ESET discovers zero-day in Windows 7 used against government agency
ESET has discovered a zero-day vulnerability that was used in targeted attacks in Eastern Europe. The exploit only works on Windows 7 and Windows Server 2008. It is not known exactly what the attack was aimed at.
ESET discovered the vulnerability last month and notified Microsoft, which has since released a patch. The vulnerability is registered as CVE-2019-1132 and is described in detail by the security firm.
According to ESET, the vulnerability was actively exploited against a government agency in Eastern Europe, but it is not known exactly who was behind the attack. The security company does, however, point to the Buhtrap group, a hacker group that has been active since 2014 and initially targeted mainly Russian companies. For a few years now the group has focused not only on financial gain, but also on espionage. ESET says that the malware used in the current attack tried, among other things, to steal passwords from mail clients and browsers.
The vulnerability affects Windows 7 and Windows Server 2008 and 2008 R2; newer Windows versions are not affected. It can only be exploited by an attacker who can already run code on the system, since it is a local privilege escalation rather than a remote attack. More specifically, the vulnerable systems are Windows 7 Service Pack 1 (32-bit and 64-bit), Windows Server 2008 Service Pack 2 (32-bit, 64-bit and Itanium), and Windows Server 2008 R2 Service Pack 1 (64-bit and Itanium).
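A quick way to tell whether a host falls inside the scope listed above, and whether the July 2019 update that fixes CVE-2019-1132 is present, is the PowerShell script below. It is an added example written for this page, not code from ESET or Microsoft. The KB numbers it uses as defaults are an assumption (the July 2019 monthly rollup and security-only updates for these SKUs) and should be confirmed against the MSRC advisory for CVE-2019-1132; the script uses Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example, not from the original article or from ESET/Microsoft.
# Classifies the local host against the CVE-2019-1132 scope (Windows 7 SP1,
# Server 2008 SP2, Server 2008 R2 SP1) and looks for the fixing update.
# ASSUMPTION: these KB IDs are the July 2019 monthly rollup / security-only
# updates for Win7 SP1 + 2008 R2 SP1 (first two) and Server 2008 SP2 (last two).
# Verify them against the MSRC advisory for CVE-2019-1132 before relying on this.
param(
    [string[]]$PatchKB = @('KB4507449', 'KB4507456', 'KB4507452', 'KB4507461')
)

function Test-CVE20191132Scope {
    param([Parameter(Mandatory = $true)] $Os)   # a Win32_OperatingSystem instance
    $ver      = [Version]$Os.Version
    $sp       = [int]$Os.ServicePackMajorVersion
    $isServer = ($Os.ProductType -ne 1)         # 1 = workstation, 2 = DC, 3 = server

    # Windows 7 SP1 (x86/x64) and Server 2008 R2 SP1 (x64/Itanium) share kernel 6.1
    if ($ver.Major -eq 6 -and $ver.Minor -eq 1 -and $sp -eq 1) { return $true }
    # Windows Server 2008 SP2 (x86/x64/Itanium) is kernel 6.0; Vista SP2 shares that
    # version but is not on the affected list, hence the server check
    if ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $sp -eq 2 -and $isServer) { return $true }
    return $false
}

function Get-PatchStatus {
    param([string[]]$KnownKB)
    $fixes = Get-HotFix
    $hit = $fixes | Where-Object { $KnownKB -contains $_.HotFixID }
    if ($hit) {
        return "patched: $(@($hit | ForEach-Object { $_.HotFixID }) -join ', ') installed"
    }
    # Monthly rollups are cumulative: a rollup installed after July 2019 supersedes
    # the July one, so its absence alone does not prove the host is unpatched.
    $later = @($fixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -gt [datetime]'2019-07-09'
    })
    if ($later.Count -gt 0) {
        return "probably patched: $($later.Count) update(s) newer than July 2019 present; confirm win32k.sys version against MSRC"
    }
    return "NOT PATCHED: no July 2019 or later update found"
}

$os = Get-WmiObject Win32_OperatingSystem
"{0} SP{1} ({2}), kernel {3}" -f $os.Caption, $os.ServicePackMajorVersion, $os.OSArchitecture, $os.Version
if (Test-CVE20191132Scope -Os $os) {
    "in scope for CVE-2019-1132 -> " + (Get-PatchStatus -KnownKB $PatchKB)
} else {
    "not in the affected SKU list for CVE-2019-1132"
}
```

Run it from an elevated prompt on each Windows 7 or Server 2008 host; the "probably patched" branch exists because Get-HotFix only lists the rollup actually installed, and a later cumulative rollup contains the July fix without carrying its KB number.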
The vulnerability lies in win32k.sys, the kernel-mode part of the Windows GUI subsystem. The exploit creates pop-up windows and abuses them to gain read and write access to kernel memory; its purpose is to elevate the privileges of a local user, not to gain initial access.
It is not the only vulnerability Microsoft fixed this week. Alongside it, the company released a patch for CVE-2019-0880, another local privilege escalation, this one in splwow64.exe, the print spooler's 32-bit driver host process on 64-bit Windows.