An advanced group of hackers thought to be from China have been found utilizing a Windows zero-day bug in a spate of attacks towards technology infrastructure companies all over the world.
The vulnerability is among three privilege escalation issues the attackers utilized within their campaign.
CrowdStrike initially discovered the attacks in early spring, when the team was found on a victim’s system. As soon as the attackers were halted, they continued to try to restore access on a regular basis.
“These attempts begin with compromising web servers and deploying Chopper webshells and then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool,” Dmitri Alperovitch, CTO of CrowdStrike writes in a blog post.
“Their RAT of choice has been PlugX configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries,” he continues. “Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups for popular third-party domain names. Hurricane Panda is known to use the ‘ChinaChopper’ Webshell, a common initial foothold for many different actors. Once uploading this webshell, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives.”
The zero-day reported by CrowdStrike have also been reported by FireEye, and affects all x64 Windows versions up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen, Alperovitch says.
“The exploit code is extremely well and efficiently written, and it is 100 percent reliable,” he said. “The adversary has gone through considerable effort to minimize the chance of its discovery — the win64.exe tool was only deployed when absolutely necessary during the intrusion operations and it was deleted immediately after use. The build timestamp of the Win64.exe binary of May 3, 2014 suggests that the vulnerability was actively exploited in the wild for at least five months.”