CVE-2019-0797
Published: 2019-04-09
Priority: P2 79 high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (remediation due 2022-05-03) · Exploited in the wild
EPSS: 1.89% (77.0th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0808.
Affected (26 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1709 | — | — |
Detection & IOCs (extracted from sources)
- Look for DarkPulsar's backdoor DLL loaded as a Security Support Provider (SSP/AP) inside lsass.exe via Secur32.AddSecurityPackage; the implant exports functions matching TSPI and SSPI interface names but contains malicious code.
- Monitor for hooks placed on SpAcceptLsaModeContext within msv1_0.dll, kerberos.dll, schannel.dll, wdigest.dll, and lsasrv.dll inside lsass.exe; DarkPulsar hooks these to intercept and bypass authentication.
- Detect EDFStagedUpload activity by monitoring for a persistent connection on port 445 combined with a pair of bound sockets appearing in lsass.exe, followed by a dramatic increase in network activity when the PeddleCheap payload is deployed.
- DarkPulsar embeds its C2 traffic inside standard system protocols (NTLM, Kerberos, TLS/SSL, Digest, Negotiate); network activity will appear attributed to the System process using system-reserved ports, not to a standalone malicious process.
- DarkPulsar supports SMB, NBT, SSL, and RDP as delivery protocols; the protocol and port number must be specified per command, so detections should cover all four protocol options.
- Both 32-bit and 64-bit versions of the DarkPulsar backdoor exist; detections and forensic checks must cover both architectures.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
CISA: Microsoft Win32k Privilege Escalation Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · HIGH
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-0797
Remediation Due Date: 2022-05-03
Microsoft: Win32k Elevation of Privilege Vulnerability
vendor_msrc · 2019-03-12 · CVSS 7.0 · HIGH
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
Component: Microsoft Graphics Component
Impact: Elevation of Pri
GHSA: GHSA-8wc3-99q7-2qvc (for CVE-2019-0808)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8 · HIGH
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.
GHSA: GHSA-74qg-858w-vpcj (for CVE-2019-0797)
ghsa_unreviewed · 2022-05-13 · CVSS 7.8 · HIGH
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0808.
Project Zero: Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019
project_zero · 2020-07-01 · indexed under CVE-2016-5195
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
VulnCheck: Microsoft Win32k Privilege Escalation Vulnerability
vulncheck · 2019 · CVSS 7.8 · HIGH
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Mar; https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/; https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://thehackernews.
VulnCheck: Microsoft Win32k Privilege Escalation Vulnerability (CVE-2018-8453)
vulncheck · 2018 · CVSS 7.8 · HIGH · CWE-404
Microsoft Windows Win32k contains a vulnerability that allows an attacker to escalate privileges.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2018-Oct; https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/; https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/; https://digital.nhs.uk/cyber-alerts/2019/cc-3044; https://www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/sodinokibi; https://web.archive.org/web/20220227045141/https://riskse
No detection rules found.
No public exploits indexed.
Securelist: Lazarus APT updates its toolset in watering hole attacks
blogs_securelist · 2025-04-24
Table of Contents
- Background
- Initial vector
- Execution flow
- First-phase malware
- Second phase malware
- The evolution of Lazarus malware
- Discoveries
- Infrastructure
- Attribution
- Victims
- Conclusion
- Indicators of Compromise
Authors
- Sojun Ryu
- Vasily Berdnikov
We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software. The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compr
Securelist: The EAGERBEE backdoor may be related to the CoughingDown actor
blogs_securelist · 2025-01-06
Table of Contents
- Introduction
- Initial infection and spread
- Malware components
- Attribution
- Conclusions
- IOC
Authors
- Saurabh Sharma
- Vasily Berdnikov
## Introduction
In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a running service. Additionally, we discovered previously undocumented components (plugins) deployed after the backdoor’s installation. These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells and more. The key plugins can be categorized in terms of their fun
Securelist: Lazarus targets nuclear-related organization with new malware
blogs_securelist · 2024-12-19
Table of Contents
- Never giving up on their goals
- CookiePlus capable of downloading both DLL and shellcode
- Infrastructure
- Conclusion
- Indicators of compromise
Authors
- Vasily Berdnikov
- Sojun Ryu
Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation DreamJob”. We have previously published the history of this campaign.
Recently, we observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related or
Securelist: Modern Asia APT groups TTPs
blogs_securelist · 2023-11-09
Authors
- Nikita Nazarov
- Kirill Mitrofanov
- Alexander Kirichenko
- Vladislav Burtsev
- Natalya Shornikova
- Vasily Berdnikov
- Sergey Kireev
Almost every quarter, someone publishes major research focusing on campaigns or incidents that involve Asian APT groups. These campaigns and incidents target various organizations from a multitude of industries. Likewise, the geographic location of victims is not limited to just one region. This type of research normally contains detailed information about the tools used by APT actors, the vulnerabilities that they exploit and sometimes even a specific attribution. Despite the large number of these types of reports, companies often remain unprepared to face these kinds of attackers. With the advanced tools and techniques used by threat actors tod
Securelist: Minas — a multi-stage cryptocurrency miner infection
blogs_securelist · 2023-05-17
Table of Contents
- The infection chain
- Technical description
- Conclusion
- Minas indicators of compromise
Authors
- Ilya Borisov
- Vasily Berdnikov
Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence.
In June 2022, we found a suspicious shellcode running in the memory of a system process. We decided to dig deeper and investigate how the shellcode was initially placed into the process and where on the infected system the threat was hidden.
## The infection chain
We were unable to reproduce the whole infection procedure, but we were able to reconstruct it from the point at which PowerShell was executed, as shown in the scheme below.
General attack execution flo
Qualys: Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys · 2022-02-23
Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist: APT review: what the world’s threat actors got up to in 2019
blogs_securelist · 2019-12-04
Table of Contents
- Compromising supply chains
- Disinformation
- Lost in Translation and Dark Universe
- Mobile attacks
- Established threat actors continue to revamp their tools
- Evolution of the ‘newcomers’
- Privacy matters
- Final thoughts
Authors
- David Emm
What were the most interesting developments in terms of APT activity during the year, and what can we learn from them?
This is not an easy question to answer, because researchers have only partial visibility and it’s impossible to fully understand the motivation for some attacks or the developments behind them. However, let’s try to approach the problem from different angles in order to get a better understanding of what happened, with the benefit of hindsight and perspective.
## Compromising supply chains
Targeting supply
Securelist: Platinum is back
blogs_securelist · 2019-06-05
Authors
- Andrey Dolgushev
- Vasily Berdnikov
- Ilya Pomerantsev
In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.
As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded comma
Securelist: IT threat evolution Q1 2019
blogs_securelist · 2019-05-23
Table of Contents
- Targeted attacks and malware campaigns
- Other malware news
Authors
- David Emm
## Targeted attacks and malware campaigns
### Go Zebrocy
Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used mean that we consider it a subset of activity in its own right. On the basis of this threat actor’s past behaviour, we predicted last year that Zebrocy would continue to innovate in its malware development. The group has developed using Delphi, AutoIT, .NET, C# and PowerShell. Since May 2018, Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled open-source language.
Zebrocy continues to target governm
Securelist: IT threat evolution Q1 2019. Statistics
blogs_securelist · 2019-05-23
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
- 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed t
Securelist: APT trends report Q1 2019
blogs_securelist · 2019-04-30
Authors
- GReAT
For just under two years, the Global Research and Analysis Team (GReAT) at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2019.
Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘[email protected]’.
## The most remarkable finding
Targeting supply-chains has pro
Securelist: New win32k zero day: CVE-2019-0859
blogs_securelist · 2019-04-15 · CVSS 7.8 · HIGH (indexed under CVE-2019-0859)
Authors
- Vasily Berdnikov
- Boris Larin
- Anton Ivanov
In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- A new exploit for zero-day vulnerability CVE-2018-8589
- Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)
- The fourth horseman: CVE-2019-0797 vulnerability
On March 17, 2019 we reported our discovery to Microsoft; the company confirmed the
Securelist: The fourth horseman: CVE-2019-0797 vulnerability
blogs_securelist · 2019-03-13 · CVSS 7.8 · HIGH
Authors
- Vasily Berdnikov
- Boris Larin
## The new zero-day in the Windows OS exploited in targeted attacks
In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery:
This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this
Krebs on Security: Patch Tuesday, March 2019 Edition
blogs_krebs · 2019-03-13 · CVSS 7.8 · HIGH
Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.
One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.
Microsoft also addressed a zero-day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction wit
Securelist: DarkPulsar FAQ
blogs_securelist · 2018-10-19
Authors
- Andrey Dolgushev
- Dmitry Tarakanov
- Vasily Berdnikov
## What’s it all about?
In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The Fuzzbunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. In pair, it is a very powerful platform for cyber-espionage.
## How was this implant discovered?
We always analyze all leaks containing malicious software to provide the best detection. The same happened after the “Lost in Translation” leak was revealed. We noticed that this leak contained a tool in the
Securelist: DarkPulsar
blogs_securelist · 2018-10-19
Authors
- Andrey Dolgushev
- Dmitry Tarakanov
- Vasily Berdnikov
In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.
DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.
[Figure: DanderSpritz interface]
Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are
Securelist: The Slingshot APT FAQ
blogs_securelist · 2018-03-09
Authors
- Alexey Shulmin
- Sergey Yunakovsky
- Vasily Berdnikov
- Andrey Dolgushev
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.
The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.
Securelist: A simple example of a complex cyberattack
blogs_securelist · 2017-09-25 · CVSS 7.8 · HIGH
Authors
- Vasily Berdnikov
- Dmitry Karasovsky
- Alexey Shulmin
## How cyberspies achieve their goals by using cheap tools and careful aiming
We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.
We detected a suspicious RTF file. The document contained an exploit to the previously known and patched vulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious document was delivered via
Zscaler: Zscaler found Multiple Security Vulnerabilities | 03-12-201
blogs_zscaler · CVSS 7.5 · HIGH