In early March, our proactive security technologies uncovered an attempt to exploit a vulnerability in Microsoft Windows. The analysis revealed a zero-day vulnerability in our old friend win32k.sys, in which similar vulnerabilities have been discovered four times already. We reported the problem to the developer, and the vulnerability was fixed with a patch, released on April 10.
What are we dealing with?
CVE-2019-0859 is a Use-After-Free vulnerability in the system function that handles dialog windows, or more precisely, their additional styles. The exploit found in the wild targeted 64-bit versions of the OS, from Windows 7 to the latest builds of Windows 10. Exploitation of the vulnerability allows the malware to download and execute a script written by the attackers, which in the worst-case scenario results in full control over the infected PC.
Or, at least, that is how the still-unidentified APT group tried to use it. Using the vulnerability, they gained sufficient privileges to install a back door created with Windows PowerShell. In theory, that should allow the cybercriminals to remain hidden. Through this back door the weaponized payload was loaded, which then gave the cybercriminals full access to the entire infected computer. See Securelist for details of how the exploit works.
How to stay protected
All of the following protection methods have been listed several times before, and there is nothing particularly new to add.
- First, install the update from Microsoft to close the vulnerability.
- Regularly update all software used at your company, in particular, operating systems, to the very latest versions.
- Use security solutions with behavioral analysis technologies that can even detect as-yet unknown threats.
The exploit for the CVE-2019-0859 vulnerability was initially identified using the Behavioral Detection Engine and Automatic Exploit Prevention technologies, which are part of our Kaspersky Endpoint Security for Business solution.
If your administrators or information security team need a deeper understanding of the methods employed to detect Microsoft zero-day threats, we recommend the Windows zero-days in three months: How we found them in the wild webinar recording.