Hackers claim to have unearthed a zero-day vulnerability that gives attackers admin rights on any Windows machine, from Windows 2000 through a fully patched version of Windows 10. The zero-day is for sale on the black market for $90,000.
Security experts say the zero-day exploit looks legitimate and in the wrong hands could be an extremely effective tool for hackers who already have a foothold in an existing computer network.
“A cyber gang would be eager to use this to leverage malware and ransomware to get a much better ROI by combining exploits,” said Ziv Mador, VP of security research at Trustwave, in an interview with Threatpost. “Also, any nation state type APT attack would easily see this as a key tool in sophisticated network penetration.”
Trustwave underscores that there is no way to know with absolute certainty whether the zero-day is legitimate without purchasing the exploit. However, Mador said there are a number of strong indicators that the exploit is legit, such as the seller offering the use of an independent escrow agent to verify that the exploit works before payment is made.
Other indicators include two videos that accompany the hacker’s for-sale listing and show the vulnerability in action. One video shows the exploit bypassing all of the protections of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) on the latest version of Windows. The second video shows a fully updated Windows 10 machine being exploited successfully, with the cmd.exe process being elevated to the SYSTEM account.
In both instances, the hacker successfully exploited a local privilege escalation vulnerability in Windows. The listing describes the exploit as an “exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000,” according to the seller.
The zero-day was noticed by Trustwave on May 11 on the underground site exploit[dot]in, where it was posted by a seller using the handle “BuggiCorp”. According to the posting, the exploit will be sold exclusively to one buyer. The seller originally offered the zero-day for $95,000, but has since dropped the price to $90,000.
“For this type of capability $95,000 USD does sound reasonable. These are relatively rare, and take a degree of expertise to develop, thus they are valuable to attackers and defenders alike,” said Logan Brown, president of Exodus Intelligence, which runs its own vulnerability purchasing program, among other offerings.
Microsoft did not return requests for comment for this report. However, Microsoft has publicly acknowledged the existence of the zero-day listing, while stressing that it cannot verify the authenticity of the claim. In a statement to Krebs On Security, Jeff Jones, a cybersecurity strategist with Microsoft, pointed out that Microsoft has a bug bounty program offering a reward of between $50,000 and $100,000 for an exploit capable of bypassing its EMET safeguards (something this exploit does).
The exploit, according to a post on Trustwave’s SpiderLabs blog, has capabilities that include turning a compromised sandbox environment into a springboard for remote code execution and a full system takeover. Additional capabilities cited by Trustwave include installing a rootkit, escalating limited control over a web server, stealing credit card data from POS systems, and installing additional malicious software on compromised systems.