Group is believed to operate under the Chinese flag

Oct 14, 2014 22:55 GMT

A cyber espionage group known as Hurricane Panda has taken advantage of a zero-day vulnerability in Windows that gave them administrative privileges on the affected systems.

The group is believed to be from China and targets infrastructure companies. Its attacks have exploited multiple vulnerabilities, the most severe of which, a previously unknown flaw now identified as CVE-2014-4113, was leveraged against 64-bit Windows platforms to gain a foothold in the target's network.

CVE-2014-4113 affects all Windows operating systems from Windows 2000 through Windows 7. Exploiting it grants elevated privileges because the Windows kernel-mode driver (Win32k.sys) does not handle objects in memory correctly; this could lead to remote execution of arbitrary code in kernel mode.

Privilege escalation exploit prepared for 64-bit platforms

CrowdStrike, one of the two companies working with Microsoft to prepare a patch for Windows users, says it found the Hurricane Panda attack when one of its systems picked up suspicious activity on a 64-bit Windows Server 2008 R2 machine.

Further exploration of the matter led to the discovery of Win64.exe, which was used from a webshell to elevate privileges for a command that added a new administrator account to the local group of the targeted machine.

“Subsequent analysis of the Win64.exe binary revealed that it exploits a previously unknown vulnerability to elevate its privileges to those of the SYSTEM user and then create a new process with these access rights to run the command that was passed as argument,” CrowdStrike co-founder and CTO Dmitri Alperovitch writes in a blog post.

At 55 kilobytes, the binary is very small and contains a limited set of functions that allow it to execute a command as a new process with SYSTEM privileges.

The steps it goes through to achieve this include creating a memory section that stores a pointer to a function, triggering a memory corruption vulnerability in the window manager, and replacing the access token pointer in its own EPROCESS structure with the one belonging to the System process.
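As an added defender-side example (not code from the article or from CrowdStrike), the following Python flags the chain described above in process-creation telemetry: a process spawned beneath a web-server worker that ends up running as SYSTEM, or one that adds a local administrator. The worker image names, record field names and sample records are assumptions constructed for the example.

```python
from typing import NamedTuple

class Proc(NamedTuple):
    """One process-creation record; field names are assumptions (map to EDR or Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    user: str
    cmdline: str

# Assumed web-server worker images; nothing they spawn should legitimately end up running as SYSTEM.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def web_ancestor(proc, by_pid, max_depth=8):
    """Walk up the parent chain; return the first web-worker ancestor, or None."""
    for _ in range(max_depth):
        proc = by_pid.get(proc.ppid)
        if proc is None:
            return None
        if proc.image.lower() in WEB_WORKERS:
            return proc
    return None

def adds_local_admin(cmdline):
    """True for 'net localgroup administrators <user> /add' style command lines."""
    return all(t in cmdline.lower() for t in ("localgroup", "administrators", "/add"))

def find_escalations(procs):
    """Flag processes under a web worker that run as SYSTEM (worker did not) or add a local admin."""
    by_pid = {p.pid: p for p in procs}
    hits = []  # (web_worker_pid, suspicious_pid, reason)
    for p in procs:
        anc = web_ancestor(p, by_pid)
        if anc is None:
            continue
        if p.user == SYSTEM_USER and anc.user != SYSTEM_USER:
            hits.append((anc.pid, p.pid, "web worker descendant running as SYSTEM"))
        if adds_local_admin(p.cmdline):
            hits.append((anc.pid, p.pid, "local administrator added from web worker subtree"))
    return hits

# Constructed sample telemetry approximating the reported chain: webshell -> Win64.exe -> SYSTEM command.
SAMPLE = [
    Proc(1, 0, "services.exe", SYSTEM_USER, "services.exe"),
    Proc(1200, 1, "w3wp.exe", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe -ap DefaultAppPool"),
    Proc(2040, 1200, "cmd.exe", "IIS APPPOOL\\DefaultAppPool", "cmd.exe /c Win64.exe"),
    Proc(2052, 2040, "Win64.exe", "IIS APPPOOL\\DefaultAppPool", 'Win64.exe "net localgroup administrators webadmin /add"'),
    Proc(2060, 2052, "net.exe", SYSTEM_USER, "net localgroup administrators webadmin /add"),
]
```

Running `find_escalations(SAMPLE)` reports both the SYSTEM-level net.exe under the worker and the administrator-adding command lines, while the service host tree is left alone.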

Attackers took advantage of the vulnerability for at least five months

If Hurricane Panda is a Chinese group, then they are a very different adversary than the one described by FBI director James Comey recently.

Alperovitch notes that “the exploit code is extremely well and efficiently written, and it is 100 percent reliable.” Moreover, the threat actors went to great lengths to make sure it was not easy to discover, deploying the malicious tool only when it was required.

By CrowdStrike's estimate, the vulnerability was exploited for at least five months, since the build timestamp of the Win64 executable was May 3, 2014.

The vulnerability was privately reported to Microsoft by both CrowdStrike and FireEye, who conducted a separate study of the attack. A patch for it is available as part of the monthly security updates released by Microsoft on Tuesday.

Important to note is that this vulnerability is different from the one reported earlier by iSight Partners, which is tracked as CVE-2014-4114 and was leveraged by a Russian cyber-espionage group dubbed Sandworm because of its many references to the science fiction series Dune.