Govt cyber bank attack: MSW ‘Zero-Day Exploit’ used
Published: 05:15 PM, 13 July 2019 Updated: 06:21 PM, 13 July 2019
The matter of using Microsoft Word Zero-Day Exploit for cyber spying in government highly secured institutions has been revealed. It is like a threat actor once best known for cyber bank robbery in Russia has made a move to espionage. During June 2019, the use of a Microsoft Windows zero-day exploit against government institutions in Eastern Europe has been fixed following discovery of huge Windows zero-days. However, this is the first time that researchers had seen the Buhtrap group using a zero-day attack, although the group has been involved in the cyber-spying business for some years now across Eastern Europe and Central Asia, news Forbes.
What the ‘Zero-Day Exploit’
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.
ESET’s (a Slovakia based IT security vendor) senior malware researcher Anton Cherepanov, explained how the zero-day exploit abused a local privilege escalation vulnerability in Microsoft Windows in order to run arbitrary code and install applications, and view or change data on the compromised systems.
The vulnerability itself only impacted older versions of Windows, specifically variations of Windows and Windows Server 2008, because, “since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems,” according to the state of Anton.
On the other hand, Gavin Millard, vice-president of intelligence at Tenable warns, that is predictably, is to upgrade to a newer version of the operating system if possible. Especially as critical security updates will disappear soon when extended support for Windows 7 Service Pack 1 ends in January 2020. “The vulnerability is now being actively exploited in the wild," advising that "patches should be deployed as soon as possible,” he says.
I wondered why a group that had apparently seen quite some success while being a "pure" cybercrime operation might make the change to what would appear the more dangerous and less profitable business of espionage? It's not the first time, said Chris Doman, a security researcher at AT&T Alien Labs.
Javvad Malik, security awareness advocate at KnowBe4, said, “In this case it could very well be possible that Buhtrap expanded their operations from cybercrime to include espionage because of the greater money-making opportunity or for political reasons.”
Synopsys senior security engineer Boris Cipot said, “We could say it is financial.” Such services are known to have been used in many cyber-espionage cases, he also commented.
Or, they could have become part of an espionage ring in order to avoid prison time. "This is also something we have seen in the past," Cipot says "where cybercriminals, when caught, were used to either work for the government or other organizations to avoid sentences in prison." Eoin Keary, CEO, and co-founder of edgescan, agrees it is likely "given their level of skill," that they may have been convinced by a nation-state to "use their skill set in the realm of espionage and go legitimate." Although Keary also points out that the world of corporate espionage is very lucrative, "with many nation states happily paying for intellectual property, energy information, blueprints, business plans and communiques between governments and business leaders."
Michael Hartmann, vice-president EMEA at OneLogin, stated that: "According to insiders some of Buhtrap group's source code got leaked or intentionally published on the darknet, which may be a reason why other attacker groups are now using and customizing these attack vectors to target other organizations, which explains the perceived change in the Buhtrap attack strategy."