After they were patched in yesterday’s round of Patch Tuesday security bulletins, security firms have begun to peel back the layers on two zero-day vulnerabilities that are being used in limited, targeted attacks against Microsoft’s Windows Kernel.
According to FireEye, one of the firms that conducted research on both of the vulnerabilities, the flaws can lead to elevation of privilege if left unpatched. Both vulnerabilities are being used in attacks against some major corporations, the firm says.
Attackers were able to exploit the first hole (CVE-2014-4148) in Windows True Type Font (TTF) by embedding a malicious TTF in a Microsoft Office file. As soon as a victim opens the malicious TTF, the font is processed in kernel mode, and the attacker can call on an embedded DLL that’s really a remote access tool. The kernel-level exploit is sophisticated in the sense that it evades analysis, avoids running the shellcode multiple times and is specially customized for each targeted environment.
“Since TTF exploits target the underlying operating system, the vulnerability can be exploited through multiple attack vectors, including web pages,” Dan Caselden, Matt Graebler and Lindsay Lack, a trio of researchers at FireEye, wrote in the company’s blog yesterday.
The exploit targets only 32-bit systems, but the vulnerability technically also affects 64-bit systems, according to the firm.
The second issue (CVE-2014-4113) has apparently existed in one variation or another for some time; its 32-bit exploit can only be used in tandem with another exploit. Only once an attacker already has access to a remote system running one of the following Windows versions – 7, Vista, Windows 2000, Server 2003/R2, or Server 2008/R2 – could they use it for an elevation of privilege attack.
Once they’ve gained access to a remote system attackers can execute code within the context of the Windows Kernel.
Crowdstrike, a California-based security firm, also spotted a campaign utilizing CVE-2014-4113. According to a blog entry posted yesterday by Dmitri Alperovitch, the company’s CTO, the firm noticed “suspicious activity” on a 64-bit Windows Server 2008 R2 machine over the past few months.
The result is something the firm has dubbed “Hurricane Panda,” a threat actor that apparently operates from China and that uses the vulnerability to elevate its privileges to those of the SYSTEM user, according to the firm.
Since at least February, the campaign has used CVE-2014-4113, along with three other local privilege escalation vulnerabilities, against infrastructure companies to gather intelligence, according to Alperovitch.
Once they’re in, the attackers upload a webshell to carry out the rest of their attack and move laterally.
“The actor will typically attempt to escalate privileges and use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives,” the blog entry reads.
Like FireEye, Crowdstrike confirmed that the bug affects all 64-bit Windows variants “up to and including Windows 7 and Windows Server 2008 R2.”
Both of the issues were patched by Microsoft’s MS14-058 bulletin yesterday, one of three bulletins the company pushed that were rated critical and that, if left unpatched, could lead to remote code execution.
The bugs took a backseat of sorts to the news that an APT crew nicknamed Sandworm had been using another Windows zero day, CVE-2014-4114, to leverage tainted Powerpoint documents to deliver Black Energy malware. That vulnerability, which had largely been delivered via spearphishing emails since August, was also patched yesterday by Microsoft.