Cybersecurity solutions firm Kaspersky found a series of highly targeted attacks using a chain of Google Chrome and Microsoft Windows zero-day exploits. This is among the wave of advanced threat activity exploiting zero-days in the wild, which the security researchers dubbed as PuzzleMaker.
“While these attacks were highly targeted, we have yet to link them to any known threat actor,” said Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT). “That’s why we’ve dubbed the actor behind them ‘PuzzleMaker’ and will be closely monitoring the security landscape for future activity or new insights about this group.”
Kaspersky found that “one of the exploits was used for remote code execution in the Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target the latest and most prominent builds of Windows 10. The latter exploits two vulnerabilities in the Microsoft Windows OS kernel: Information Disclosure vulnerability CVE-2021-31955 and Elevation of Privilege vulnerability CVE-2021-31956.”
Microsoft has patched both on June 8 as part of Patch Tuesday.
“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” said Larin. “It’s a reminder that zero-days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase in their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”
Type Mismatch bug
Kaspersky experts were, however, able to find and analyze the second exploit: An elevation of privilege exploits that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. The first is an Information Disclosure vulnerability (a vulnerability that leaks sensitive kernel information), assigned CVE-2021-31955. Specifically, the vulnerability is affiliated with SuperFetch — a feature first introduced in Windows Vista that aims to reduce software loading times by preloading commonly used applications into memory.
The second vulnerability — an Elevation of Privilege vulnerability (a vulnerability that allows attackers to exploit the kernel and gain elevated access to the computer) — is assigned the name CVE-2021-31956 and is a heap-based buffer overflow. Attackers used the CVE-2021-31956 vulnerability alongside Windows Notification Facility (WNF) to create arbitrary memory read/write primitives and execute malware modules with system privileges.
Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server. This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain amounts of time, and delete itself from the infected system.
To protect your organization from attacks exploiting the aforementioned vulnerabilities, Kaspersky experts recommend:
- Update your Chrome browser and Microsoft Windows as soon as possible and do so regularly
- Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection, and a remediation engine that is able to roll back malicious actions.
- Install anti-APT and EDR solutions, enabling capabilities for threat discovery and detection, investigation, and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
- Along with proper endpoint protection, dedicated services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages before the attackers achieve their goals.