Security News Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group

silversurfer · Sep 5, 2018

A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.

According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland

upnorth · Sep 5, 2018

Was a bit unsure first but suspected correct as it is the ALPC interface vulnerability. It does exist a short term solution from a Karsten Nilsen but one need to read more about it first.

More info here :
Vulnerability Note VU#906424 - Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface

The fix from 0patch I'm personal a bit unsure about but that will hopefully be confirmed shortly.

shmu26 · Sep 6, 2018

It's a real nasty. It replaces the legit GoogleUpdate.exe with a false one, thus getting its foot into Task Scheduler.
Windows Task Scheduler Zero Day Exploited by Malware

Gandalf_The_Grey · Sep 6, 2018

What do you guys think about using 0patch?

shmu26 · Sep 6, 2018

Gandalf_The_Grey said:
What do you guys think about using 0patch?

I am not worried about this exploit.
1 It will never even get started on a default/deny setup.
2 The analysts say the remotely controlled backdoor that it installs is probably only used against hand-picked targets.

Itachi Sempai · Sep 8, 2018

shmu26 said:
It's a real nasty. It replaces the legit GoogleUpdate.exe with a false one, thus getting its foot into Task Scheduler.
Windows Task Scheduler Zero Day Exploited by Malware

i would like to see a sample

Eddie Morra · Sep 8, 2018

VirusTotal
VirusTotal
VirusTotal

First one is a first-stage backdoor, the other two are second-stage; hashes were provided by ESET on the PowerPool article and can be found on the IOCs section.

If anyone needs the samples but cannot download them, send me a PM.

upnorth · Sep 12, 2018

CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability

Search

Security News Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group

silversurfer

Level 85

upnorth

Moderator

shmu26

Level 85

Gandalf_The_Grey

Level 76

shmu26

Level 85

Itachi Sempai

Level 2

Eddie Morra

upnorth

Moderator

Similar threads