Threat Signal Report

Attacks Observed in the Wild Exploiting CVE-2019-1458 (Win32k Elevation of Privilege Vulnerability)

Description

The FortiGuard SE team is aware of recent events affecting CVE-2019-1458 (Win32k Elevation of Privilege Vulnerability) which affects multiple Microsoft Windows platforms. According to reports, exploitation was observed in the wild and is linked to the actor behind the recent "Operation WizardOpium" attacks. There are no known connections to a specific threat actor at this time; however, there were observed tactics such as code reuse (Lazarus) and a watering hole attack (DarkHotel) which exhibited some similarity to these previous attacks and attackers. These could be false flag attempts by the attacker as well.

Microsoft has addressed CVE-2019-1458 in the December 2019 Patch Tuesday release.


What is the vulnerability specifically?

The vulnerability is an elevation of privilege exploit (EoP) discovered by researchers at Kaspersky, and while researching another separate vulnerability; in the Chrome browser. Exploitation of this was twofold, first leveraging a 0-day attack on the Chrome browser which was exploited and embedded within, the EoP exploit for CVE-2019-1458. Exploitation involves two stages, a small PE loader and the exploit.

Exploitation starts with rudimentary read and write via the browser via vulnerable JavaScript and at this point the PE exploit will corrupt pointers in memory to ultimately redirect code execution to the PE loader. This is ultimately to bypass various sandbox restrictions as the PE loader itself is unable to start a new process without using nonnative WinAPI functions.

Once the exploitation chain is successful, the PE loader will locate an embedded DLL file that contains the exploit and will repeat the same process as the native Windows PE loader performing various functions. Once this is complete, code execution is redirected to the DLL entry point. After this, the PE code creates a new thread, which is an entry point for the exploit, and the main thread will wait until the thread is finished.


It appears that Microsoft issued an update for CVE-2019-1948, does this address the vulnerability?

Yes.


What platforms are affected?

Windows operating systems. Specifically, various versions of Windows 10, 8, 7, RT and Windows Server 2016, 2012, and 2008 versions. Please refer to the CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability link in the APPENDIX for further details.


Has there been any observed in the wild attacks?

Yes. There have been in the wild attacks have been observed.


Has there been any attribution made toward the threat actors?

There are some overlaps with Lazarus and DarkHotel. However, this is a loose assumption due to code similarities and possible reuse in Lazarus that might signify a connection or was inserted on purpose as a false flag effort. The structure of the Korean website exhibits similarity


What is the status of AV and IPS coverage?

FortiGuard Labs has protections in place for this specific vulnerability and customers running the latest version of definitions are protected by the following IPS signature:

MS.Windows.CVE-2019-1458.Privilege.Elevation

AV coverage for this event is not feasible.


MITRE ATT&CK

ID: T1068

Tactic: Privilege Escalation

Platform: Linux, macOS, Windows

System Requirements: In the case of privilege escalation, the adversary likely already has user permissions on the target system.

Permissions Required: User

Effective Permissions: User

Data Sources: Windows Error Reporting, Process monitoring, Application logs

Version: 1.1


Telemetry


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.