Hurricane Panda, a Chinese origin attack exploiting Zero Day vulnerability in X64 Windows systems

What is Hurricane Panda?

Security researchers at CrowdStrike have discovered a highly sophisticated attack using the Zero-day vulnerability (CVE-2014-4113) which they have named as Hurricane Panda.  The CrowdStrike researchers believe the attack to originate from Chinese cyber criminals and is targeting major infrastructure companies with a zero-day exploit in X64 based Windows systems upto Windows 7.  Further, they point out that Hurricane Panda has been actively used to mount attacks and actively exploit the vulnerability in the wild for at least five months.

CrowdStrike

CrowdStrike first detected suspicious activity on a 64-bit Windows Server 2008 R2 machine that was attributed to a compromise by some outside party. Further investigations revealed that the the attacks begin with compromising web servers and deploying Chopper webshells, and then escalating privileges using the newly discovered Local Privilege Escalation tool, which exploits a previously unknown vulnerability (now patched by Microsoft).

It elevates intruder privileges to those of the SYSTEM user, and then creates a new process with these access rights to run commands, typically intelligence-gathering activities.

Here is how it works :

Subsequent analysis of the Win64.exe binary by CrowdStrike revealed that it exploits a previously unknown vulnerability to elevate its privileges to those of the SYSTEM user and then create a new process with these access rights to run the command that was passed as argument. The file itself is just 55 kilobytes in size and contains just a few functions. Here is a high-level description of its functionality:

  • Create a memory section and store a pointer to a function that will be called from the kernel when the vulnerability is triggered
  • Utilize a memory corruption vulnerability in the window manager, simulating user interaction to invoke a callback function
  • Replace the access token pointer in the EPROCESS structure with the one from the SYSTEM process
  • Execute the command from the first argument as a new process with SYSTEM privileges

CrowdStrike believes that the hackers are not run of the mill cyber criminals but highly sophisticated cyber criminal group with some state help.  Their reason for stating this is that, normal hackers dont require privileged access to systems as they are normally after files which carry personal/financial information. In the Hurricane Panda attack, CrowdStrike observed that the cyber criminals were looking to perform more advanced cyber-espionage-related actions, such as loading a kernel driver that acts as a rootkit or conducting password dumping.  This require administrative privilege access to move around and across the network.

“Adversaries often use known privilege-escalation vulnerabilities to gain administrator-level access, but true zero-day exploits are rare and therefore particularly interesting when observed in the wild. They demonstrate that an attacker has knowledge about non-public exploitable security bugs, which usually means that the exploit was either bought from a supplier or developed in-house.”

CrowdStrike also noted that the criminal mind behind the Hurricane Panda has written the exploit code is extremely well and that it has a success rate of 100 %.  The blog also notes that the hackers may have gone through considerable effort to minimize the chance of its discovery.

One of the example of the effort taken by the makers of Hurricane Panda exploit kit  is that, the escalation tool is only deployed when absolutely necessary during the intrusion operations, and is deleted immediately after use.

CrowdStrike also uncovered that Hurricane Panda’s RAT of choice has been PlugX.  This is another reason for them to believe that the exploit has originated from Mainland China.  This particular RAT has been configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries.

Hurricane Panda is striking on a daily basis, according to CrowdStrike, and the target surface is large: the bug affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen.

If you are subjected to this particular attack, Microsoft has addressed this exploit in the security bulletin MS14-058 and issued a patch that fixes the vulnerability.  You can download the fix from here and update your systems immediately.

Resource : CrowdStrike

LEAVE A REPLY

Please enter your comment!
Please enter your name here