Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?

No official patch for under-attack ALPC vuln – so grab these mitigations instead

The Windows ALPC security hole that emerged early last week remains unpatched, even though it is being actively exploited by hackers to gain total control over PCs.

As we reported at the end of August, a person behind the now-deleted Twitter account SandboxEscaper publicly revealed the system-level privilege escalation zero-day bug in Windows Advanced Local Procedure Call (ALPC) in all versions from Windows 7 to Windows 10. SandboxEscaper also released example exploit code for the programming blunder – a recipe for miscreants to use to fully commandeer compromised computers.

Now, ESET's Matthieu Faou disclosed on Wednesday that a group of miscreants called PowerPool is actively exploiting the bug to move from hijacked user accounts to full system administrator-level control of already infiltrated Windows boxes.

“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool,” said Faou.

So far, the set of victims is small, we're told. The gang has been going after targets in Chile, Germany, India, the Philippines, Poland, Russia, the UK, America, and Ukraine, ESET reckoned.

The PowerPool crooks modified and recompiled SandboxEscaper's proof-of-concept source code, Faou wrote, and used it to overwrite GoogleUpdate.exe – Google's software updater – on compromised machines with a second-stage payload, so that the next time the updater is automatically run, that second stage executes with system-level privileges courtesy of the ALPC hole.

The malicious code then opens a “reconnaissance” backdoor and takes screenshots to send to its command and control server. A second-stage backdoor – which Faou described as “clearly not a state-of-the-art backdoor” – is also opened that can execute arbitrary commands from its masters, kill processes, upload and download files, and list folders' contents.

The miscreants also deploy PowerShell tools to retrieve usernames and login hashes from the Security Account Manager; a post-exploitation framework dubbed PowerSploit; SMBExec for running SMB connections; Quarks PwDump to retrieve Windows credentials; and FireMaster, an executable that retrieves passwords stored by Outlook and web browsers.

Anti-malware toolmaker Barkly's Jonathan Crowe explained the steps taken by the original exploit example code: it creates an UpdateTask.job task, something that ordinary users can do, but instead of an ordinary file it's a hard link to a system file such as PrintConfig.dll, which only system-level users are supposed to be able to modify or replace.

Task Scheduler's SchRpcSetSecurity is called to change permissions on the UpdateTask.job so anyone can modify it, and this “actually changes permissions of the linked-to PrintConfig.dll file, which thus becomes user-modifiable,” we're told.

The example exploit used this to replace PrintConfig.dll with a DLL that launched Notepad, and then triggered the Print Spooler service to run PrintConfig.dll “using its own Local System identity.”

The good news is that, in the absence of a patch from Microsoft, there are mitigations to hand, even if your antivirus isn't watching for attacks.

Crowe noted that Clever IT's Karsten Nilsen and Google Project Zero researcher James Forshaw both suggest using access controls to defeat the bug. Their cure is to prevent anyone writing to the C:\Windows\Tasks directory.

Influential UK infosec geezer Kevin Beaumont has also written up how to put in place rules that will detect attempted exploits. 0patch also has a micropatch for the bug. ®
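As an added illustration of the two defensive angles above (it is not code from the article, ESET, Barkly, Project Zero or 0patch), the following PowerShell first hunts C:\Windows\Tasks for .job entries that are hard links to files elsewhere on the volume, the pattern the example exploit relies on, and then applies the access-control mitigation by denying Authenticated Users write access to that directory. The function names are this example's own; the paths are the ones named in the article.

```powershell
# Run from an elevated PowerShell prompt on the host being checked.
$TasksDir = 'C:\Windows\Tasks'

function Find-SuspiciousTaskLinks {
    param([string]$Dir = $TasksDir)
    # 'fsutil hardlink list' prints every volume-relative path that shares a
    # file's data. A legitimate .job file has exactly one path; a hard link
    # into System32 (PrintConfig.dll in the PoC) shows up as an extra path
    # outside \Windows\Tasks.
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $links  = & fsutil.exe hardlink list $_.FullName 2>$null
        $others = @($links | Where-Object { $_ -and ($_ -notlike '\Windows\Tasks\*') })
        if ($others.Count -gt 0) {
            [pscustomobject]@{
                Job      = $_.FullName
                LinkedTo = ($others -join '; ')
            }
        }
    }
}

function Set-TasksDirWriteDeny {
    param([string]$Dir = $TasksDir)
    # Deny ACE for Authenticated Users (well-known SID S-1-5-11) covering the
    # directory and everything created beneath it. Caveat: SYSTEM is itself a
    # member of Authenticated Users, so legacy .job task creation in this
    # directory is blocked too; test on a representative machine first.
    $acl  = Get-Acl -Path $Dir
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::Write,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Dir -AclObject $acl
}

# Hunt first, then harden.
$hits = @(Find-SuspiciousTaskLinks)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No cross-linked .job files found.' }
Set-TasksDirWriteDeny
(Get-Acl -Path $TasksDir).Access | Where-Object { $_.AccessControlType -eq 'Deny' } | Format-Table -AutoSize
```

Run the hunt on its own (without the hardening call) when you only want to triage existing hosts; a hit means the Tasks directory already contains a link to a file outside it and warrants an incident-response look.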
