'Hurricane Panda' Cyberspies Used Windows Zero-Day For Months
The vulnerability is one of multiple issues patched this week by Microsoft that have been targeted by attackers.
October 15, 2014
A sophisticated group of hackers believed to be from China has been caught using a Windows zero-day bug in a spate of attacks against technology infrastructure companies around the world.
Researchers at CrowdStrike spotted the group, dubbed "Hurricane Panda," earlier this year exploiting one of the privilege escalation vulnerabilities (CVE-2014-4113) patched Tuesday by Microsoft. The vulnerability is one of three privilege escalation issues the attackers leveraged in their campaign.
CrowdStrike first detected the attacks in spring, when the group was found on a victim's network. After the attackers were initially stopped, they continued to attempt to regain access on a daily basis.
"These attempts begin with compromising web servers and deploying Chopper webshells and then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool," blogs Dmitri Alperovitch, CTO of CrowdStrike.
"Their RAT of choice has been PlugX configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries," he continues. "Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups for popular third-party domain names. Hurricane Panda is known to use the 'ChinaChopper' Webshell, a common initial foothold for many different actors. Once uploading this webshell, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives."
The zero-day reported by CrowdStrike was also reported by FireEye, and affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen, Alperovitch says.
"The exploit code is extremely well and efficiently written, and it is 100 percent reliable," he said. "The adversary has gone through considerable effort to minimize the chance of its discovery -- the win64.exe tool was only deployed when absolutely necessary during the intrusion operations and it was deleted immediately after use. The build timestamp of the Win64.exe binary of May 3, 2014 suggests that the vulnerability was actively exploited in the wild for at least five months."
The privilege escalation issue was not the only bug patched this week by Microsoft that has been the target of zero-day attacks. Reports have surfaced that attackers have also been targeting CVE-2014-4148, which, like CVE-2014-4113, is addressed by MS14-058. Both are vulnerabilities in the Windows kernel.
Attackers have also targeted CVE-2014-4114 [MS14-060], which researchers at iSight Partners have linked to cyber-espionage attacks on NATO, Ukrainian government organizations, European telecommunications firms, the energy sector (specifically in Poland), and other targets. The group behind those attacks has been nicknamed Sandworm, and is believed to have been around since 2009.
Microsoft also identified an Internet Explorer vulnerability (CVE-2014-4123) that has been the subject of limited attacks as well. The flaw could be used to escalate privileges. It is patched by MS14-056.