The zero-day vulnerability was actively exploited in the wild for at least five months

Posted: October 15, 2014 in IT Security News


Hurricane Panda: CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda

The initial sample was detected on a machine running 64-bit Windows Server 2008 R2.

Hurricane Panda, a highly organized hacker group apparently located in China that targets companies with large infrastructures, has been using an exploit for a zero-day vulnerability in Microsoft Windows in its attacks. The activity lasted more than five months: according to CrowdStrike researchers, the earliest detected use of the exploit dates to spring of this year.

The researchers also note that the original sample was found on a machine running 64-bit Windows Server 2008 R2. From it they reconstructed the attack chain: the attackers first compromise a web server, then deploy the China Chopper web shell to execute commands on it. To elevate beyond the web server's account, they run a local privilege escalation tool that exploits the newly identified zero-day vulnerability. The exploit yields SYSTEM privileges, and the attackers spawn a new process with those rights, which they use to collect confidential data.

“Adversaries often use known privilege escalation vulnerabilities to gain administrator-level access, but true zero-day exploits are rare and therefore particularly interesting when observed in the wild,” the researchers explained.

The bug affects x64 Windows versions up to and including Windows 7 and Windows Server 2008 R2. Yesterday, Microsoft published security bulletin MS14-058 with a patch that fixes the vulnerability (CVE-2014-4113).

Vulnerability and Exploit Details:

On 32-bit Windows the exploit triggers an out-of-bounds memory access: the kernel adds structure-field offsets to a high 32-bit address, the sum wraps around the 32-bit address space, and the dereferences land in low memory. On 64-bit Windows the same additions are performed on 64-bit pointers and do not wrap, so the 64-bit exploit, the variant CrowdStrike observed, has to reach the dereferenced memory differently.
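To make the 32-bit versus 64-bit contrast concrete, here is an added C illustration. It is not code from the CrowdStrike or FireEye reports, and not the exploit: it takes an assumed high 32-bit address (0xfffffffb, chosen because it sits in the top page of a 32-bit address space) and assumed field offsets, adds them the way a 32-bit and a 64-bit kernel would, and classifies where each access lands. The base address, the offsets, the page size and the x64 user/kernel split constant are illustrative assumptions; none of them are taken from win32k.sys.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the CrowdStrike or FireEye reports.
 * It models the address arithmetic described in the text: field offsets
 * are added to a high 32-bit address, and the result either wraps (32-bit
 * pointers) or does not (64-bit pointers). The base address and the field
 * offsets are assumed example values, not offsets from win32k.sys. */

#define PAGE_SIZE          0x1000u
/* Assumed canonical user/kernel split of 64-bit Windows user mode. */
#define X64_USER_SPACE_END 0x0000800000000000ULL

/* Assumed example: an address in the top page of the 32-bit address space. */
static const uint32_t EXAMPLE_HIGH_BASE = 0xfffffffbu;

/* Assumed example field offsets into a kernel object, in bytes. */
static const uint32_t EXAMPLE_FIELD_OFFSETS[] = { 0x08, 0x14, 0x60, 0xa0 };
#define N_EXAMPLE_FIELDS (sizeof EXAMPLE_FIELD_OFFSETS / sizeof EXAMPLE_FIELD_OFFSETS[0])

/* 32-bit kernel: pointer arithmetic is modulo 2^32, so base + offset wraps. */
uint32_t field_addr32(uint32_t base, uint32_t offset)
{
    return base + offset;
}

/* 64-bit kernel: the 32-bit value is widened (zero-extended) to 64 bits
 * before the add, so the sum does not wrap; it just crosses 0x1_0000_0000. */
uint64_t field_addr64(uint32_t base, uint32_t offset)
{
    return (uint64_t)base + offset;
}

/* First page of the address space. A kernel dereference that wraps into it
 * reads memory a user-mode process can arrange to control. */
bool lands_in_null_page(uint64_t addr)
{
    return addr < PAGE_SIZE;
}

/* On x64, any address below the split is user-mode memory. */
bool in_x64_user_range(uint64_t addr)
{
    return addr < X64_USER_SPACE_END;
}

typedef struct {
    int wrapped_to_null_page_32; /* 32-bit accesses that wrap into the first page */
    int wrapped_to_null_page_64; /* 64-bit accesses that do so (expected: none) */
    int user_range_64;           /* 64-bit accesses that still lie in user space */
} wrap_stats;

/* Classify every field access for both pointer widths. */
wrap_stats classify_accesses(uint32_t base, const uint32_t *offsets, size_t n)
{
    wrap_stats s = { 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        uint32_t a32 = field_addr32(base, offsets[i]);
        uint64_t a64 = field_addr64(base, offsets[i]);
        if (lands_in_null_page(a32)) s.wrapped_to_null_page_32++;
        if (lands_in_null_page(a64)) s.wrapped_to_null_page_64++;
        if (in_x64_user_range(a64))  s.user_range_64++;
    }
    return s;
}

int main(void)
{
    for (size_t i = 0; i < N_EXAMPLE_FIELDS; i++) {
        uint32_t off = EXAMPLE_FIELD_OFFSETS[i];
        uint32_t a32 = field_addr32(EXAMPLE_HIGH_BASE, off);
        uint64_t a64 = field_addr64(EXAMPLE_HIGH_BASE, off);
        printf("offset 0x%02x: 32-bit -> 0x%08x (%s), 64-bit -> 0x%09llx (%s)\n",
               off, a32,
               lands_in_null_page(a32) ? "wrapped into first page" : "high memory",
               (unsigned long long)a64,
               lands_in_null_page(a64) ? "first page" : "no wrap");
    }
    wrap_stats s = classify_accesses(EXAMPLE_HIGH_BASE, EXAMPLE_FIELD_OFFSETS, N_EXAMPLE_FIELDS);
    printf("32-bit: %d of %zu field accesses wrap into the first page\n",
           s.wrapped_to_null_page_32, N_EXAMPLE_FIELDS);
    printf("64-bit: %d wrap; %d still fall in the user-mode address range\n",
           s.wrapped_to_null_page_64, s.user_range_64);
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 wrap.c`). In the 32-bit column every assumed offset wraps into the first page, which is the memory a 32-bit exploit of this shape has to control; in the 64-bit column nothing wraps, but every computed address still lies below the assumed user/kernel split, which is why a 64-bit exploit must approach the dereferenced memory differently from the 32-bit one.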


Links:

A more detailed description of the vulnerability is available at: http://www.fireeye.com/blog/
The full version of the report is available at: http://blog.crowdstrike.com/
