Microsoft Windows vulnerability allowed attackers to deploy a backdoor on a targeted device

Woburn, MA – April 15, 2019 — — Kaspersky Lab has released a report on its detection of a previously unknown vulnerability in Microsoft Windows, which was discovered being exploited by an unidentified criminal group attempting to gain full control over a targeted device. The attack was aimed at the core of the system – its kernel – through a backdoor constructed from an essential element of Windows OS.

Backdoors are an extremely dangerous type of malware, as they allow threat actors to discreetly control infected machines for malicious purposes. A backdoor that exploits a zero-day vulnerability may evade standard security solutions, as they cannot recognize a system infection from an unknown threat. In this case, Kaspersky Lab’s Exploit Prevention technology was able to detect the attempt to exploit the unknown vulnerability in Microsoft Windows OS.

The attack scenario discovered was the following: once the malicious .exe file was launched, the installation of the malware was initiated. The infection exploited a zero-day vulnerability and achieved privileges for successful persistence on the victim’s machine. The malware then initiated the launch of a backdoor developed with a legitimate element of Windows, present on all machines running on this OS – a scripting framework called Windows PowerShell. This allowed threat actors to be stealthy and avoid detection, saving them time in writing the code for malicious tools. The malware then downloaded another backdoor from a popular legitimate text storage service, which in turn gave criminals full control over the infected system.

“In this attack, we observed two main trends that we often see in Advanced Persistent Threats,” said Anton Ivanov, security expert at Kaspersky Lab. “First, the use of local privilege escalation exploits to successfully persist on the victim’s machine. Second, the use of legitimate frameworks like Windows PowerShell for malicious activity on the victim’s machine. This combination gives the threat actors the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention and behavioral detection engines.”

Kaspersky Lab products detected the exploit as:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

The vulnerability was reported to Microsoft and patched on April 10.

To prevent the installation of backdoors through a Windows zero-day vulnerability, Kaspersky Lab recommends the following security measures:

  • Install Microsoft’s patch for the new vulnerability as soon as possible. Once the vulnerability is patched and systems have been updated, threat actors lose the opportunity to use it.
  • Make sure that all software in your organization is updated whenever a new security patch is released. Use security products with vulnerability assessment and patch management capabilities to make sure these processes run automatically.
  • Use a proven security solution with behavior-based detection capabilities for protection against unknown threats, such as Kaspersky Endpoint Security.
  • Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting. For further details, contact intelreports@kaspersky.com.
  • Finally, ensure your staff is trained in the basics of cybersecurity hygiene.

For further details on the new exploit, see the full report on Securelist — https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/

To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky Lab webinar is available to view on demand — https://www.brighttalk.com/webcast/15591/348704

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.

Media Contact
Meghan Rimol
meghan.rimol@kaspersky.com
781.503.2671

Source: Kaspersky Lab

 

 

Related posts:

  1. New Kaspersky Endpoint Security for Business Delivers Enhanced Data Protection and Manageability Across All Platforms and Devices
  2. ShadowPad: Attackers Hid Backdoor in Software Used by Hundreds of Large Companies Worldwide
  3. Kaspersky Lab IT Threat Evolution Report: Attacks Leveraging Microsoft Office Exploits Grew Fourfold in Q1 2018
  4. Dropping Elephant: Cyber-espionage Group Hunts High Profile Targets with Low Profile Tools
  5. Era of Exploits: Number of Attacks Using Software Vulnerabilities on the Rise
  6. Remote Access Nightmare: Amount of Malware Found to be Backdoors Increases by 44% in 2018
  7. Kaspersky Lab Reports Malicious Attack Increase in Q1 IT Threat Evolution Report
  8. Kaspersky Lab Number of the Year 2016: 323,000 Pieces of Malware Detected Daily
  9. Mine a Million: Kaspersky Lab Identifies Sophisticated Hacker Group Earning Millions through Mining Malware
  10. Kaspersky Lab Uncovers Skygofree, a Highly Advanced, Powerful Android Surveillance Software

Tags: ,