Hackers Swoop In on Windows 10 Security Flaw Exposed on Twitter
Last week, a security researcher disclosed a zero-day Windows vulnerability on Twitter along with a Proof of Concept (PoC). Not surprisingly, malicious actors swooped in days later to use the bug for their benefit.
Exploiting Windows’ Task Scheduler
The Twitter user SandboxEscaper revealed a bug in the Advanced Local Procedure Call (ALPC) interface of the Windows 7 and Windows 10 Task Scheduler that could allow an attacker to gain administrative rights even when the malicious executable is launched from a limited Windows user account.
SandboxEscaper released the PoC source code at the same time as disclosing the bug, which meant anyone could modify and repurpose that code for a wide-scale attack against Windows machines, one that could evade security protections, including antivirus scans.
How PowerPool Infects Victims' PCs
A group called PowerPool modified that original PoC source code, recompiled it and then used it to replace Google Chrome’s auto-updater executable with its own malicious file in order to gain SYSTEM privileges on victims’ machines. The malware can execute commands, kill processes, upload and download files, and list folders.
The initial stage of the infection, which is kick-started via a malicious attachment sent in an email to the victim, also allows the PowerPool group to perform some basic data collection, including taking screenshots of the victims’ PCs.
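Because the attack described above swaps out a legitimately signed updater for an attacker-controlled file, a defender can check whether the updater on a machine is still the vendor-signed binary. The following PowerShell check is an added example, not code from the article or from the PowerPool research; the updater paths are assumptions based on Chrome's usual install locations, which the article does not name.

```powershell
# Added example: verify that Chrome's auto-updater is still Google-signed and unmodified.
# Assumption: the updater is at one of these default locations (not stated in the article).
$candidates = @(
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe",
    "$env:ProgramFiles\Google\Update\GoogleUpdate.exe",
    "$env:LOCALAPPDATA\Google\Update\GoogleUpdate.exe"
)

function Test-UpdaterIntegrity {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $item = Get-Item -LiteralPath $p
        $acl  = Get-Acl -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path          = $p
            SignatureOK   = ($sig.Status -eq 'Valid')
            # A replaced binary is typically unsigned or signed by someone other than Google.
            SignerIsGoogle = ($signer -match 'Google')
            Signer        = $signer
            Owner         = $acl.Owner            # unexpected owner hints at tampering
            LastWriteTime = $item.LastWriteTime   # compare against the last legitimate update
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Any row with SignatureOK = False or SignerIsGoogle = False deserves investigation.
Test-UpdaterIntegrity -Paths $candidates | Format-List
```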
Still Awaiting Patches
Microsoft was seemingly caught off-guard by SandboxEscaper’s initial disclosure of the bug and has said that it will release a patch on the next “Update Tuesday” on September 11.
CERT/CC has published some potential mitigations for this attack, but Microsoft has not officially approved them.
hotaru251: So... since they used Chrome's auto-update... does this have no effect if you don't have it on your PC?
kenjitamura, quoting hotaru251: "so... since they used Chrome's auto-update... does this have no effect if you don't have it on your PC?"
It's highly unlikely this is the only group to abuse this exploit, and it sounds like it could just as easily be applied to nearly any other piece of software.
1_rick, quoting the article: "The initial stage of the infection, which is kickstarted via a malicious attachment sent in an email to the victim"
Uh-huh.
pjkrojcer: Yeah, straight up, from what I gather you need to infect your PC first by clicking on the attachment. So, uhh, don't open attachments from people you don't know?
Albert_15: *gets an email saying "see attached file for instructions on how to mitigate this attack"*
Larmo-Ct: I get the impression from this article that SandboxEscaper was a jerk, by releasing this info before informing Microsoft of this/these exploits, and telling the world about it. But the most important question I have is: does the Microsoft Sept. 11 patch address all of the hacks mentioned in the article?? Thanks in advance for any responses.