Threat Watch

Buhtrap Found Behind Windows Vulnerability Use in the Wild

Buhtrap: Buhtrap has been found to be behind in-the-wild exploitation of the Windows zero-day CVE-2019-1132 through June 2019. CVE-2019-1132 affected older versions of Windows and allowed privilege escalation, but was patched in Microsoft's most recent Patch Tuesday. Buhtrap got their start targeting businesses and financial institutions in Russia for financial theft. In recent years, the group has been moving into cyber-espionage, targeting both government organizations and private companies. This most recent campaign has focused heavily on organizations in Eastern Europe and Central Asia. The shift from financial theft to cyber-espionage is yet another illustration that in cyber-activities the lines can easily be blurred, especially when it is unknown whether the group then uses the information for extortion or for financial gain by selling the data privately to interested parties.

ANALYST NOTES

Even though the vulnerability has been patched, it will likely remain useful to groups like Buhtrap, since many organizations are slow to apply new security patches to their systems.