Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Kaspersky Lab uncovers critical vulnerability in Windows OS exploited by an unknown criminal group

April 2019 by Kaspersky

Kaspersky Lab’s automated technologies have detected a previously unknown
vulnerability in Microsoft Windows. It was exploited by an unidentified criminal
group in an attempt to gain full control over a targeted device. The attack was
aimed at the core of the system – its kernel – through a backdoor constructed from
an essential element of Windows OS.

Backdoors are an extremely dangerous type of malware, as they allow threat actors to
control infected machines discreetly for malicious purposes. Such escalation of
privileges from a third party is usually hard to hide from security solutions.
However, a backdoor that exploits a previously unknown bug in the system – a
zero-day vulnerability – has significantly more chances to fly under the radar.
Ordinary security solutions can’t recognize the system infection nor can they
protect users from the yet-to-be-recognized threat.
Kaspersky Lab’s Exploit Prevention technology was, though, able to detect the
attempt to exploit the unknown vulnerability in Microsoft Windows OS. The attack
scenario found was the following: once the malicious .exe file was launched,
installation of the malware was initiated. The infection exploited a zero-day
vulnerability and achieved privileges for successful persistence on the victim’s
machine. The malware then initiated the launch of a backdoor developed with a
legitimate element of Windows, present on all machines running on this OS – a
scripting framework called Windows PowerShell. This allowed threat actors to be
stealthy and avoid detection, saving them time in writing the code for malicious
tools. The malware then downloaded another backdoor from a popular legitimate text
storage service, which in turn gave criminals full control over the infected system.

“In this attack, we observed two main trends that we often see in Advanced
Persistent Threats (APTs). First, the use of local privilege escalation exploits to
successfully persist on the victim’s machine. Second, the use of legitimate
frameworks like Windows PowerShell for malicious activity on the victim’s machine.
This combination gives the threat actors the ability to bypass standard security
solutions. To detect such techniques, the security solution must use exploit
prevention and behavioral detection engines,” explains Anton Ivanov, a security
expert at Kaspersky Lab.
Kaspersky Lab products detected the exploit as:

* HEUR:Exploit.Win32.Generic
* HEUR:Trojan.Win32.Generic
* PDM:Exploit.Win32.Generic

The vulnerability was reported to Microsoft and
patched<https://portal.msrc.microsoft.com/e...>
on April 10th.
To prevent the installation of backdoors through Windows zero-day vulnerability,
Kaspersky Lab recommends taking the following security measures:

* Once the vulnerability is patched and the patch is downloaded, threat actors
lose the opportunity to use it. Install Microsoft’s
patch<https://portal.msrc.microsoft.com/e...>
for the new vulnerability as soon as possible

* If you are concerned about the safety of your whole organization, make sure
that all software is updated as soon as a new security patch is released. Use
security products with vulnerability assessment and patch management capabilities
to make sure these processes run automatically

* Use a proven security solution with behavior-based detection capabilities for
protection against unknown threats, such as Kaspersky Endpoint
Security<https://www.kaspersky.com/small-to-...>

* Make sure your security team has access to the most recent cyber threat
intelligence. Private reports on the latest developments in the threat landscape
are available to customers of Kaspersky Intelligence
Reporting. For further details,
contact: intelreports@kaspersky.com

* Last, but not least, ensure your staff is trained in the basics of
cybersecurity hygiene
To take a closer look at the technologies that detected this and other zero-days in
Microsoft Windows, a recorded Kaspersky Lab
webinar<https://www.brighttalk.com/webcast/...> is available to view on
demand.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts