Attack shows careful planning and reconnaissance efforts

Oct 15, 2014 01:07 GMT  ·  By

A new, previously unknown vulnerability in a Windows kernel-mode driver has been exploited by undisclosed adversaries to remotely execute arbitrary code on a Windows machine.

Assigned the common identifier CVE-2014-4148, the security flaw resides in the way the Windows kernel-mode driver (win32k.sys) parses TrueType fonts (TTF).

An attacker exploiting it would be able to gain access to important functions on the machine, such as installing programs, viewing and altering information or creating new accounts with full administrative rights.

According to researchers at FireEye, the threat actor took advantage of the flaw by “using a Microsoft Office document to embed and deliver a malicious TTF to an international organization.”

It is important to note that the glitch does not affect the Office suite but desktop versions of Windows, XP SP3 through 8.1 (RT included), and server editions 2003 through 2012. Both 32-bit and 64-bit platforms are impacted, but in the attack observed by FireEye, only 32-bit systems were targeted.

Attackers target 32-bit systems

The security researchers found that the malware delivered through the exploit had been adapted specifically, in terms of its functions, to the operating systems targeted by the attackers.

Although the flaw affects both 32-bit and 64-bit machines, it appears that the operators exploited it only to compromise 32-bit systems.

The reason for this has not been disclosed, but since the exploit was used in targeted attacks, it is reasonable to assume that the victims worked on this architecture.

As for reaching the victim’s computer, the exploit could be delivered through a web page containing a maliciously crafted TrueType font file. Alternatively, embedding the malicious file in an Office document, as FireEye observed in this attack, would also work.

In both cases, however, user interaction is required, which is not hard to obtain in a spear-phishing type of attack.

Attack shows high level of sophistication

Security researchers say that the threat actor goes through three stages to achieve their goal. Exploitation begins with shellcode stored in the Font Program section of the malicious TTF; that shellcode then transitions from kernel mode into a user-mode process.

The last step is to decode a DLL, map it into memory and run it there; this DLL is in fact the attacker’s remote access tool, which allows control of the compromised system.
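Since the shellcode lives in the Font Program section, a defender triaging a font extracted from a suspicious document can start by reading the TTF table directory and checking the size of the hinting-program tables ('fpgm' is the Font Program table). The following Python is an added example written for this article, not FireEye's or Microsoft's code; the sample font is constructed in the block, and the size threshold is an assumption for illustration, not a published indicator for CVE-2014-4148.

```python
import struct

def build_sample_ttf(tables):
    """Build a minimal sfnt container (offset table + table directory + data).
    `tables` maps a 4-char tag to bytes. Constructed for this example; the
    checksum field is left at 0, which a real font would not do."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    offset = 12 + 16 * num            # data starts right after the directory
    directory, data = b"", b""
    for tag, blob in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(blob))
        padded = blob + b"\0" * (-len(blob) % 4)   # tables are 4-byte aligned
        data += padded
        offset += len(padded)
    return header + directory + data

def parse_table_directory(buf):
    """Return {tag: (offset, length)} from the sfnt table directory,
    rejecting any record that points outside the buffer."""
    if len(buf) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack_from(">IH", buf, 0)
    if sfnt_version not in (0x00010000, 0x74727565):   # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt container")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(buf):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", buf, rec)
        if offset < 12 or offset + length > len(buf):
            raise ValueError(f"table {tag!r} lies outside the file")
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def triage_hinting_tables(buf, max_fpgm_bytes=8192):
    """Report the sizes of the hinting-program tables: 'fpgm' (Font Program),
    'prep' and 'cvt '. The size threshold is an assumption made for this
    example, not a published indicator for CVE-2014-4148."""
    tables = parse_table_directory(buf)
    report = {"tables": sorted(tables)}
    for tag in ("fpgm", "prep", "cvt "):
        if tag in tables:
            report[tag] = tables[tag][1]
    report["oversized_fpgm"] = report.get("fpgm", 0) > max_fpgm_bytes
    return report
```

An unusually large or otherwise anomalous Font Program table is only a reason to look closer; the font should still be examined in a sandbox rather than rendered on a production host.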

FireEye notes several aspects that differentiate this threat actor from run-of-the-mill cybercriminals. Among them is the high degree of customization, not only for the shellcode, which is compatible with multiple operating systems, but also for the remote access capability and the dropped malware.

All this, coupled with the fact that the remote access tool runs in memory, indicates careful planning of each stage of the attack as well as good knowledge of the targeted environment, which is characteristic of entities with large budgets, such as intelligence organizations.

This is not the only vulnerability FireEye shared privately with Microsoft. Another kernel-mode driver glitch (CVE-2014-4113), allowing privilege escalation, was also reported by the security company. CrowdStrike detected it being leveraged in a cyber espionage campaign believed to be linked to China.

Both security companies collaborated with Microsoft to develop a patch scheduled to be pushed to Windows users through Microsoft's monthly security updates.