The Windows ALPC security hole that emerged early last week remains unpatched, even though it is being actively exploited by hackers to gain total control over PCs.
As we reported at the end of August, a person behind the now-deleted Twitter account SandboxEscaper publicly revealed the system-level privilege escalation zero-day bug in Windows Advanced Local Procedure Call (ALPC) in all versions from Windows 7 to Windows 10. SandboxEscaper also released example exploit code for the programming blunder – a recipe for miscreants to use to commandeer compromised computers.
Now, ESET’s Matthieu Faou has disclosed on Wednesday that a group of miscreants called PowerPool is actively exploiting the bug to move from hijacked user accounts to full system administrator-level control of already infiltrated Windows boxes.
“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool,” said Faou.
So far, the set of victims is small, we’re told. The gang has been going after targets in Chile, Germany, India, the Philippines, Poland, Russia, the UK, America, and Ukraine, ESET reckoned.
The PowerPool crooks modified and recompiled SandboxEscaper’s proof-of-concept source code, Faou wrote, and used it to replace GoogleUpdate.exe – Google’s software updater – on compromised machines so that the next time it is automatically run, it is overwritten by a second stage and gains system-level privileges via the ALPC hole.
The malicious code then opens a “reconnaissance” backdoor and takes screenshots to send to its command and control server. A second-stage backdoor – which Faou described as “clearly not a state-of-the-art backdoor” – is also opened that can execute arbitrary commands from its masters, kill processes, upload and download files, and list folders’ contents.
The miscreants also deploy PowerShell tools to retrieve usernames and login hashes from the Security Account Manager; a post-exploitation framework dubbed PowerSploit; SMBExec for running SMB connections; Quarks PwDump to retrieve Windows credentials; and FireMaster, an executable that retrieves passwords stored by Outlook and web browsers.
Windows 0-day pops up out of nowhere Twitter
Anti-malware toolmaker Barkly’s Jonathan Crowe explained the steps taken by the original exploit example code: it creates an
UpdateTask.job task, something that ordinary users can do, but instead of an ordinary file it’s a hard link to a system file such as
PrintConfig.dll, which only system-level users are supposed to be able to modify or replace.
SchRpcSetSecurity is called to change permissions on the
UpdateTask.job so anyone can modify it, and this “actually changes permissions of the linked-to
PrintConfig.dll file, which thus becomes user-modifiable,” we’re told.
The example exploit used this to replace
PrintConfig.dll with a DLL that launched Notepad, and then triggered the Print Spooler service to run
PrintConfig.dll “using its own Local System identity.”
The good news is that, in the absence of a patch from Microsoft, there are mitigations to hand, even if your antivirus isn’t watching for attacks.
Crowe noted that Clever IT’s Karsten Nilsen and Google Project Zero researcher James Forshaw both suggest using access controls to defeat the bug. Their cure is to prevent anyone writing to the