Kaspersky Lab uncovers Windows zero-day exploited by recently discovered threat actor

Kaspersky Lab’s automatedtechnologies have detected anew exploited vulnerability in Microsoft Windows, believed to have been used in targeted attacks by at least two threat actors, including the recently discovered SandCat. This is the fourth zero-day exploit to be discovered in the wild by Kaspersky Lab’sAutomatic Exploit Prevention technology. Kaspersky Lab reported the vulnerability, allocated CVE-2019-0797to Microsoft, which has released a patch.

Zero-day vulnerabilities are previously unknownsoftware bugs that can be exploited by attackers to breacha victim’s device and network. The new exploit uses a vulnerability in Microsoft Windows’ graphic subsystem to achieve  local privilege escalation.This provides the attacker with full control over a victim’s computer. The malware sample examined by Kaspersky Lab researchers shows that the exploit targetsOS versionsWindows 8 to Windows 10.

The researchers believe the detected exploit could have be used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. FruityArmor is known to have used zero-days in the past, while SandCat is a new threat actor discovered only recently.

“The discovery of a new Windows zero-day being actively exploited in the wild shows that such expensive and rare tools remain of great interest to threat actors, and organizations need security solutions that can protect against such unknown threats. It also reaffirms the importance of collaboration between the security industry and software developers: bug hunting, responsible disclosure and prompt patching are the best ways of keeping users safe from new and emerging threats,” – said Anton Ivanov, a security expert at Kaspersky Lab.

The exploited vulnerability was detected by Kaspersky Lab’s Automatic Exploit Prevention technology, embedded in most of the company’s products.

Kaspersky Lab products detectthe exploit as:

 

• HEUR:Exploit.Win32.Generic
• HEUR:Trojan.Win32.Generic
• PDM:Exploit.Win32.Generic

 

Kaspersky Lab recommends taking the following security measures:

• Install Microsoft’s patch for the new vulnerability as soon as possible.
• Make sure you updateall software used in your organization on a regular basis, and whenever anew security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
• Choose a proven security solution such as Kaspersky Endpoint Security that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
• Use advanced security tools like Kaspersky Anti Targeted Attack Platform (KATA) if your company requires highly sophisticated protection.
• Make sure your security team has access to the most recent cyber threat intelligence.  Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting. For further details, contact: intelreports@kaspersky.com.
• Last, but not least, ensure your staff is trained in the basics of cybersecurity hygiene.

For further details on the new exploit see the report on Securelist.

To take a closer look at the technologies that detected this andother zero-days in Microsoft Windows, a recorded Kaspersky Labwebinaris available to view on demand.