SandCat exploiting recently patched Win32k flaw


A newly patched Microsoft Win32k vulnerability is being exploited by a group called SandCat. The exploited vulnerability, CVE-2019-0797, rated important, was patched only recently as part of Microsoft's regularly scheduled March security update. Kaspersky Lab researchers found that the vulnerability is already being used by SandCat and FruityArmor to run arbitrary code on systems.

SandCat is a new APT group that was first observed in 2018 but may have been active for some time. It uses FinFisher/FinSpy spyware and the CHAINSHOT framework in attacks, along with various zero-days. SandCat's targets have mostly been observed in the Middle East, including but not limited to Saudi Arabia.


The new attack campaign found in the wild targets 64-bit operating systems from Windows 8 to Windows 10 build 15063. Exploitation of this vulnerability is not difficult and is reliable on 64-bit operating systems from Windows 8 to Windows 10. Researchers found very few attempts to exploit this vulnerability, and those were in targeted attacks. As with other high-profile zero-days, it appears to be used only against high-value targets in what can be considered surgical campaigns.

CVE-2019-0797 is an elevation-of-privilege vulnerability that exists in Windows when the Win32k component fails to properly handle objects in memory. Win32k is a Windows kernel-mode driver. Specifically, according to researchers, the flaw is a race condition in the win32k driver caused by a lack of proper synchronization between undocumented system calls. A race condition occurs when a system attempts to perform two or more operations at the same time. To exploit this, a hacker would first execute the system calls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection simultaneously. When this happens, the system call NtDCompositionDiscardFrame looks for a frame to release; during that window, the hacker would execute the function DiscardAllCompositionFrames. This condition leads to a use-after-free, a type of memory-corruption flaw that can be leveraged by hackers to execute arbitrary code.
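The race described above, reduced to a constructed model (an added example, not code from the article or from Windows): one path looks up a frame and then releases it, while a destroy path frees every frame in between, and a lock held across both steps closes the window. All structures and function names are invented stand-ins for the win32k internals; freed frames are only flagged, never actually freed, so the stale access is detected instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of the race above: one path discards a single frame while
 * another destroys the connection. Freed frames are flagged, never free()d. */
#define MAX_FRAMES 4
typedef struct { int id; bool freed; } Frame;
typedef struct {
    Frame frames[MAX_FRAMES];
    bool destroyed, locked, destroy_pending; /* `locked` is the lock the fix adds */
} Connection;
static Frame *lookup_frame(Connection *c, int id) {
    for (int i = 0; i < MAX_FRAMES; i++)
        if (!c->frames[i].freed && c->frames[i].id == id) return &c->frames[i];
    return NULL;
}
/* Stand-in for DiscardAllCompositionFrames running from the destroy path. */
static void destroy_connection(Connection *c) {
    if (c->locked) { c->destroy_pending = true; return; } /* blocked until unlock */
    for (int i = 0; i < MAX_FRAMES; i++) c->frames[i].freed = true;
    c->destroyed = true;
}
/* Discard one frame; `other` is the thread scheduled between lookup and release.
 * Returns false if the pointer went stale (the use-after-free). `synchronized`
 * holds the lock across both steps, which is the fix. */
static bool discard_frame(Connection *c, int id, void (*other)(Connection *),
                          bool synchronized) {
    bool ok = true;
    if (synchronized) c->locked = true;
    Frame *f = lookup_frame(c, id);
    if (other) other(c);              /* the racing destroy path runs here */
    if (f) {
        if (f->freed) ok = false;     /* stale pointer: the UAF */
        else f->freed = true;         /* normal release of one frame */
    }
    if (synchronized) {
        c->locked = false;            /* a deferred destroy now proceeds safely */
        if (c->destroy_pending) { c->destroy_pending = false; destroy_connection(c); }
    }
    return ok;
}
static Connection make_connection(void) {
    Connection c = {0};
    for (int i = 0; i < MAX_FRAMES; i++) c.frames[i].id = i + 1;
    return c;
}
int main(void) {
    Connection a = make_connection(), b = make_connection();
    printf("unsynchronized: %d, synchronized: %d\n", discard_frame(&a, 2, destroy_connection, false),
           discard_frame(&b, 2, destroy_connection, true)); /* prints 0, 1 */
    return 0;
}
```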

A hacker who successfully exploits this vulnerability could run arbitrary code in kernel mode and then install programs, delete data, or create new accounts with full user rights. According to Microsoft, hackers could run a specially crafted application that exploits the vulnerability and takes control of an affected system. To take advantage of it, a hacker would first have to log on to the system. Researchers reported the flaw to Microsoft on Feb. 22. Microsoft's subsequent update, released on Patch Tuesday, addresses the vulnerability by correcting how Win32k handles objects in memory.