Security researchers from CloudSEK have spotted a new exploit from hacktivist group DragonForce Malaysia capable of performing Windows servers’ local privilege escalation (LPE) and local distribution router (LDR) actions on Indian servers.
The attack was reportedly illustrated in a PoC (proof of concept) video earlier this month and subsequently analyzed by CloudSEK in an advisory released on Thursday.
The cybersecurity experts said they used the company’s contextual artificial intelligence (AI) digital risk monitoring platform XVigil to identify a post on a Telegram channel where the hacktivist group posted the video describing the exploit.
The pro-Palestinian hacktivist group based in Malaysia published the post on June 23 2022 and attributed the new exploit to a threat actor named “impossible1337”.
In the same video, DragonForce Malaysia also announced plans to convert into a ransomware group. It then reposted the claims on other social media channels and websites.
“The group published a blog on their official website, thereby announcing their plans to conduct mass spreading and ransomware attacks,” wrote CloudSEK. “Following their blog post, a significant amount of chatter was observed on Twitter, which received a lot of criticism.”
According to the security researchers, the primary objective of the attack was to “get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.”
To mitigate the impact of the new vulnerability, CloudSEK advised India-based companies and institutions to patch the Windows servers by updating all software to the latest available version, or alternatively “resort to the latest workarounds provided by the vendor.”
Additionally, the company said system administrators should audit and monitor anomalies in networks that could be indicators of possible compromise.
As technical information about the impossible1337 exploit is still not publicly available, it is unclear at the time of writing if updating systems will be enough to defend against the attack.
Infosecurity Magazine has reached out to Microsoft and will be updating this article with any response from them.