Researchers from FireEye have disclosed the details of cyberattack group leveraging a Microsoft Windows zero-day flaw in targeted attacks against over 100 US companies.
Dhanesh Kizhakkinan, Yu Wang, Dan Caselden and Erica Eng from FireEye's security team said in a blog post on Wednesday that in March this year, a group of threat actors developed spear-phishing campaigns tailored for specific targets in the retail, restaurant, and hospitality industries.
The privilege escalation flaw was found in the win32k Windows Graphics subsystem and impacted Microsoft Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2012, Windows RT 8.1, and Windows 10.
According to FireEye, the threat group used the vulnerability to target companies across the US with spear phishing campaigns based on tailored emails containing malicious Microsoft Word attachments.
If a victim was duped into downloading and opening the file, embedded macros hidden within the .DOC files executed a downloader called Punchbuggy.
Punchbuggy is a dynamic-link library (DLL) downloader, available in both 32-bit and 64-bit versions, which ferries across malicious code through HTTPS. The malicious software was then used by the groups to "interact with compromised systems and move laterally across victim environments," the security team says.
Together, the Microsoft escalation of privilege (EoP) vulnerability and a point of sale (POS) memory scraping tool used by the group called Punchtrack gave the cyberattackers an avenue to attack over 100 US firms to steal both track 1 and 2 credit card data stored in PoS systems used by these companies.
The names of the companies in question, as well as the number of potential consumer victims, has not been disclosed.
"This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly," FireEye says. "These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors' operational maturity and sophistication."
FireEye believes the cybergang is "financially motivated" and is the "only group to date" which combines Punchbuggy and Punchtrack.
In order to protect against this threat, both businesses and consumers should make sure their Windows systems are fully up-to-date. This EoP vulnerability is no longer effective due to recent patch updates.