CVE-2016-0167, a zero-day exploit addressed in April’s Patch Tuesday, has apparently been leveraged by attackers, FireEye research reveals. Cyber criminals have exploited the vulnerability in targeted attacks on more than 100 US companies.
FireEye’s blog post on the matter discloses that threat actors have initiated spear-phishing attacks in March this year. Victims of the campaigns include companies in various industries, such as retail, restaurant, and hospitality.
CVE-2016-0167 Official Description
Q The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0143 and CVE-2016-0165.
A Look Into the CVE-2016-0167 Attack
Where was the escalation of privileges vulnerability exactly located? In the win32l Windows Graphics subsystem. “CVE-2016-0167 is a local elevation of privilege vulnerability in the win32k Windows Graphics subsystem. An attacker who had already achieved remote code execution (RCE) could exploit this vulnerability to elevate privileges“, FireEye researchers write.
As for the spear phishing attacks, it’s known that spear phishing emails have been sent out containing malicious Microsoft Word attachments.
Learn More about Phishing and Its Forms
Upon opening the attachment, embedded macros would execute a downloader identified as Punchbuggy.
What Is Punchbuggy?
It’s a DLL downloader, which has both 32-bit and 64-bit versions. The downloader transfers malicious code through HTTPS. It was employed by the attackers to interact with the targeted systems and “move laterally across victim environments“.
However, the vulnerability exploit didn’t do the dirty job by itself, as it was combined with a point-of-sale memory scraping tool known as Punchtrack. The scenario led to the attack on over 100 US companies, and as a result track 1 and 2 credit card data were stolen from the companies’ PoS systems.
Luckily, the vulnerability has been fixed in recent Microsoft updates. However, if a system hasn’t applied the fix, it may still be vulnerable. So, make sure your Windows is up-to-date, and don’t give attackers a way to exploit you and your finances.
Have a look at Microsoft’s Latest Patch Tuesday