Attacks Observed in the Wild Exploiting CVE-2019-1458 (Win32k Elevation of Privilege Vulnerability)

Description

The FortiGuard SE team is aware of recent events involving CVE-2019-1458 (Win32k Elevation of Privilege Vulnerability), which affects multiple Microsoft Windows platforms. According to reports, exploitation has been observed in the wild and is linked to the actor behind the recent "Operation WizardOpium" attacks. No connection to a specific threat actor is known at this time; however, observed tactics such as code reuse (Lazarus) and a watering hole attack (DarkHotel) exhibit some similarity to those previous attacks and attackers. These could also be false flag attempts by the attacker.

Microsoft has addressed CVE-2019-1458 in the December 2019 Patch Tuesday release.


What is the vulnerability specifically?

The vulnerability is an elevation of privilege (EoP) flaw discovered by researchers at Kaspersky while they were investigating a separate vulnerability in the Chrome browser. Exploitation was twofold: a 0-day attack on the Chrome browser was exploited first, and the EoP exploit for CVE-2019-1458 was embedded within it. The EoP exploitation itself involves two stages, a small PE loader and the exploit.

Exploitation starts with rudimentary read and write primitives obtained in the browser through the vulnerable JavaScript; at this point the exploit corrupts pointers in memory to ultimately redirect code execution to the PE loader. This is done to bypass various sandbox restrictions, since the PE loader itself is unable to start a new process without using non-native WinAPI functions.

Once the exploitation chain succeeds, the PE loader locates an embedded DLL file that contains the exploit and repeats the same steps the native Windows PE loader performs. Once this is complete, code execution is redirected to the DLL entry point. The PE code then creates a new thread, which serves as the entry point for the exploit, and the main thread waits until that thread has finished.
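As an added triage example (not code from the advisory or from the actors it describes), the following Python script scans a captured blob for embedded PE images and flags those whose file header marks them as DLLs, which is the kind of embedded payload the PE loader described above locates. The sample blob and the minimal PE-shaped images inside it are constructed here and contain no real code.

```python
import struct

IMAGE_FILE_DLL = 0x2000            # Characteristics flag set on DLL images
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def find_embedded_pe(blob: bytes):
    """Return (offset, is_dll, machine) for every plausible PE image in `blob`.

    A hit needs an 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature
    inside the blob and a known machine type, which filters stray 'MZ' bytes."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) \
                    and blob[pe:pe + 4] == b"PE\0\0":
                # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
                # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
                # Characteristics
                machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
                if machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
                    hits.append((pos, bool(chars & IMAGE_FILE_DLL), machine))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def embedded_dll_offsets(blob: bytes):
    """Offsets of embedded DLL images only, the payload type the loader unpacks."""
    return [off for off, is_dll, _ in find_embedded_pe(blob) if is_dll]


def build_fake_pe(is_dll: bool, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed, non-executable PE-shaped test data (headers only, no code)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_header


# Constructed sample: a stray 'MZ' (no PE signature), a loader-style EXE image,
# padding, then an embedded DLL image, mimicking a loader carrying its payload.
SAMPLE = (
    b"\x90" * 32 + b"MZ" + b"\x90" * 64
    + build_fake_pe(False)
    + b"\0" * 0x100
    + build_fake_pe(True, IMAGE_FILE_MACHINE_AMD64)
)

if __name__ == "__main__":
    for off, is_dll, machine in find_embedded_pe(SAMPLE):
        print(f"PE image at offset {off:#x}: dll={is_dll} machine={machine:#x}")
```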


It appears that Microsoft issued an update for CVE-2019-1458; does this address the vulnerability?

Yes.


What platforms are affected?

Windows operating systems. Specifically, various versions of Windows 10, 8, 7, RT and Windows Server 2016, 2012, and 2008 versions. Please refer to the CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability link in the APPENDIX for further details.


Have there been any observed in-the-wild attacks?

Yes. In-the-wild attacks have been observed.


Has there been any attribution made toward the threat actors?

There are some overlaps with Lazarus and DarkHotel. However, this is a loose assumption based on code similarities and possible code reuse in Lazarus, which might signify a connection or may have been inserted on purpose as a false flag effort. The structure of the Korean website exhibits similarity


What is the status of AV and IPS coverage?

FortiGuard Labs has protections in place for this specific vulnerability and customers running the latest version of definitions are protected by the following IPS signature:

MS.Windows.CVE-2019-1458.Privilege.Elevation

AV coverage for this event is not feasible.


MITRE ATT&CK

ID: T1068

Tactic: Privilege Escalation

Platform: Linux, macOS, Windows

System Requirements: In the case of privilege escalation, the adversary likely already has user permissions on the target system.

Permissions Required: User

Effective Permissions: User

Data Sources: Windows Error Reporting, Process monitoring, Application logs

Version: 1.1


Telemetry