Discovery marks the fourth Microsoft zero-day found by Kaspersky Lab being used in the wild
Woburn, MA – March 13, 2019 – Kaspersky Lab has detected a new vulnerability in Microsoft Windows, believed to have been used in targeted attacks by at least two threat actors, including the recently discovered SandCat. This is the fourth Windows zero-day exploit that Kaspersky Lab’s Automatic Exploit Prevention technology has discovered being used in the wild. The company reported the vulnerability, which has been assigned CVE-2019-0797, and Microsoft has released a patch.
Zero-day vulnerabilities are software bugs unknown to the vendor, and therefore unpatched, at the time attackers begin exploiting them to breach a victim’s device and network. The newly discovered exploit abuses a vulnerability in the Microsoft Windows graphics subsystem to achieve local privilege escalation: an attacker who can already run code on the machine as a low-privileged user gains elevated privileges, and with them effective control of the victim’s computer. The malware sample examined by Kaspersky Lab researchers revealed that the exploit targets Windows 8 through Windows 10.
The researchers believe that several threat actors, including FruityArmor and SandCat, may have used the detected exploit. FruityArmor has used zero-day exploits in the past, while SandCat is a new threat actor that was discovered only recently.
“The discovery of a new Windows zero-day being actively exploited in the wild shows that such expensive and rare tools remain of great interest to threat actors, and organizations need security solutions that can protect against such unknown threats,” said Anton Ivanov, security expert at Kaspersky Lab. “It also reaffirms the importance of collaboration between the security industry and software developers; bug hunting, responsible disclosure and prompt patching are the best ways of keeping users safe from new and emerging threats.”
The exploited vulnerability was detected by Kaspersky Lab’s Automatic Exploit Prevention technology, embedded in most of the company’s products.
Kaspersky Lab products detect the exploit as:
- HEUR:Exploit.Win32.Generic
- HEUR:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
Kaspersky Lab recommends the following security measures for organizations to protect against zero-day threats:
- Install Microsoft’s patch for the new vulnerability as soon as possible.
- Regularly update all software used in your organization, and apply security patches as soon as they are released. Security products with Vulnerability Assessment and Patch Management capabilities may help automate this process.
- Install a proven security solution, such as Kaspersky Endpoint Security, that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
- Ensure your security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky Intelligence Reporting. For further details, contact: intelreports@kaspersky.com.
Further analysis of the newly discovered exploit is available in the full report on Securelist. To take a closer look at the technologies that detected this exploit and other Microsoft Windows zero-days, a Kaspersky Lab webinar is available to view on demand.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise are constantly translated into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact
Meghan Rimol
meghan.rimol@kaspersky.com
781.503.2671