Last week, a security researcher published details of a Windows zero-day vulnerability on Twitter and included a link to working proof-of-concept (PoC) code on GitHub. Two days later, it was spotted being exploited in the wild.
Two days following the sudden disclosure of a previously unknown vulnerability in Windows operating systems, researchers have already spotted attackers exploiting it in targeted attack campaigns. The vulnerability, which can allow attackers to gain elevated (SYSTEM) privileges, was announced by security researcher SandboxEscaper on Monday, August 27 via a tweet that linked to proof-of-concept (PoC) exploit code on GitHub.
It's a local privilege escalation vulnerability in the Windows Task Scheduler's Advanced Local Procedure Call (ALPC) interface. The Task Scheduler service runs as SYSTEM and exposes an ALPC method, SchRpcSetSecurity, that rewrites the security descriptor of a task file under C:\Windows\Tasks using the service's own privileges rather than the caller's. Any authenticated user can create files in that directory, and a hard link placed there can point at any file the user is able to read, so an unprivileged local user can make the service change the permissions of an arbitrary file on the system and then modify it, including system files that are executed by privileged processes. For example, SandboxEscaper's PoC overwrites a printing-related DLL so that it launches notepad.exe, then triggers the Print Spooler service (spoolsv.exe) to load the DLL. As a result, notepad.exe is spawned as SYSTEM.
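Both traces the PoC leaves behind can be checked from the command line. The PowerShell below is an added hunting example, not code from the post or from the PoC itself: it lists every file in C:\Windows\Tasks that has more than one hard link (the technique plants a link there to the file it wants the service to re-permission) and every process whose parent is spoolsv.exe. The function names are this example's own; run it from an elevated prompt.

```powershell
# Added example (not from the original post or from SandboxEscaper's PoC).
# Looks for two artifacts of the Task Scheduler ALPC technique:
#   1. a file in C:\Windows\Tasks that is a hard link to something elsewhere
#   2. a process spawned by the Print Spooler (spoolsv.exe)
# Run from an elevated PowerShell prompt.

function Get-SuspiciousTaskLinks {
    param([string]$TasksDir = "$env:SystemRoot\Tasks")
    $findings = @()
    foreach ($file in Get-ChildItem -Path $TasksDir -File -Force -ErrorAction SilentlyContinue) {
        # fsutil prints one volume-relative path per hard link name.
        $links = & fsutil.exe hardlink list $file.FullName 2>$null |
                 Where-Object { $_ -and $_.Trim() }
        if ($links.Count -gt 1) {
            $findings += [pscustomobject]@{
                File  = $file.FullName
                Links = ($links | ForEach-Object { $_.Trim() }) -join '; '
            }
        }
    }
    return $findings
}

function Get-SpoolerChildren {
    # Any child of spoolsv.exe deserves a look; in the PoC it is notepad.exe
    # running as SYSTEM. Printer driver installs can be legitimate children,
    # so treat this as a lead rather than a verdict.
    $spoolerPids = (Get-Process -Name spoolsv -ErrorAction SilentlyContinue).Id
    if (-not $spoolerPids) { return @() }
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $spoolerPids -contains $_.ParentProcessId } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

$links = Get-SuspiciousTaskLinks
if ($links) {
    "Files in Tasks with more than one hard link:"
    $links | Format-Table -AutoSize
} else {
    "No multi-link files found in $env:SystemRoot\Tasks."
}

$children = Get-SpoolerChildren
if ($children) {
    "Processes whose parent is spoolsv.exe:"
    $children | Format-Table -AutoSize
} else {
    "spoolsv.exe has no child processes right now."
}
```

The hard link check is the more reliable of the two: legitimate .job files in that directory are single-link files, so a second name on the same file is a strong indicator that someone has been pointing the Task Scheduler service at a target outside the directory. The spooler check only catches the DLL-hijack half while the child process is still alive, so it belongs in continuous process-creation logging (Sysmon or Windows Security event 4688) rather than in a one-off script.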
According to researchers at ESET, an attack group called PowerPool has modified the exploit PoC to gain write access to GoogleUpdate.exe, the legitimate updater for Google applications, which is regularly run with administrative privileges. By replacing the updater with a malicious executable, the attackers ensure it will be launched with the updater's elevated privileges the next time the updater is called.
This is a privilege escalation, not a remote exploit: the only way for attackers to use it is by first gaining initial access and code execution on a vulnerable system. To do that, ESET reports the PowerPool group appears to be launching small-scale malspam campaigns sent to carefully targeted recipients (for now). While there are no details on what the emails look like, the group has been known to distribute its malware in SYLK (.slk) spreadsheet attachments, a legacy Excel file format, in the past.
The flaw was initially thought to be confined to 64-bit Windows 10 and Windows Server 2016 systems, but CERT vulnerability analyst Will Dormann later confirmed that all supported Windows versions are vulnerable, including Windows 7, 8, and 10; Windows Server 2008, 2012, and 2016; and 32-bit systems as well.
UPDATE: A patch is now available. Microsoft has addressed the flaw (now identified as CVE-2018-8440) as part of its September Patch Tuesday updates. Prior to the official patch, the company 0patch had issued a "micropatch" that addresses the issue for Windows 10, Windows 7, Windows Server 2008, and Windows Server 2016 systems.
One option presented by Karsten Nilsen and James Forshaw is to set access control lists (ACLs) on the C:\Windows\Tasks directory to prevent authenticated users from writing to it. Others have tested and confirmed that this prevents the exploit code from working without interfering with existing scheduled tasks or the creation of new ones. That said, the mitigation hasn't been approved by Microsoft and could potentially have unexpected consequences. In addition, Kevin Beaumont has published guidance on creating rules to detect exploitation of the vulnerability. Finally, having a strong endpoint security solution in place can prevent attacks from gaining the initial access and code execution they need to use this exploit.
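The ACL mitigation amounts to stripping the rights that Authenticated Users hold on C:\Windows\Tasks, which is what lets an unprivileged user drop a hard link there in the first place. The PowerShell below is an added example of applying it with a backup and a rollback path; it is not code from the post or from the researchers named above. The backup location and the function names are this example's own choices, and the change should be reverted once the September update is installed.

```powershell
# Added example (not from the original post). Removes Authenticated Users'
# access to C:\Windows\Tasks, the interim mitigation described above, after
# saving the current ACL so it can be restored once the patch is installed.
# Run from an elevated PowerShell prompt. $BackupFile is an assumed path.

$TasksDir   = "$env:SystemRoot\Tasks"
$BackupFile = "$env:ProgramData\tasks-acl-backup.txt"   # assumed location

function Get-TasksWriteGrants {
    # Returns Allow ACEs for Authenticated Users on the Tasks directory that
    # carry any write-type bit: WriteData/CreateFiles (0x2),
    # AppendData/CreateDirectories (0x4), GENERIC_WRITE or GENERIC_ALL.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -Path $TasksDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
}

function Invoke-TasksAclMitigation {
    # Save the existing DACL first; /restore later replays it.
    & icacls.exe $TasksDir /save $BackupFile /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed with exit code $LASTEXITCODE" }

    # Drop every explicitly granted ACE for Authenticated Users.
    & icacls.exe $TasksDir /remove:g 'Authenticated Users' /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove failed with exit code $LASTEXITCODE" }
}

function Restore-TasksAcl {
    # /restore is run against the parent directory of the saved entry.
    & icacls.exe (Split-Path -Path $TasksDir -Parent) /restore $BackupFile /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed with exit code $LASTEXITCODE" }
}

Invoke-TasksAclMitigation

$remaining = Get-TasksWriteGrants
if ($remaining) {
    "Authenticated Users still hold write rights on ${TasksDir}:"
    $remaining | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "Authenticated Users no longer have write access to $TasksDir."
    "Original ACL saved to $BackupFile; run Restore-TasksAcl to revert after patching."
}
```

The verification step matters because icacls /remove:g only strips explicit ACEs; if a write grant were arriving through inheritance (the IsInherited column), it would survive and the mitigation would be ineffective. Keep the backup file until the machine has received the CVE-2018-8440 update, then call Restore-TasksAcl so the directory goes back to its stock permissions, and test the whole sequence on a non-production system first given that Microsoft has not endorsed the change.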
We can confirm Barkly offers protection against the PowerPool attacks by blocking the payload files as well as attempts to abuse .slk files to gain initial access and code execution.