A sophisticated group of hackers believed to be from China has been caught using a Windows zero-day bug in a spate of attacks against technology infrastructure companies around the world.
Dubbed "Hurricane Panda," researchers at CrowdStrike spotted the group earlier this year exploiting one of the privilege escalation vulnerabilities (CVE-2014-4113) patched Tuesday by Microsoft. The vulnerability is one of three privilege escalation issues the attackers leveraged in their campaign.
CrowdStrike first detected the attacks in spring, when the group was detected on a victim's network. After the attackers were initially stopped, they continued to attempt to regain access on a daily basis.
"These attempts begin with compromising web servers and deploying Chopper webshells and then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool," blogs Dmitri Alperovitch, CTO of CrowdStrike.
"Their RAT of choice has been PlugX configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries," he continues. "Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups for popular third-party domain names. Hurricane Panda is known to use the 'ChinaChopper' Webshell, a common initial foothold for many different actors. Once uploading this webshell, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives."
The zero-day reported by CrowdStrike was also reported by FireEye, and affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen, Alperovitch says.
"The exploit code is extremely well and efficiently written, and it is 100 percent reliable," he said. "The adversary has gone through considerable effort to minimize the chance of its discovery -- the win64.exe tool was only deployed when absolutely necessary during the intrusion operations and it was deleted immediately after use. The build timestamp of the Win64.exe binary of May 3, 2014 suggests that the vulnerability was actively exploited in the wild for at least five months."
The privilege escalation issue was not the only bug patched this week by Microsoft that has been the target of zero-day attacks. Reports have surfaced that attackers have also been targeting CVE-2014-4148, which, like CVE-2014-4113, is addressed by MS14-058. Both are vulnerabilities in the Windows kernel.
Attackers have also targeted CVE-2014-4114 [MS14-060], which researchers at iSight Partners have linked to cyber-espionage attacks on NATO, Ukrainian government organizations, European telecommunications firms, the energy sector (specifically in Poland), and other targets. The group behind those attacks has been nicknamed Sandworm, and is believed to have been around since 2009.
Microsoft also identified an Internet Explorer vulnerability (CVE-2014-4123) that has been the subject of limited attacks as well. The flaw could be used to escalate privileges. It is patched by MS14-056.