Buhtrap Group Used Windows Zero-Day in Government Attack

One of the two Windows zero-day vulnerabilities fixed by Microsoft with its July 2019 Patch Tuesday updates was used by a threat group known as Buhtrap to target a government organization in Eastern Europe, according to cybersecurity firm ESET.
The flaw, tracked as CVE-2019-1132, is a privilege escalation issue related to how the Win32k component handles objects in memory. It can be exploited to execute arbitrary code in kernel mode, but it only appears to affect older versions of Windows, such as Windows 7 and Server 2008.
ESET, which informed Microsoft of the vulnerability and the attacks exploiting it, has released a blog post containing technical information on CVE-2019-1132. The company says the exploit created by Buhtrap relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years. According to ESET, the exploit for CVE-2019-1132 uses techniques very similar to the exploit for CVE-2017-0263, a Windows zero-day patched by Microsoft in May 2017 after it was used by a Russia-linked cyberspy group.
As for the attack involving CVE-2019-1132, ESET spotted it in June after it was used to target a government institution in Eastern Europe. The Buhtrap hackers leveraged the exploit to run their malware with the highest privileges on the compromised systems.
This was the first time Buhtrap had used a zero-day vulnerability in its attacks, ESET said.
The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) s ..