Posts: 15,995
Threads: 10,200
Thanks Received: 9,314 in 7,460 posts
Thanks Given: 10,253
Joined: 12 September 18
15 March 19, 08:14
(This post was last modified: 15 March 19, 08:15 by harlan4096.)
Quote:
The fourth horseman: CVE-2019-0797 vulnerability
In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery.
This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.
Kaspersky Lab products detected this exploit proactively through the following technologies:
- Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
- Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).
Kaspersky Lab verdicts for the artifacts used in this and related attacks are:- HEUR:Exploit.Win32.Generic
- HEUR:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
Continue Reading
The fourth horseman: CVE-2019-0797 vulnerability
![[Image: 190312-cve2019-0797-2.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/12131015/190312-cve2019-0797-2.png)
![[-]](https://www.geeks.fyi/images/collapse.png)
