In a blog post this week, the team says the cybercriminal fingerprinting technique has uncovered two authors selling Windows local privilege escalation (LPE) exploits. Both are thought to have already sold exploits to Russian attacks groups. Check Point says fingerprinting was developed after a customer incident. Specifically, the team found a 64-bit executable during an attack on a client. Once the file was checked, researchers found it was hosting rare debug strings. This suggests there had already been attempts to exploit the vulnerability. A leftover PDB path from the attempt was found, “…\cve-2019-0859\x64\Release\CmdTest.pdb”. This file points to an exploit that has made its way to the wild.
Fingerprinting
When looking into the file further, Check Point decided to develop a “fingerprint” that would allow them to recognize the future work of developers who create exploits. Specifically, those who attempted an exploit on this Windows file. In its blog post, the researcher says its method tracked two known exploit authors and could be expended to work on others: “Our research methodology was to fingerprint an exploit writer’s characteristics and later on use these properties as a unique hunting signature. We deployed this technique twice when tracking down Volodya’s exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.” Of the two authors, Volodya develops exploits for known Windows zero-day vulnerabilities. In fact, he was linked to 10 Windows LPE exploits. The second author found by Check Point, PlayBit, creates payloads for known security issues. PlayBit was found to have sold at least five exploits to known cybercriminal groups.