Privilege escalation bug becomes a case study in exploit integration and threat detection

On August 27, a researcher with the Twitter handle ‘SandboxEscaper’ kicked up a storm in the security community, as they published details of a zero-day vulnerability impacting Microsoft Windows’ Task Scheduler component.

The bug allows for privilege escalation in the scheduler’s Advanced Local Procedure Call (ALPC) interface – effectively giving an attacker administrative rights over a machine.

Rather than alerting Microsoft to the flaw, the researcher made details of the vulnerability public via social media, complete with a link to a GitHub repo containing a compiled exploit and its source code.

In a security update on Wednesday, Slovakian cybersecurity firm ESET said it took just two days before a threat group dubbed ‘PowerPool’ started to make use of the ALPC local privilege escalation (LPE) zero-day, albeit in a modified form.

PowerPool’s power play

Although ESET said the campaign has impacted a small number of victims, the Task Scheduler saga has become an interesting case study that demonstrates the sheer speed with which criminals can incorporate newly disclosed vulnerabilities into their campaigns.

“The disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk,” warned ESET’s Matthieu Faou. “In this case, even the most up-to-date version of Windows could be compromised as no patch was released when the vulnerability and exploit were published.”

For many who watched the situation unfold over the past two weeks, the privilege escalation zero-day has become just another example of the difficulties faced by those who are tasked with combating cybersecurity threats.

Amidst the doom and gloom, however, ESET’s actions offer more than a glimmer of hope, as PowerPool’s swift integration of the flaw has been countered by the security company’s equally agile response.

ESET’s detailed security report lays out the group’s tactics, techniques and procedures (TTPs) for all to see – information that will disseminate across the security landscape and, with any luck, help reduce the likelihood of the campaign spreading further.

Collaboration in the face of adversity

ESET’s latest revelations surrounding the PowerPool cybercrime campaign come less than two months after the firm was appointed to Europol’s advisory group on internet security within the agency’s European Cybercrime Centre (EC3).

Righard Zwienenberg, IT security veteran and senior research fellow at ESET, is now representing the company within the advisory group, joining counterparts from more than 20 security firms.

Since its establishment, EC3 has been involved in numerous high-profile operations and hundreds of on-the-spot operational support tasks.

The EC3 advisory group – ostensibly comprised of industry competitors – is proving to be an important tool in the fight against cybercrime. Indeed, amid an ever-evolving global threat landscape, it’s clear that collaboration between those within the security community is now more important than ever.

“We had cooperated with [EC3] before, when ESET was asked to join the effort of the disruption of the Gamarue botnet,” Zwienenberg told The Daily Swig.

“We hope that providing data from ESET Threat Intelligence will bring pieces of the puzzle on the table that by themselves are not that meaningful, but when these turn out to be a bridge between campaigns, connecting cybercrime dots.”

According to Zwienenberg, combined data can be a powerful tool, and this is something that can help protect users in the ongoing fight against cybercriminal operations.

“ESET is devoted to protecting our customers,” he said. “If partnerships, either private or public, help us to establish that goal, ESET is always interested in cooperation.”