CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda
The first sample of the exploit was found on a machine running 64-bit Windows Server 2008 R2.
Hurricane Panda, a highly organized attack group apparently based in China that targets companies with large infrastructures, is using a zero-day exploit against a Microsoft product in its attacks. The campaign has lasted more than five months; according to CrowdStrike researchers, the first detected attack took place in the spring of 2014.
The researchers also note that the original sample was found on a machine running 64-bit Windows Server 2008 R2. From it they established that the attack begins with the compromise of a web server, followed by the deployment of the China Chopper web shell. Through the web shell the attackers run a local privilege escalation tool that exploits the newly identified zero-day. Ultimately they obtain SYSTEM privileges and start a new process with those rights, which they use to collect confidential data.
“Adversaries often use known privilege escalation vulnerabilities to gain administrator-level access, but true zero-day exploits are rare and therefore particularly interesting when observed in the wild,” the researchers explained.
The exploit works against all x64 Windows versions up to and including Windows 7 and Windows Server 2008 R2. Yesterday (October 14, 2014) Microsoft published security bulletin MS14-058, which covers all supported Windows releases, and issued a patch that fixes the vulnerability (CVE-2014-4113).
Vulnerability and Exploit Details:
The vulnerability is in win32k.sys: xxxMNFindWindowFromPoint can return the error values -1 or -5 instead of a window pointer, and its caller xxxHandleMenuMessages checks only for -1 before using the value as a pointer. The 32-bit exploit turns this into an out-of-bounds memory access: adding a field offset to 0xFFFFFFFB wraps around to a low address, which the exploit controls by mapping the null page. In the 64-bit version of the exploit, offsets dereferenced from that high 32-bit address do not wrap, so the null-page layout of the 32-bit exploit cannot be reused as-is.
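The following is an added user-space model of the pointer arithmetic described above; it is not CrowdStrike's code or the win32k source. A lookup routine returns -5 in place of a pointer, the caller checks only for -1 and then reads a field at a small offset, and a tiny simulated address space shows where that read lands and therefore where an exploit has to put its fake structure. The function names, the field offset (0x10), the four-page address space and the 0x42 fill pattern are all hypothetical stand-ins.

```c
/* Added model of the CVE-2014-4113 pointer arithmetic (hypothetical names and
 * layout; not the real win32k code). Shows the -5 return value being used as a
 * pointer, the 32-bit wrap into the null page, the 64-bit non-wrap, and a
 * fixed caller that rejects every negative "pointer". */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    0x1000u
#define MAX_MAPPINGS 4
#define NO_ADDRESS   UINT64_MAX   /* caller refused to dereference */

/* Error values the lookup returns in place of a pointer (-1 / -5 pattern). */
#define LOOKUP_NOT_FOUND ((int32_t)-1)
#define LOOKUP_BAD_STATE ((int32_t)-5)

/* Offset of the field the caller reads from the supposed window object.
 * Hypothetical; the real structure layout is not modelled. */
#define FIELD_OFFSET 0x10u

/* A tiny model of an address space: up to four mapped 4 KiB pages. */
struct mapping   { uint64_t base; uint8_t data[PAGE_SIZE]; };
struct addr_space { struct mapping maps[MAX_MAPPINGS]; int count; };

/* Map one page at a fixed base, filled with the attacker's byte pattern
 * (stand-in for placing a fake structure at a chosen address). */
static bool map_page(struct addr_space *as, uint64_t base, uint8_t fill)
{
    if (as->count >= MAX_MAPPINGS || (base & (PAGE_SIZE - 1)) != 0)
        return false;
    as->maps[as->count].base = base;
    memset(as->maps[as->count].data, fill, PAGE_SIZE);
    as->count++;
    return true;
}

/* Translate a modelled address to storage; NULL models a page fault. */
static const uint8_t *resolve(const struct addr_space *as, uint64_t addr)
{
    for (int i = 0; i < as->count; i++)
        if (addr >= as->maps[i].base && addr - as->maps[i].base < PAGE_SIZE)
            return &as->maps[i].data[addr - as->maps[i].base];
    return NULL;
}

/* The lookup failing the way the exploit makes it fail. */
static int32_t find_window_from_point(void) { return LOOKUP_BAD_STATE; }

/* Vulnerable caller: checks only for -1, then computes pwnd + FIELD_OFFSET.
 * With is64 the 32-bit return value is zero-extended into a 64-bit register
 * and the add does not wrap; otherwise it is done in 32 bits and wraps. */
static uint64_t vuln_field_address(bool is64, int32_t ret)
{
    if (ret == LOOKUP_NOT_FOUND)
        return NO_ADDRESS;                   /* -5 passes this check */
    uint32_t pwnd32 = (uint32_t)ret;         /* 0xFFFFFFFB */
    if (is64)
        return (uint64_t)pwnd32 + FIELD_OFFSET;   /* 0x10000000B, no wrap */
    return (uint32_t)(pwnd32 + FIELD_OFFSET);     /* 0x0000000B, wrapped */
}

/* Fixed caller: every negative "pointer" is an error and is never used. */
static uint64_t fixed_field_address(bool is64, int32_t ret)
{
    if (ret < 0)
        return NO_ADDRESS;
    return vuln_field_address(is64, ret);
}

/* Page an exploit must map so that the bad read lands in its memory. */
static uint64_t page_for_address(uint64_t addr)
{
    return addr & ~(uint64_t)(PAGE_SIZE - 1);
}

/* Map a page of 0x42 bytes at fake_page, trigger the bug, and report what the
 * vulnerable code read: 0x42 if it hit attacker memory, -1 on a fault,
 * -2 if the caller's check stopped the dereference. */
static int simulate_bad_read(bool is64, uint64_t fake_page)
{
    struct addr_space as = { .count = 0 };
    if (!map_page(&as, fake_page, 0x42))
        return -1;
    uint64_t target = vuln_field_address(is64, find_window_from_point());
    if (target == NO_ADDRESS)
        return -2;
    const uint8_t *p = resolve(&as, target);
    return p ? *p : -1;
}

int main(void)
{
    uint64_t a32 = vuln_field_address(false, find_window_from_point());
    uint64_t a64 = vuln_field_address(true, find_window_from_point());
    printf("32-bit read at 0x%llx, null page mapped -> %d\n",
           (unsigned long long)a32, simulate_bad_read(false, 0));
    printf("64-bit read at 0x%llx, null page mapped -> %d, page 0x%llx mapped -> %d\n",
           (unsigned long long)a64, simulate_bad_read(true, 0),
           (unsigned long long)page_for_address(a64),
           simulate_bad_read(true, page_for_address(a64)));
    return 0;
}
```

On the 32-bit path the read lands at 0xB, so mapping the null page is enough; on the 64-bit path it lands at 0x10000000B, the null page is never touched, and only a page spanning the 4 GiB boundary (here 0x100000000) puts attacker data under the read. The fixed caller returns NO_ADDRESS for both -1 and -5, which is the shape of check a patch for this bug class needs: reject the whole range of sentinel values, not one of them.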