Microsoft Patch Tuesday updates for July 2019 address a total of 77 vulnerabilities, including two privilege escalation flaws actively exploited in the wild.
The first vulnerability, tracked as CVE-2019-1132, affects the Win32k component and could be exploited to run arbitrary code in kernel mode. The second one, tracked as CVE-2019.0880, affects Windows 7 and Server 2008. The issue resides in the way splwow64 (Thunking Spooler APIs) handles certain calls.
According to experts at ESET, the Windows zero-day flaw CVE-2019-1132 was exploited by the Buhtrap threat actor in a targeted attack aimed at a government organization in Eastern Europe. Experts pointed out that this was the first time Buhtrap had used a zero-day flaw in its operations.
Since August of 2015, the Buhtrap group has conducted 13 successful attacks against financial institutions stealing more than ₽1
Back to nowadays, ESET reported the attacks exploiting the CVE-2019-1132 to Microsoft. Buhtrap threat actor developed an exploit that relies on popup menu objects, a technique that was observed in other attacks over the years.
“The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.“
ESET researchers discovered that the flaw was exploited in an attack aimed at a government institution in Eastern Europe in June.
Attackers used a weaponized document to deliver a backdoor that also implements info-stealing capabilities through a module called “grabber.”
“The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server.” continues the report. “The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.”
The group apparently shifted targets, but the real reason it is still unclear.
“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing