Buhtrap Group Used Windows Zero-Day in Government Attack

One of the two Windows zero-day vulnerabilities fixed by Microsoft with its July 2019 Patch Tuesday updates was used by a threat group known as Buhtrap to target a government organization in Eastern Europe, according to cybersecurity firm ESET.

The flaw, tracked as CVE-2019-1132, is a privilege escalation issue related to how the Win32k component handles objects in memory. It can be exploited to execute arbitrary code in kernel mode, but it only appears to affect older versions of Windows, such as Windows 7 and Server 2008.

ESET, which informed Microsoft of the vulnerability and the attacks exploiting it, has released a blog post containing technical information on CVE-2019-1132. The company says the exploit created by Buhtrap relies on popup menu objects, a technique that has been used for several vulnerabilities in recent years. According to ESET, the exploit for CVE-2019-1132 uses techniques very similar to the exploit for CVE-2017-0263, a Windows zero-day patched by Microsoft in May 2017 after it was used by a Russia-linked cyberspy group.

As for the attack involving CVE-2019-1132, ESET spotted it in June after it was used to target a government institution in Eastern Europe. The Buhtrap hackers leveraged the exploit to run their malware with the highest privileges on the compromised systems.

This was the first time Buhtrap had used a zero-day vulnerability in its attacks, ESET said.

The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.

Buhtrap has been active since at least 2014. The group initially conducted profit-driven campaigns aimed at the customers of Russian banks. In 2015, the threat actor was spotted targeting financial institutions directly by sending spear-phishing emails to their employees. Buhtrap is said to have stolen significant amounts of money during these operations, including $25 million over a six-month period from 13 Russian banks.

In 2015, the group also started launching cyber espionage operations aimed at entities in Eastern Europe and Central Asia, including government organizations. While the source code for Buhtrap’s malware was leaked in 2016, which allowed other groups to use it as well, ESET has pointed out that the hackers shifted focus before the leak and the company assesses with high confidence that the people behind the attacks on banks also targeted governments.

“While we do not know why this group has suddenly shifted targets, it is a good example of the more and more blurry lines separating pure espionage groups from the ones mostly doing crimeware. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” ESET said in a blog post.

The second Windows zero-day vulnerability patched by Microsoft this month, a privilege escalation issue tracked as CVE-2019-0880, was reported to the company by Resecurity. However, the firm told SecurityWeek that it only shares its findings with impacted vendors and it has refused to provide any information on the attacks involving this flaw.

Related: Windows Zero-Day Exploited in Targeted Attacks by ‘PowerPool’ Group

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
