Specialists at cybersecurity firm Trend Micro have confirmed that a hacker or hacker group has begun exploiting a flaw in their antivirus solutions in order to obtain administrator privileges on some Windows systems. Tracked as CVE-2020-24557, this vulnerability resides in Apex One and OfficeScan XG, two security products specially designed for enterprise customers.
This flaw was reported a few months ago by Christopher Vella, a Microsoft researcher who notified the creators of these products through the Zero-Day Initiative vulnerability reporting program.
While the failure was fixed in 2020, a security update mentions that the error would have been used to attack some business customers who have not updated vulnerable deployments: “The specific failure exists within the logic that controls access to the Misc folder,” the initial report said. “Attackers can take advantage of this vulnerability to scale privileges and execute code in the context of SYSTEM.”
According to this report, the flaw cannot be used to enter systems, although it has been used as a second step in a multi-phase exploit chain after hackers install malicious code on the user’s computer. Although Trend Micro did not share any details about the exploited hackers this flaw, a source close to the reports mentions that the error was used by an advanced persistent threat (APT).
This is the fourth vulnerability in Apex One and OfficeScan XG security products that has been exploited in real-world scenarios after CVE-2019-18187, CVE-2020-8467, and CVE-2020-8468; the first three failures were exploited in 2019 and 2020, while the first was used by a Chinese cyberespionage group during an attack on Mitsubishi Electric.
News about hackers exploiting Trend Micro’s vulnerability comes a day after FireEye revealed that several cybercriminal groups had exploited a zero-day failure in Pulse Secure and SonicWall products.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.