
- Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting. For further details, contact: intelreports@kaspersky.com
- Last, but not least, ensure your staff is trained in the basics of cybersecurity hygiene
For further details on the new exploit see the full report on Securelist.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.