Exploitation of a recent zero-day vulnerability in Microsoft's Windows platform has been attributed to a little-known hacking group called Buhtrap. Antivirus firm ESET discovered the attack and says the flaw was already being exploited in the wild before it was patched.
In a post, the Slovak company says Buhtrap has been exploiting the vulnerability for cyber-espionage. Microsoft patched the zero-day in its July Patch Tuesday cumulative updates.
Tracked as CVE-2019-1132, the flaw is one we discussed earlier in the week. It affects Windows 7 and Windows Server 2008. Microsoft describes it as a Win32k elevation of privilege vulnerability, meaning it is a local privilege escalation: an attacker must already be able to run code on the machine before using it to gain kernel-mode execution.
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the company explains.
The most interesting aspect of this story is the Buhtrap group itself, which is relatively obscure. Buhtrap is known for targeting financial companies to steal money from them. The group has been active since at least 2014, when it began hitting Russian businesses and banks.
ESET told ZDNet that Buhtrap has been changing its tactics in recent years, moving to targeting governments.
“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions,” ESET said.