Developers of the antivirus software ESET NOD32 have uncovered the identities of the hackers that exploited a new Windows 10 zero-day vulnerability. The hacker group is believed to be implicated in cyber-espionage activities.
Sources say that the group, called “Buhtrap”, has not used this tactic before, suggesting that it has shifted its focus. The group’s online activities were largely halted a few years ago when its core software code base was leaked online.
The group may have reacted to this, as well as to other changing conditions affecting its online activities, by shifting its focus to information theft using new techniques. In the past, it was known for stealing money directly from servers belonging to financial institutions.
Microsoft has released a patch that closes the zero-day weakness. The bug has been identified and tagged CVE-2019-1132.
ESET NOD32 Antivirus Team Discovers Severe Windows 10 Zero-Day Vulnerability
The ESET NOD32 team is familiar with the group’s activities, which helped to identify its involvement in information theft. Rumors have been circulating that the hacker group is sponsored by one or more governments to conduct off-the-books cyber operations. Several security agencies have stepped in to deny the claims.
Security analysts are confident that the group operates mainly within Russia’s borders. Many compare it to groups such as Fancy Bear or Equation Group, with the significant difference that Buhtrap rarely takes responsibility for its actions, choosing to stay in the shadows. It has also been a group that favored money over information.
It is being reported that Buhtrap exploited the Windows vulnerability within a short time of its appearance. This is what makes the flaw a “zero-day”: it is quite likely that the group was actively searching for unpatched Windows devices whose security weaknesses it could exploit.
Researchers suggest that the group could not have had the capabilities to carry out such an operation by itself. This is why it is believed that the information leading to the exploitation of the zero-day vulnerability was bought from brokers on the dark web, possibly from groups like Volodya, which have a history of selling zero-day exploits to the highest bidder.