Information security bods at Trustwave have found a zero-day exploit affecting all versions of Microsoft's OS Windows, all the way from Windows 2000 up to a fully patched version of Windows 10 including all server editions.
It estimates that this affects 1.5 billion computers around the world.
The company provides threat intelligence services and regularly monitors several forums, and it is through this it discovered the exploit which was found on a Russian speaking forum and is currently being offered for sale for £62,000 ($US 90,000).
Trustwave cautioned that there is currently no fix for the exploit and has recommended Windows users stay vigilant for phishing emails. In addition, it has also issued a more general warning about the rise of malware-as-a-service (MaaS).
Ziv Mador, VP of security research at Trustwave, told SCMagazineUK.com, “This is a very serious exploit. From what we've seen in the past, exploits of this type tend to have somewhere in the region of a 10 percent success rate which spells bad news all around.”
According Trustwave, Microsoft has been notified of the zero day offering and is continuing to monitor the situation.
In a blog post, the company highlighted that, “This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose. However, finding a zero day listed in between these fairly common offerings is definitely an anomaly. It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”
Trustwave said it did not buy the exploit, so could not offer technical details on how it works. However, Mador explained, “The exploit found circumvents the Local Privilege Escalation security feature of Windows which asks you to enter an admin password to make changes to the computer. This is a crucial part of the malware infection being successful.”
A translation of the original Russian post says, “The vulnerability exists in the incorrect handling of Windows objects, which have certain properties.”
It goes on to explain, “The vulnerability is of 'write-what-where' type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn't get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs].”
The seller provided two proof videos for any potential buyers that might be concerned with the validity of the offer. The first video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account. It is interesting to note that the video was actually recorded on "Patch Tuesday" and the author made sure the latest updates were installed.
[hm-iframe width="420" height="315" frameborder="0" src="https://www.youtube.com/embed/qElVJY9-CIg"]
The second video shows the exploit successfully bypassing all of EMET protections for the latest version of the product.
[hm-iframe width="420" height="315" frameborder="0" src="https://www.youtube.com/embed/7G1ZwL5PQfE"]
Trustwave highlighted, “It's important to mention that despite the indications that the offer is authentic, there's no way to know this with absolute certainty without taking the risk of purchasing the exploit or waiting for it to appear in the wild.”
Due to all the "unknowns" associated with zero days, it's hard to provide specific advice for protection. However Trustwave said that if you keep your software up-to-date, take a layered approach to security, and use common sense you should be OK.
Ben Johnson, chief security strategist, Carbon Black commented by email to SC that, “Zero-day exploits such as this are particularly problematic, as traditional security solutions like anti-virus rely on blacklisting – they have a set of known threats that they detect, if a file doesn't appear on their list, they let it through – so if the threat has never been seen before then this system falls down.”
Johnson explained, “This is why organisations need to stop relying on AV alone to protect their endpoints; a more sophisticated approach is needed. Whitelisting, whereby a threat is assessed against a set of policies and common characteristics to see if there is a likely issue, can help to spot this type of exploit even if it has never appeared before. This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before; if it hasn't, then it is likely to be zero day and hazardous. This allows organisations to get smarter about security and avoid falling into these sort of traps.”