The fourth horseman: CVE-2019-0797 vulnerability

[harlan4096]

The fourth horseman: CVE-2019-0797 vulnerability

In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery.

This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
   
2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).
   

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

• HEUR:Exploit.Win32.Generic
  
• HEUR:Trojan.Win32.Generic
  
• PDM:Exploit.Win32.Generic 
  

 

Continue Reading