Unofficial Patch Available for Latest Windows Zero-Day Exploit

While Microsoft is still working on fixing a recently disclosed privilege escalation vulnerability in Windows, security firm ACROS Security has stepped in to provide a temporary patch for the flaw.

The unofficial fix is available through 0patch.com, a service through which ACROS Security develops so-called micropatches for zero-day and other critical vulnerabilities in widely used software programs, including end-of-life products. These micropatches are applied directly in memory by a lightweight 0patch Windows agent that requires a free account to use.

“Validated and verified, our micropatch for @SandboxEscaper’s LPE in Task Scheduler is now published and freely available for everyone to use,” the company announced on Twitter.

The patch is currently available for 64-bit versions of Windows 10 1803 (April 2018 Update), but ACROS plans to also release a patch for Windows Server 2016 and is welcoming suggestions for other versions of Windows that it should support.

Earlier this week, someone with the Twitter username SandboxEscaper released an exploit for a previously unknown vulnerability in the Windows task scheduler’s Advanced Local Procedure Call (ALPC) interface. The exploit can be used by malicious code running under a limited account to gain full SYSTEM privileges and take control over the computer.

While initially confirmed to work on 64-bit versions of Windows 10, security researchers believe that with minor tweaks the exploit could also work on 32-bit builds. Microsoft’s upcoming Patch Tuesday is Sept. 11; it’s unclear if the company plans to release an out-of-band patch for this flaw.

It’s likely that hackers will start using the working proof-of-concept exploit in attacks until then, so companies running critical servers and systems might not want to wait until Patch Tuesday for a fix. Without any other workaround available, ACROS’ micropatch could be an important alternative.

The company’s 0patch agent is designed to apply and remove micropatches without requiring system reboots and downtime. However, as always, users should thoroughly test patches for incompatibilities before deploying them on critical production systems.

Cryptomining Threat Actor Rocke Becomes More Aggressive

A hacker group known for exploiting vulnerabilities in web-based applications to install cryptocurrency miners on servers has recently adopted social engineering techniques and various other malware tools.

Tracked as Rocke, the group has been active since at least 2018 and has been breaking into servers by exploiting known critical vulnerabilities in Apache Struts, Oracle WebLogic and Adobe ColdFusion.

The group’s modus operandi involves hosting shell scripts and cryptocurrency malware on source code repositories on China-based Gitee and GitLab. More recently, the group has also served malicious files from HttpFileServers (HFS) and GitHub.

“The files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework,” security researchers from Cisco Systems’ Talos team said in a blog post about the group’s most recent attacks. “It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads.”

The group also appears interested in security research, as they have forked repositories containing exploit information related to Apache Struts, JBoss and the Shadow Brokers. They’ve also shown interest in open source security tools such as IP scanners, proxies and brute-forcers, the Talos researchers said.

The expansion of the group’s toolset and capabilities has been observed in recent attacks on Windows systems, where attackers created a file that shares similarities to Cobalt Strike, a popular penetration testing software that has also been abused by other hacker groups.

“Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,” the Talos researchers said. “Rocke’s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.”

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin