Microsoft Patch Tuesday updates for July 2019 address a total of 77 vulnerabilities, including two privilege escalation flaws actively exploited in the wild.
The first vulnerability, tracked as CVE-2019-1132, affects the Win32k component and could be exploited to run arbitrary code in kernel mode. The second one, tracked as CVE-2019.0880, affects Windows 7 and Server 2008. The issue resides in the way splwow64 (Thunking Spooler APIs) handles certain calls.
According to experts at ESET, the Windows zero-day flaw CVE-2019-1132 was exploited by the Buhtrap threat actor in a targeted attack aimed at a government organization in Eastern Europe. Experts pointed out that this was the first time Buhtrap had used a zero-day flaw in its operations.
Since August of 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions stealing more than ₽1
Back to nowadays, ESET reported the attacks exploiting the CVE-2019-1132 to Microsoft. Buhtrap threat actor developed an exploit that relies on popup menu objects, a technique that was observed in other attacks over the years.
“The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.“
ESET researchers discovered that the flaw was exploited in an attack aimed at a government institution in Eastern Europe in June.
Attackers used a weaponized document to deliver a backdoor that also implements info-stealing capabilities through a module called “grabber.”
“The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server.” continues the report. “The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.”
The group apparently shifted targets, but the real reason it is still unclear.
“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.