Bitter group launches cyber attack using Windows kernel zero-day (CVE-2021-1732)


The Bitter group, also known as T--17, is suspected to be a state-sponsored hacking group that targets Saudi Arabia, China and Pakistan. Originally discovered by Forcepoint researchers, the group has been active since 2013 and its targets include energy, research institutions, engineering and government sectors.

The group primarily uses malware such as ArtraDownloader and BitterRAT, together with techniques such as spear-phishing emails, to attack targeted users, exploiting known vulnerabilities to load remote access Trojans (RATs).

Recently, Chinese researchers discovered that the Bitter group is actively exploiting a vulnerability in the Windows 10 64-bit operating system. The vulnerability also affects the latest versions of Windows 10, such as Windows 10 20H2 64-bit. The Microsoft Security Response Center (MSRC) fixed the vulnerability, CVE-2021-1732, in the February 2021 security update.

When the exploit sample is run on the latest Windows 10 1909 64-bit environment, it first executes at medium integrity level and, after exploitation, runs at system integrity level. As shown below, the current process token has been replaced with a system process token, a common method of kernel privilege escalation.
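The integrity levels mentioned above are carried in the process token's mandatory label, so a defender or analyst can confirm the "medium before, system after" observation directly. The following script is an added example written for this article, not code from the researchers or from the exploit sample; it reads a process token's integrity RID through the documented Win32 APIs (OpenProcessToken, GetTokenInformation with TokenIntegrityLevel, GetSidSubAuthority) and maps the RID to its level name. The Windows-specific part only runs on Windows; the mapping and comparison helpers are pure Python. The `escalated_to_system` helper is an assumption of this example, a convenience for comparing a process's level before and after a suspicious event.

```python
"""Read and classify the integrity level of a Windows process token (added example)."""
import ctypes
import sys

TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25            # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Well-known mandatory label RIDs (SECURITY_MANDATORY_*_RID), ascending order.
INTEGRITY_LEVELS = [
    (0x0000, "Untrusted"),
    (0x1000, "Low"),
    (0x2000, "Medium"),
    (0x2100, "Medium Plus"),
    (0x3000, "High"),
    (0x4000, "System"),
    (0x5000, "Protected Process"),
]


def integrity_level_name(rid):
    """Map a mandatory label RID to its level name.

    RIDs that fall between two well-known values belong to the level below them,
    which is how Windows itself compares mandatory labels.
    """
    name = "Untrusted"
    for threshold, level in INTEGRITY_LEVELS:
        if rid >= threshold:
            name = level
    return name


def escalated_to_system(start_rid, current_rid):
    """True when a token moved from below System integrity up to System or higher.

    Hypothetical helper for comparing the level observed at process start with the
    level observed later, e.g. after a suspected kernel privilege escalation.
    """
    return start_rid < 0x4000 <= current_rid


def process_integrity_rid(pid=None):
    """Return the integrity RID of the token of `pid` (default: current process).

    Uses only documented kernel32/advapi32 calls; raises OSError off Windows.
    """
    if sys.platform != "win32":
        raise OSError("Windows token APIs are unavailable on this platform")
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD,
                                          ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    advapi32.GetSidSubAuthorityCount.argtypes = [ctypes.c_void_p]
    advapi32.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    advapi32.GetSidSubAuthority.argtypes = [ctypes.c_void_p, wintypes.DWORD]
    advapi32.GetSidSubAuthority.restype = ctypes.POINTER(wintypes.DWORD)

    if pid is None:
        hproc = kernel32.GetCurrentProcess()           # pseudo handle, no CloseHandle needed
    else:
        hproc = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not hproc:
            raise ctypes.WinError(ctypes.get_last_error())
    htoken = wintypes.HANDLE()
    try:
        if not advapi32.OpenProcessToken(hproc, TOKEN_QUERY, ctypes.byref(htoken)):
            raise ctypes.WinError(ctypes.get_last_error())
        needed = wintypes.DWORD(0)
        # First call sizes the TOKEN_MANDATORY_LABEL buffer, second call fills it.
        advapi32.GetTokenInformation(htoken, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        buf = ctypes.create_string_buffer(needed.value)
        if not advapi32.GetTokenInformation(htoken, TOKEN_INTEGRITY_LEVEL, buf,
                                            needed, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES, whose first field is PSID.
        sid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p)).contents.value
        count = advapi32.GetSidSubAuthorityCount(sid).contents.value
        # The integrity RID is the last sub-authority of the mandatory label SID.
        return advapi32.GetSidSubAuthority(sid, count - 1).contents.value
    finally:
        if htoken.value:
            kernel32.CloseHandle(htoken)
        if pid is not None:
            kernel32.CloseHandle(hproc)


if __name__ == "__main__":
    rid = process_integrity_rid()
    print("current process integrity: %s (0x%04x)" % (integrity_level_name(rid), rid))
```

Running the script from a normal user shell on Windows reports Medium; a process whose token has been swapped for a system token, as the article describes, reports System for the same binary, which is the mismatch an analyst would look for when confirming an escalation.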

This vulnerability, CVE-2021-1732, is a kernel-level privilege escalation vulnerability in win32kfull.sys; it is high risk and comes with a sophisticated exploit payload. It demonstrates the advanced capabilities of the APT team and highlights the strong vulnerability research and exploitation skills of the attackers.