More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability (CVE-2016-0167) reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.
FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) on Tuesday.
FireEye said attacks leveraging the zero day flaw are targeting point-of-sale payment card systems used by retail, restaurant and hospitality verticals. The multi-stage attacks began, FireEye reports, with tailored spear phishing campaigns that contained variations of Microsoft Word documents embedded with macros that, when enabled, downloaded and executed a malicious downloader that FireEye calls PUNCHBUGGY.
PUNCHBUGGY, FireEye said, is a dynamic-link library (DLL) that is capable of obtaining additional code via an HTTPS connection. “This downloader was used by the threat actor to interact with compromised systems and move laterally across the victim’s network,” according to the authors of the FireEye report.
Next, FireEye said, criminals used tools, including a “previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale memory scraping tool” that researchers named PUNCHTRACK malware. PUNCHTRACK is loaded and executed by an obfuscated launcher and is never saved to disk, researchers said.
The attackers are the only group it has observed to use the downloader PUNCHBUGGY in tandem with the POS malware PUNCHTRACK, FireEye said.
“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” FireEye wrote.
The specific exploit used by the attackers to execute remote code centered on a use-after-free vulnerability (Win32k!xxxMNDestroyHandler). This type of vulnerability refers to an attacker accessing memory after it has been freed. This can cause a program to crash or can result in the execution of arbitrary code. In this case, attackers use the use-after-free vulnerability to download the CVE-2016-0167 exploit and run the subsequent code as SYSTEM.
“The exploit uses SetSysColors() to perform heap Feng Shui which manipulates the layout of the heap by carefully making heap allocations,” FireEye wrote. Simply put, attackers are able to corrupt the system memory, execute code and create trusted user-mode shellcode. “The shellcode then steals the System process token to elevate a child cmd.exe process,” FireEye reports. The attack is designed to scrape both Track 1 and Track 2 payment card data, FireEye said.
The latest Windows updates address CVE-2016-0167, and fully protect systems from exploits targeting CVE-2016-0167. As a precaution, FireEye also recommends users disable Office macros in their settings and for enterprise administrators to enforce a Group Policy to control macro execution for all Office 2016 users.
Security experts say, as more U.S. companies snuff out point of sale malware by deploying chip-and-PIN bankcard technology, attackers are rushing to exploit existing magnetic strip card systems still vulnerable to malware. FireEye, for example, reported last month that that a group of hackers that go by the name Bears Inc. are behind the latest barrage of attacks with a custom-built point of sale malware called Treasurehunt. This latest zero day vulnerability follows the same trend.