If you think it takes time for hackers to exploit a vulnerability then think again. Hacking group PowerPool took just two days to weaponise a 0-day exploit in the Windows task scheduler. It affects all versions of Windows from Windows 7 onwards. The vulnerability allows a hacker to gain elevated privileges. Last week, in its latest Patch Tuesday drop, Microsoft delivered a patch to deal with the problem.
The details of the 0-day vulnerability came from a security researcher via a tweet. The tweet pointed to a GitHub repository that contained a proof-of-concept executable for the 0-day. It also contained the source code and that, ultimately, enabled PowerPool to create its own sophisticated attack using the 0-day.
The speed with which PowerPool was able to act came as no surprise to some in the industry. Security vendor ESET was the first to report this vulnerability. In its coverage, last updated on September 11th, it says: “As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.”
A tweet, GitHub, source code and some fast recoding
On August 27th, a tweet from vulnerability researcher SandboxEscaper exposed a problem with the Windows task scheduler SchRpcSetSecurity API. The Advanced Local Procedure Call (ALPC) interface allowed a malicious user to obtain SYSTEM privileges. Privilege escalation is something that hackers actively search for as it gives them control over systems.
To demonstrate this was a real risk, SandboxEscaper wrote a proof-of-concept. This is how security research is done: find something, prove it is a problem and report it to a vendor. The proof and the source code were all put into a GitHub repository that was linked to the tweet. Although the tweet was quickly taken down, the code had already been copied.
The seriousness of the exploit was such that just a day after it was first exposed, CERT issued a notice warning people. This gave details of a possible mitigation but warned that it was not approved by Microsoft. The latest version of the CERT warning contains a link to the Microsoft update for CVE-2018-8440.
One of the groups that downloaded the code was PowerPool. It took PowerPool just two days to rework the source code, add a number of new features and recompile it. According to ESET, they then used that code in a series of attacks in several countries. None of the attacks were carried out through mass email campaigns. Instead, it appears that they selected their targets carefully. This seems to be an increasingly common tactic among hacking groups who want to stay under the radar.
ESET has published a fairly comprehensive description of PowerPool and its attacks.
Why does this matter
This was an unplanned exposure of a vulnerability. As such, it gave hackers time to develop and distribute attacks before Microsoft could respond. Fortunately, Microsoft was able to respond in a short period and limit the impact of this disclosure.
SandboxEscaper has faced a barrage of criticism for what happened. However, as with everything, there are multiple sides to the story. It seems that a previous bug reported by the researcher to Microsoft went unpatched for some time. It may be that this was why they decided to release this code publicly. We tried to contact them via social media and, so far, have had no response.
This case shows that, despite all the noise over bug bounties and the top prizes on offer, the system is not working well. There are private companies offering big money for 0-day exploits. Many of these then hoard them before selling them to their commercial, often government, clients. There is also a lot of money from cybergangs and hacking groups. The problem is that most researchers, no matter how much they want the money, don’t want to engage with either the private companies or the bad actors. It is clear from SandboxEscaper’s Twitter feed that this is a dilemma that this researcher is struggling with.
It is time for a more open approach to dealing with bugs. Google’s Project Zero has done a lot to step up the pressure on software vendors. Perhaps it can find a better way of helping researchers earn a living without forcing them to make less palatable choices.