While Microsoft is still working on fixing a recently disclosed privilege escalation vulnerability in Windows, security firm ACROS Security has stepped in to provide a temporary patch for the flaw.
The unofficial fix is available through 0patch.com, a service through which ACROS Security develops so-called micropatches for zero-day and other critical vulnerabilities in widely used software programs, including end-of-life products. These micropatches are applied directly in memory by a lightweight 0patch Windows agent that requires a free account to use.
“Validated and verified, our micropatch for @SandboxEscaper’s LPE in Task Scheduler is now published and freely available for everyone to use,” the company announced on Twitter.
The patch is currently available for 64-bit versions of Windows 10 1803 (April 2018 Update), but ACROS plans to also release a patch for Windows Server 2016 and is welcoming suggestions for other versions of Windows that it should support.
Earlier this week, someone with the Twitter username SandboxEscaper released an exploit for a previously unknown vulnerability in the Windows task scheduler’s Advanced Local Procedure Call (ALPC) interface. The exploit can be used by malicious code running under a limited account to gain full SYSTEM privileges and take control over the computer.
While initially confirmed to work on 64-bit versions of Windows 10, security researchers believe that with minor tweaks the exploit could also work on 32-bit builds. Microsoft’s upcoming Patch Tuesday is Sept. 11; it’s unclear if the company plans to release an out-of-band patch for this flaw.
It’s likely that hackers will start using the working proof-of-concept exploit in attacks until then, so companies running critical servers and systems might not want to wait until Patch Tuesday for a fix. Without any other workaround available, ACROS’ micropatch could be an important alternative.
The company’s 0patch agent is designed to apply and remove micropatches without requiring system reboots and downtime. However, as always, users should thoroughly test patches for incompatibilities before deploying them on critical production systems.
Cryptomining Threat Actor Rocke Becomes More Aggressive
A hacker group known for exploiting vulnerabilities in web-based applications to install cryptocurrency miners on servers has recently adopted social engineering techniques and various other malware tools.
Tracked as Rocke, the group has been active since at least 2018 and has been breaking into servers by exploiting known critical vulnerabilities in Apache Struts, Oracle WebLogic and Adobe ColdFusion.
The group’s modus operandi involves hosting shell scripts and cryptocurrency-mining malware on source code repositories on the China-based Gitee and on GitLab. More recently, the group has also served malicious files from HTTP File Server (HFS) instances and GitHub.
The group also appears interested in security research, as they have forked repositories containing exploit information related to Apache Struts, JBoss and the Shadow Brokers. They’ve also shown interest in open source security tools such as IP scanners, proxies and brute-forcers, the Talos researchers said.
The expansion of the group’s toolset and capabilities has been observed in recent attacks on Windows systems, where the attackers created a file that shares similarities with Cobalt Strike, a popular penetration testing tool that has also been abused by other hacker groups.
“Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,” the Talos researchers said. “Rocke’s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.”