Kaspersky Lab Nabs Another Windows Zero-Day
Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.
CVE-2019-0859 was one of two Windows vulnerabilities — the other, CVE-2019-0803, was discovered by Alibaba’s security team — that were described by Microsoft this month as being under active attack. Microsoft addressed both vulnerabilities with its April 10 security patch bundle, and the recommendation is to patch these Windows flaws quickly. Both of the exploits targeted the win32k.sys file process that’s used in various Windows client and server operating systems, from Windows 7 to Windows 10, both 32-bit and 64-bit systems. Both exploits used a win32k.sys memory handling flaw.
According to Microsoft’s description of CVE-2019-0859, a successful exploit would permit an attacker to change or delete data, or “create new accounts with full user rights.” To initiate it, the attacker would need to have the ability to log into a user’s system, though.
Kaspersky Lab Research
The discovery of the CVE-2019-0859 vulnerability was credited by Microsoft to Vasily Berdnikov and Boris Larin of Kaspersky Lab. The researchers, who reported the issue to Microsoft on March 17, 2019, described the technical details of the zero-day exploit in this SecureList post.
So far, the identity of the malware author or authors isn’t known. Kaspersky Lab described the authors as a “still unidentified APT [advanced persistent threat] Group.”
The attack exploits a vulnerability in which it’s possible to add data to memory during a WM-NCCREATE callback process in Windows systems. It lets the attackers execute “PowerShell with a Base64 encoded command,” which is used to download yet another PowerShell script from a Pastebin.com repository.
This PowerShell script is then used to execute a third PowerShell script, the Kaspersky Labs researchers explained. The third PowerShell script unpacks code to execute in memory, which creates an “HTTP reverse shell” that’s used to “gain full control over the victim’s system,” they added.
According to the Kaspersky Lab researchers, CVE-2019-0859 represented “the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies.” It was detected using Kaspersky Lab’s endpoint protection security solution, along with its “Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.”
PowerShell Commonly Used in Attacks
The use of PowerShell for the attacks isn’t new. Attackers use it mostly because it’s part of Windows systems and doesn’t leave file signatures for malware engines to detect.
Software security solution provider Symantec reported a 661 percent increase in the use of PowerShell in attacks from the second half of 2017 to the second half of 2018. PowerShell is used in so-called “fileless” attacks, where the commands are executed in memory, rather than being stored on disk as executable files, which can be detected by anti-malware solutions.
CVE-2019-0859 used Base64 encoding to obscure the PowerShell commands. That sort of technique was used by just 5.7 percent of exploits, according to Symantec’s 2018 data analysis.
PowerShell does have some restrictions to prevent abuse, but they don’t seem to be deferring attackers, according to this Trend Micro post.
“We have seen several PowerShell script-toting malware employ techniques to bypass PowerShell’s default execution policy, such as running the malicious code as a command line argument,” Trend Micro explained.
Microsoft deprecated PowerShell 2.0 in favor of later versions that have a logging capability for security purposes, but IT pros still need to be able to use those logs to detect attacks. Trend Micro offered a few suggestions for better security. IT pros can check for certain triggers used by malicious PowerShell scripts. They can also deploy behavior monitoring tools and grant the least privilege to end users, while also disabling unneeded software components. PowerShell scripts can be made to execute in a custom sandbox as a sort of initial quarantine. Endpoints for malware (e-mail, malicious links) can be locked down.
Panda Security floated the idea of “disabling PowerShell if it is not necessary to administer systems,” according to this blog post. However, PowerShell is still part of Windows and organizations likely won’t be able to disable it correctly — at least, that was the position of David das Neves, a cloud program manager for Google and a former Microsoft Premier field engineer. He offered that point of view in this 2017 blog post.