Kaspersky Lab uncovers Windows zero-day exploited by recently discovered threat actor

13 March 2019
Kaspersky Lab’s automated technologies have detected a new exploited vulnerability in Microsoft Windows, believed to have been used in targeted attacks by at least two threat actors, including the recently discovered SandCat. This is the fourth zero-day exploit to be discovered in the wild by Kaspersky Lab’s Automatic Exploit Prevention technology. Kaspersky Lab reported the vulnerability, allocated CVE-2019-0797 to Microsoft, which has released a patch.

Zero-day vulnerabilities are previously unknown software bugs that can be exploited by attackers to breach a victim’s device and network. The new exploit uses a vulnerability in Microsoft Windows’ graphic subsystem to achieve local privilege escalation. This provides the attacker with full control over a victim’s computer. The malware sample examined by Kaspersky Lab researchers shows that the exploit targets OS versions Windows 8 to Windows 10.

The researchers believe the detected exploit could have be used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. FruityArmor is known to have used zero-days in the past, while SandCat is a new threat actor discovered only recently.

“The discovery of a new Windows zero-day being actively exploited in the wild shows that such expensive and rare tools remain of great interest to threat actors, and organizations need security solutions that can protect against such unknown threats. It also reaffirms the importance of collaboration between the security industry and software developers: bug hunting, responsible disclosure and prompt patching are the best ways of keeping users safe from new and emerging threats,” – said Anton Ivanov, a security expert at Kaspersky Lab.


Kaspersky-Automatic-Exploit-Prevention-AEP

The exploited vulnerability was detected by Kaspersky Lab’s Automatic Exploit Prevention technology, embedded in most of the company’s products.

Kaspersky Lab products detect the exploit as:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
Kaspersky Lab recommends taking the following security measures:

  • Install Microsoft’s patch for the new vulnerability as soon as possible.
  • Make sure you update all software used in your organization on a regular basis, and whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
  • Choose a proven security solution such as Kaspersky Endpoint Security that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
  • Use advanced security tools like Kaspersky Anti Targeted Attack Platform (KATA) if your company requires highly sophisticated protection.
  • Make sure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting.
  • Last, but not least, ensure your staff is trained in the basics of cybersecurity hygiene.
For further details on the new exploit see the report on Securelist.

To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky Lab webinar is available to view on demand.