Zero-Day Windows Task Scheduler Vulnerability Exploited by Threat Group

On August 27, a safety scientist with the online moniker SandboxEscaper found a zero-day weakness in Windows Task Scheduler (Windows 7-10) and issued a proof-of-concept exploit for the fault on GitHub. Microsoft was not alerted to the fault and was not given time to issue a solution to avoid the fault from being abused.

Obviously, the exploit is now being used by at least one hacking group to attack companies. Cybersecurity company ESET reports that a new threat group named PowerPool has been carrying out targeted attacks using the backdoor.

The fault is present in the Advanced Local Procedure Call (ALPC) of Windows Task Scheduler. If local access to an appliance is gained, it is possible to elevate rights to SYSTEM level by overwriting certain files which are not safeguarded by filesystem access control lists.

Microsoft has not yet rectified the fault – and will likely not do so until Patch Tuesday on September 11 – even though Acros Security has issued a micropatch that will block the fault from being abused. Even though the micropatch has been available for numerous days, many companies have decided to wait until Microsoft solves the problem and remain susceptible to attack.

ESET telemetry data indicates the PowePool group has already carried out attacks using a tad altered type of the proof-of-concept exploit, which was recompiled from the source code published on GitHub. Attacks have been noticed in the US, Russia, India, Ukraine, Chile, Poland, Germany, UK, and the Philippines.

In the assaults, the group uses the exploit to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe to give its malware important consents on systems. According to a latest ESET report, the first stage of the attack involves offering the malware through electronic mail in a spam campaign that utilizes Symbolic Link (.slk) file attachments. The spam electronic mails are part of a targeted spear-phishing campaign, with the electronic mail attachment disguised as an invoice.

The first phase of the malware is used for reconnaissance to identify systems of interest that are worthy of a more wide-ranging compromise. If the system is of interest, the malware downloads an added module that is capable of carrying out commands on a compromised system, can download more files, upload data to the attacker’s C2 server, and can halt processes running on an infected appliance.

ESET notes that the second phase of the malware downloads a range of genuine tools which support the attackers to move laterally on the network and compromise additional appliances.

The published exploit has now been included in the attackers’ arsenal and is being utilized to increase privileges on a compromised system.  The exploit was utilized within 48 hours of it being circulated on GitHub. This is a typical example of what occurs when details of vulnerabilities are disclosed outside a coordinated disclosure procedure.