0-Days Sold By Austrian Firm Used To Hack Windows Users, Microsoft Says (arstechnica.com)
Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren't necessarily the countries in which the DSIRF customers who paid for the attack resided.
"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF." Referring to DSIRF using the word KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.
The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.
CVE-2022-22047 was used in KNOTWEED-related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved. Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).
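The two host-side mitigations in that list (the July 2022 patch and Defender security intelligence 1.371.503.0 or later) can be verified locally. The script below is an added example, not code from Microsoft's report or the Ars article; it uses the real `Get-MpComputerStatus` and `Get-HotFix` cmdlets, and the `$PatchKb` parameter is a placeholder because the page does not give the KB number of the update that ships the CVE-2022-22047 fix for a given Windows build. MFA is a tenant/identity-side setting and is not checked here.

```powershell
# Added example (not from the original page): local posture check for the
# CVE-2022-22047 mitigations Microsoft lists. Run in an elevated PowerShell
# on Windows 10/11 or Server 2016+ where the Defender module is present.
param(
    # Placeholder: replace with the KB id of the July 2022 security update
    # for your OS build (the page itself does not name it).
    [string]$PatchKb = 'KB-PLACEHOLDER-CVE-2022-22047'
)

# Threshold from the page: Defender AV update 1.371.503.0 or later.
$minSigVersion = [version]'1.371.503.0'

$status = Get-MpComputerStatus

# Security intelligence (signature) version, compared as a [version] so that
# 1.371.1000.0 correctly sorts above 1.371.503.0 (string compare would not).
$sigVersion = [version]$status.AntivirusSignatureVersion
$sigOk      = $sigVersion -ge $minSigVersion

# Real-time protection must actually be on for the signatures to matter.
$rtpOk = [bool]$status.RealTimeProtectionEnabled

# Is the OS update that carries the CVE-2022-22047 fix installed?
$hotfix  = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
$patchOk = $null -ne $hotfix

$result = [pscustomobject]@{
    DefenderSignatureVersion = $sigVersion.ToString()
    SignatureAtOrAboveMin    = $sigOk
    RealTimeProtection       = $rtpOk
    PatchKb                  = $PatchKb
    PatchInstalled           = $patchOk
    PatchInstalledOn         = if ($patchOk) { $hotfix.InstalledOn } else { $null }
    AllMitigationsPresent    = ($sigOk -and $rtpOk -and $patchOk)
}

$result | Format-List

# Non-zero exit code so the check can gate a configuration-management run.
if (-not $result.AllMitigationsPresent) { exit 1 }
```

Note that `Get-HotFix` only reports updates registered with the Windows Update agent on that host; on machines patched through other channels, compare the OS build number from `winver` or `[Environment]::OSVersion` against the build listed in Microsoft's July 2022 release notes instead.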
Ok (Score:2, Informative)
meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did
Yeah ok, that is pretty much the definition of a 0 day.
Re: (Score:2)
0-Day is an issue that has been in the code since the 0-day it wasn't mitigated before release (Day 1). It can be known or unknown.
shitty software (Score:2, Interesting)
maybe don't have shitty software and a complete desktop monopoly
Re: (Score:1, Insightful)
Re:shitty software (Score:5, Insightful)
and which software doesn't have 0 Day vulnerabilities on a regular basis?
SSH. OpenBSD. Qmail.
The question you should really be asking is, "Why don't MS and Adobe have processes in place that would make remote exploits rare?"
Re: (Score:1, Flamebait)
Bullshit, you're a liar [cvedetails.com]. You're a dumbass.
Re: (Score:1)
Re: (Score:2)
If I understand you correctly, I think you're agreeing with me.
LOL! I'm a dumbfuck! (Score:1)
Re: Meh (Score:2)
Lol, you are right. I AM THE DUMBASS!
Well if you're agreeing with me, I'm definitely not going to say you're a dumbass! ll
From Austria? (Score:2, Offtopic)
This has to be Schwarzenegger's fault.
Re: (Score:1)
What, no Godwin? Now that it would finally fit so perfectly? /. really lost its ways.
Re: (Score:2)
What, no Godwin?
My original post included the second sentence "or Hitler's.", but then I decided against it.
Re: (Score:2)
DSIRF seems to be involved with Jan Marsalek [wikipedia.org], who was the COO of the scandalous, fraudulent and finally bankrupt fintech company Wirecard [wikipedia.org]. Jan Marsalek was known to brag about his connection to different intelligence agencies, and is now a fugitive with a world wide warrant outstanding.
Re: (Score:2)
*sigh*
Wirecard, the Gift that keeps on taking.
(with "Gift" in the German meaning of the word)
Re: (Score:1)
Rejects? It doesn't get more EU-brownnosing than Austria. Where does the reject come from?
Re: nuke them (Score:1)
If only...
Re: (Score:2)
Re: nuke them (Score:2)
Re: (Score:2)
Re: nuke them (1 April 2000.) (Score:2)
There are no kangaroos in Austria.