We wrote last week of a frustrated security researcher revealing a new zero-day bug for fully-patched Windows 10 PCs which would allow any software running on your PC to gain system-level privileges.
The bug is a local exploit (ie the software needs to be running on your PC already) and involves the Windows task scheduler. At the time CERT/CC was unaware of a practical solution to this problem, and Microsoft has so far not released a fix.
Now The Register reports that the sample exploit code has already found its home in an exploit kit by hacker group PowerPool which is being used to move hijacked user accounts to full system administrator-level control of already infiltrated Windows boxes in Chile, Germany, India, the Philippines, Poland, Russia, the UK, America, and Ukraine.
They quote ESET’s Matthieu Faou as saying :
“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.”
The exploit is being used to install a “reconnaissance” backdoor that takes screenshots to send to its command and control server and which can also execute can execute arbitrary commands.
While Microsoft has not released a patch yet some mitigation efforts is possible, useful for corporate and education settings with multiple users. Clever IT’s Karsten Nilsen and Google Project Zero researcher James Forshaw suggest using access controls to prevent anyone writing to the C:\Windows\Tasks directory while Kevin Beaumont has also written up how to put in place rules that will detect attempted exploits.
Microsoft had earlier said they will be releasing a fix as part of Patch Tuesday, which should be some time next week.
Read more about exactly how the exploit works at Barkly here.