A new Microsoft Windows zero-day vulnerability, known as the ALPC LPE, has been exploited in the wild. What makes it particularly dangerous is that the attacks began soon after the details were published online. Users all over the world are affected.
PowerPool Hackers Are Behind Attacks Using the Windows Zero-day Vulnerability
Details about the Windows LPE zero-day vulnerability were initially posted on August 27 2018 on GitHub and popularized via a Twitter post which was later deleted. Even so, the details reached attackers: there are already reports of attacks leveraging it.
The vulnerability is a bug in the Windows operating system itself, affecting versions from Windows 7 through Windows 10, in the handling of Advanced Local Procedure Call (ALPC) requests; the result is a Local Privilege Escalation (LPE). It allows code already running on the machine as a normal user to gain SYSTEM privileges and modify the system at will. The original tweet linked to a GitHub repository containing proof-of-concept code, so anyone can download the sample and use it as they like: in its original form, modified, or embedded in a payload.
The vulnerability has been assigned the identifier CVE-2018-8440. Microsoft's advisory describes it as follows:
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.
The PowerPool hackers, a previously unknown hacking collective, have been found to be orchestrating an attack campaign. So far only a relatively small number of victims has been affected, but the locations of the infected machines show that the campaign is global. Confirmed infections come from countries such as the following: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.
The mode of operation lies in the abuse of an API function (the Task Scheduler's SchRpcSetSecurity method, reachable over ALPC) that does not check the caller's permissions in the prescribed manner. This let the PowerPool hackers grant themselves write permissions on files in the Tasks folder (C:\Windows\Tasks) and, by pointing a hard link in that folder at a file elsewhere on the system, replace files that are normally write-protected from an account with read-only access. The replaced file then serves as the vehicle for the local privilege escalation and delivers the malicious payload to the infected host.
The security analysis has revealed that the main target chosen by the attackers so far is the Google Update executable: a legitimate program that performs automatic update checks and is commonly run with administrative privileges by a predefined Windows scheduled task. The exploit overwrites this executable with second-stage malware, which is then started with elevated privileges the next time the task runs.
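One way to turn the chain described above into a detection, as an added example written for this article (it is not code from the original report or from the researchers who analysed PowerPool): it runs over a few constructed Sysmon-style events (EventID 11 FileCreate and EventID 1 ProcessCreate; the field names, account names, paths and the known-good hash are assumptions and placeholders) and flags a non-privileged account writing into C:\Windows\Tasks, that same account then overwriting an executable under Program Files, and the replaced executable later being launched as SYSTEM with a hash that no longer matches the known-good value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Paths are compared case-insensitively, as NTFS does.
TASKS_DIR = r"c:\windows\tasks"
PROTECTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")
PRIVILEGED_USERS = {r"nt authority\system", r"nt authority\local service", r"nt authority\network service"}
# Known-good hash of the binary the scheduled task runs. Constructed placeholder:
# take the real value from a clean host before using this.
KNOWN_GOOD_HASHES = {r"c:\program files (x86)\google\update\googleupdate.exe": "sha256=1111111111111111"}


@dataclass
class Event:
    """Minimal Sysmon-like record: EventID 11 = FileCreate, EventID 1 = ProcessCreate (assumed field names)."""
    ts: datetime
    event_id: int
    user: str         # account the acting process runs as
    image: str        # acting process (FileCreate) or parent image (ProcessCreate)
    target: str       # TargetFilename for EventID 11, Image for EventID 1
    hashes: str = ""  # Sysmon 'Hashes' field on ProcessCreate, e.g. "SHA256=...,MD5=..."


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def is_privileged(user: str) -> bool:
    return user.lower() in PRIVILEGED_USERS


def in_protected_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in PROTECTED_DIRS)


def detect(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per suspicious step; 'stage' is 'write', 'launch' or 'hash'."""
    alerts: List[Dict] = []
    last_tasks_write: Dict[str, datetime] = {}  # user -> latest write into the Tasks folder
    replaced: Dict[str, tuple] = {}             # protected path -> (user, ts) of the overwrite
    for e in sorted(events, key=lambda ev: ev.ts):
        user, target = e.user.lower(), _norm(e.target)
        if e.event_id == 11:
            if is_privileged(user):
                continue  # the Task Scheduler service itself writes here all the time
            if target.startswith(TASKS_DIR + "\\"):
                last_tasks_write[user] = e.ts
            elif in_protected_dir(target):
                reason = "non-privileged account wrote into a protected directory"
                prior = last_tasks_write.get(user)
                if prior is not None and e.ts - prior <= window:
                    reason += " shortly after writing into C:\\Windows\\Tasks"
                alerts.append({"stage": "write", "ts": e.ts, "user": e.user, "path": e.target, "reason": reason})
                replaced[target] = (e.user, e.ts)
        elif e.event_id == 1:
            if target in replaced and is_privileged(user):
                who, when = replaced[target]
                alerts.append({"stage": "launch", "ts": e.ts, "user": e.user, "path": e.target,
                               "reason": f"runs as {e.user} but was overwritten by {who} at {when:%H:%M:%S}"})
            expected = KNOWN_GOOD_HASHES.get(target)
            if expected is not None and expected not in e.hashes.lower():
                alerts.append({"stage": "hash", "ts": e.ts, "user": e.user, "path": e.target,
                               "reason": f"hash {e.hashes} does not match known-good {expected}"})
    return alerts


T0 = datetime(2018, 9, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    # benign: the Task Scheduler service maintaining its own files
    Event(T0, 11, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Tasks\SA.DAT"),
    # stage 1: a user-level process writes into the Tasks folder (ACL abuse / hard-link target)
    Event(T0 + timedelta(seconds=30), 11, r"DESKTOP\alice", r"C:\Users\alice\Downloads\stage1.exe",
          r"C:\Windows\Tasks\UpdateTask.job"),
    # stage 2: the same process overwrites the executable the scheduled task will run
    Event(T0 + timedelta(seconds=31), 11, r"DESKTOP\alice", r"C:\Users\alice\Downloads\stage1.exe",
          r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    # benign: ordinary user activity
    Event(T0 + timedelta(minutes=5), 1, r"DESKTOP\alice", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", "SHA256=2222222222222222"),
    # stage 3: the task fires and the replaced binary runs as SYSTEM with an unexpected hash
    Event(T0 + timedelta(hours=1), 1, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
          r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "SHA256=DEADBEEFDEADBEEF"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['stage']}] {a['ts']:%H:%M:%S} {a['user']} {a['path']}: {a['reason']}")
```

On the sample data the script raises three alerts, one per stage; the two benign events produce none. In a real deployment the hash check is the most robust of the three, since the first two depend on the acting account not already being SYSTEM, while a signed, unmodified GoogleUpdate.exe will always match the recorded known-good value.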
Mode of Operations of the Windows Zero-day Vulnerability
The PowerPool hackers have devised a custom backdoor that is delivered to the infected hosts. Its command-and-control addresses are hardcoded, which signals that this is an early version; later versions could be programmed to contact a predefined server that hands out the current hacker-controlled host. Once connected to the command-and-control server, the backdoor accepts commands from the operators. The supported ones are the following: command execution, process killing, file upload and download, and folder listing.
Once persistent, the backdoor has been observed deploying several publicly available tools that let the criminals move laterally to other machines on the same network:
- PowerDump — a PowerShell script from the Metasploit project that dumps account password hashes from the Windows Security Account Manager (SAM).
- PowerSploit — a PowerShell post-exploitation framework (not a Metasploit module) that lets the hackers script their post-exploitation activity.
- SMBExec — a PowerShell-based tool for making SMB connections to other hosts (SMB is the Windows file-sharing protocol; Samba is the open-source implementation of it).
- Quarks PwDump — a utility that dumps stored Windows credentials such as local account hashes and cached domain credentials.
- FireMaster — a tool for recovering stored passwords from user-installed applications such as web browsers, email clients and instant messaging apps.
Update! Microsoft released a security update fixing CVE-2018-8440 in its September 2018 Patch Tuesday release. Install the latest available updates on your systems as soon as possible!