Hackers have used a Windows zero-day privilege escalation vulnerability to target more than 100 companies in North America. The operation was elaborate and hit businesses mainly in the hospitality, restaurant and retail sectors during March. Security researchers at FireEye assess that the group behind the attacks is well organized.
The attacks were initiated by spear-phishing: targeted e-mails carrying Word documents with malicious macros that dropped Punchbuggy, a DLL downloader that gave the attackers access to the infected computer and free rein to roam the connected networks. Point-of-sale (PoS) malware, which FireEye calls Punchtrack, was also deployed to steal payment card details from Tracks 1 and 2 (most cards have two ‘tracks’ on the magnetic stripe, and each contains enough cardholder data to complete a transaction). What makes the attack sophisticated is that Punchtrack is launched very discreetly and is highly evasive: it is loaded by an obfuscated launcher and is never written to the infected machine’s disk.
FireEye observed that in some attacks the hackers exploited a Windows local privilege escalation vulnerability (CVE-2016-0167) that was unpatched at the time. The zero-day attacks were first spotted by the security team on March 8. Microsoft patched the vulnerability on April 12 (MS16-039) and has since hardened systems against similar exploits with a further update released this month (MS16-062).
Using the remote access provided by the macro-delivered Punchbuggy DLL, the attackers ran the exploit for the Windows vulnerability on the compromised host to acquire SYSTEM privileges. FireEye has been able to monitor this hacking group for the last twelve months because it is the only criminal group presently known to use the Punchbuggy and Punchtrack malware. Commenting on the operation in a blog post, the company wrote:
“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication.”
FireEye is presently monitoring other cyber-crime gangs as well; one it calls FIN6 stole card data belonging to millions of customers in a separate series of PoS intrusions. Those card details are believed to have been sold on underground card-shop markets.