steven36 Posted July 13, 2019

The CVE-2019-1132 flaw addressed by Microsoft this month was exploited by the Buhtrap threat actor to target a government organization in Eastern Europe.

Microsoft Patch Tuesday updates for July 2019 address a total of 77 vulnerabilities, including two privilege escalation flaws actively exploited in the wild. The first vulnerability, tracked as CVE-2019-1132, affects the Win32k component and could be exploited to run arbitrary code in kernel mode. The second one, tracked as CVE-2019-0880, affects Windows 7 and Server 2008; the issue resides in the way splwow64 (Thunking Spooler APIs) handles certain calls.

According to experts at ESET, the Windows zero-day flaw CVE-2019-1132 was exploited by the Buhtrap threat actor in a targeted attack aimed at a government organization in Eastern Europe. Experts pointed out that this was the first time Buhtrap had used a zero-day flaw in its operations.

Since August 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions, stealing more than ₽1.86 billion RUB ($27.4M USD). In April 2015, ESET discovered a malware campaign dubbed Operation Buhtrap, a combination of the Russian word for accountant, "Buhgalter", and the English word "trap". So far Buhtrap has not been seen anywhere else in the wild: 88 percent of targets have been in Russia and ten percent in Ukraine. Analysts have also likened the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.

Back to the present: ESET reported the attacks exploiting CVE-2019-1132 to Microsoft. The Buhtrap threat actor developed an exploit that relies on popup menu objects, a technique that has been observed in other attacks over the years.

"... but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign. In that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its victims." reads the analysis published by ESET. "The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch."

ESET researchers discovered that the flaw was exploited in an attack aimed at a government institution in Eastern Europe in June. Buhtrap threat actors exploited the flaw to execute malicious code with the highest privileges on the target systems. Attackers used a weaponized document to deliver a backdoor that also implements info-stealing capabilities through a module called "grabber".

"The first module, called "grabber" by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server." continues the report. "The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner."

The group apparently shifted targets, but the real reason is still unclear.

"While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware." concludes the analysis. "In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward."

The vulnerability affects the following Windows versions:

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1

Conclusion

The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems. People who still use Windows 7 for 32-bit Systems Service Pack 1 should consider updating to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14th, 2020, which means that Windows 7 users won't receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever.

More At [welivesecurity]
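The conclusion above turns on one precondition: whether a user-mode process on the host can map the NULL page. The PowerShell script below is an added example, not code from the article or from ESET, that probes exactly that on the machine it runs on: it asks VirtualAlloc for a page at address 1 (which the allocator rounds down to 0) and then uses VirtualQuery to see whether page 0 is now committed, because a successful allocation at address 0 returns 0 and is indistinguishable from a failure by return value alone. The names Probe.Native and Test-NullPageMappable are the example's own. A "mapped" result means the generic NULL-page technique the ESET exploit depends on is still viable on that host; it says nothing about whether the July 2019 fix for CVE-2019-1132 itself is installed.

```powershell
# Added example (not from the article or ESET): probe whether this process can map
# the NULL page (address 0). Win32k NULL-pointer-dereference exploits need to back
# address 0 with attacker-controlled data; since Windows 8, and on Windows 7 x64 with
# the back-ported mitigation, the allocator refuses that request.
# Names (Probe.Native, Test-NullPageMappable) are this example's own.

if (-not ('Probe.Native' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace Probe {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    public static class Native {
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize,
                                                 uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualQuery(IntPtr lpAddress,
                                                 out MEMORY_BASIC_INFORMATION lpBuffer,
                                                 IntPtr dwLength);
    }
}
"@
}

$MEM_COMMIT     = 0x1000   # allocation flag; also the State value of a committed page
$MEM_RESERVE    = 0x2000
$PAGE_READWRITE = 0x04

function Test-NullPageMappable {
    # Ask for one page at address 1. VirtualAlloc rounds a non-zero lpAddress down to
    # the allocation granularity, so the request targets address 0. Passing 0 itself
    # would mean "anywhere", which is why the probe cannot name NULL directly.
    [void][Probe.Native]::VirtualAlloc([IntPtr]1, [IntPtr]0x1000,
                                       ($MEM_COMMIT -bor $MEM_RESERVE), $PAGE_READWRITE)

    # Success at address 0 returns 0, exactly like failure, so the return value is
    # useless here. Query page 0 and look at its state instead.
    $mbi = New-Object Probe.MEMORY_BASIC_INFORMATION
    $len = [Runtime.InteropServices.Marshal]::SizeOf($mbi)
    $got = [Probe.Native]::VirtualQuery([IntPtr]::Zero, [ref]$mbi, [IntPtr]$len)
    if ($got -eq [IntPtr]::Zero) { return $null }   # could not determine
    return ($mbi.State -eq $MEM_COMMIT)
}

$os = Get-WmiObject Win32_OperatingSystem
"{0} ({1}), version {2}" -f $os.Caption.Trim(), $os.OSArchitecture, $os.Version

$result = Test-NullPageMappable
if ($null -eq $result) {
    "Could not query page 0; result unknown."
} elseif ($result) {
    "NULL page MAPPED: a user process can back address 0 on this host, so " +
    "NULL-page dereference exploits of the CVE-2019-1132 type remain viable here."
} else {
    "NULL page BLOCKED: the allocation at address 0 was refused (mitigation present)."
}
```

No administrative rights are needed; the mapping, if it succeeds, is confined to this PowerShell process and disappears at exit. Run it under both 32-bit and 64-bit PowerShell on a Windows 7 x64 host to confirm the back-ported mitigation covers both. A BLOCKED result removes the precondition this particular exploit chain needs, but the win32k bug is still a kernel bug, and the July 2019 update remains the actual fix.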
mp68terr Posted July 14, 2019

5 hours ago, steven36 said:
"Which means that Windows 7 users won't receive critical security updates"

Msoft has published patches for critical security flaws in 'old' OSes before. Win7 end of support is mid-Jan 2020; how does the author know that it won't happen?
steven36 (Author) Posted July 14, 2019

23 minutes ago, mp68terr said:
"Msoft has published patches for critical security flaws in 'old' OSes before. Win7 end of support is mid-Jan 2020; how does the author know that it won't happen?"

Why are you asking me? I haven't used Windows 7 since 2013, and I don't care if you get infected because you're too dumb to use an OS that still gets updates; it's not my problem. I use Linux and have Windows 8.1. That's not what the author said, no way; that's what ESET said, they're the security experts, go ask them. Besides, there are a million vulnerabilities in Windows XP and Microsoft has only patched 2 since 2014 (unless you used the POSReady hack), because they were worms. This is not a virus, it's malware, so you would not be protected against it. That's how they wiped out most Windows viruses: by patching them, and the reason they patched those two is because it's a virus and it spreads. But malware is a whole other thing; they never even came close to stopping it yet. Prevention, not catching it, is the only real cure.
mp68terr Posted July 14, 2019

@steven36, not asking you. Using Linux too. What I meant is that the original author does not know what Msoft will do. The patch might never come, or it might come before Jan 2020 if it's a critical flaw. If the author does not know, better not to say. As a side note, ESET also links to a Msoft page with patches, including win7_32.
steven36 (Author) Posted July 14, 2019

31 minutes ago, mp68terr said:
"@steven36, not asking you. Using Linux too. What I meant is that the original author does not know what Msoft will do. The patch might never come, or it might come before Jan 2020 if it's a critical flaw. If the author does not know, better not to say. As a side note, ESET also links to a Msoft page with patches, including win7_32."

See what a virus does: you can pack it with some nasty malware, and if you have a network with 2000 PCs, all 2000 PCs you have will get infected with it. Microsoft will patch it most likely. But malware can't do this alone; it's not a virus, so Microsoft really doesn't care if it gets you, so you're going to have to pray your antivirus catches it. Old versions of NOD32 will keep working on Windows 7 for some years, but they will drop new versions of their software as soon as EOL for Windows 7 on home versions. So you won't have the most advanced security tech any more. There is no future in the past; in 4 years Windows 7 will be where XP is now, with no 3rd-party software support. All those people who held on to XP, it didn't do them a bit of good; it only has 3% market share. Some only use Android now; if you used XP all those years you don't need much. The rest are on different desktop OSes: Win 7, 10, Linux. Mobile has been wiping out desktop for 3 years now, but PCs are selling again only because Windows 7 is running out of time; it's just users that are already on them buying them.