On August 27, a security researcher with the online moniker SandboxEscaper discovered a zero-day vulnerability in Windows Task Scheduler (Windows 7-10) and published a proof-of-concept exploit for the flaw on GitHub. Microsoft was not alerted to the flaw and was not given time to issue a fix to prevent the flaw from being exploited.
Unsurprisingly, the exploit is now being used by at least one hacking group to attack businesses. Cybersecurity firm ESET reports that a new threat group called PowerPool has been conducting targeted attacks using the backdoor.
The flaw is present in the Advanced Local Procedure Call (ALPC) of Windows Task Scheduler. If local access to a device is gained, it is possible to elevate privileges to SYSTEM level by overwriting certain files which are not protected by filesystem access control lists.
Microsoft has not yet corrected the flaw – and will likely not do so until Patch Tuesday on September 11 – although Acros Security has issued a micropatch that will prevent the flaw from being exploited. Even though the micropatch has been available for several days, many businesses have opted to wait until Microsoft fixes the problem and remain vulnerable to attack.
ESET telemetry data shows the PowePool group has already conducted attacks using a slightly modified version of the proof-of-concept exploit, which was recompiled from the source code published on GitHub. Attacks have been detected in the US, UK, Germany, Chile, Ukraine, India, Russia, Poland, and the Philippines.
In the attacks, the group use the exploit to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe to give its malware elevated permissions on systems. According to a recent ESET report, the first stage of the attack involves delivering the malware via email in a spam campaign that uses Symbolic Link (.slk) file attachments. The spam emails are part of a targeted spear phishing campaign, with the email attachment disguised as an invoice.
The first stage of the malware is used for reconnaissance to identify systems of interest that are worthy of a more extensive compromise. If the system is of interest, the malware downloads an additional module that is capable of executing commands on a compromised system, can download further files, upload data to the attacker’s C2 server, and can stop processes running on an infected device.
ESET notes that the second stage of the malware downloads a variety of legitimate tools which enable the attackers to move laterally on the network and compromise further devices.
The published exploit has now been incorporated into the attackers’ arsenal and is being used to escalate privileges on a compromised system. The exploit was used within 48 hours of it being published on GitHub. This is a classic example of what happens when details of vulnerabilities are disclosed outside a coordinated disclosure process.