In the course of analyzing the known exploit CVE-2021-1732 by the APT group BITTER, the Kaspersky experts discovered another zero-day exploit in the Desktop Window Manager.
So far, this cannot be associated with a known threat actor. Any code execution by cyber criminals on the victim's computer would be possible. Zero-day vulnerabilities are previously unknown software bugs. Until they are discovered, attackers can use them unnoticed for harmful activities and cause serious damage.
Exploit analysis reveals reinforcements
When analyzing the CVE-2021-1732 exploit, the Kaspersky experts found another zero-day exploit and reported it to Microsoft in February 2021. After confirming that it was indeed a zero-day, the vulnerability was named CVE-2021-28310.
According to the researchers, this exploit is used in the wild - possibly by multiple threat actors. It is a so-called EoP (Escalation of Privilege) exploit that is located in the Desktop Window Manager and that attackers can use to execute arbitrary code on a victim's computer.
Exploit tries to evade sandbox
It is likely that this exploit will be used in conjunction with other browser exploits to evade detection within a sandbox and to gain system permissions for further access. During the first analysis by Kaspersky, the entire chain of infection could not be identified. Therefore, it is not yet known whether the exploit will be used with another zero-day system or with known, patched vulnerabilities.
"The exploit was identified by our advanced exploit prevention technology and associated detection records," explains Boris Larin, security researcher at Kaspersky. “Over the past few years, we have integrated a large number of exploit protection technologies into our products, which have already recognized several zero-days and have thus repeatedly proven their effectiveness. We will continue to improve the protection of our users by continuously improving our technologies and working with third parties to fix vulnerabilities and make the internet safer for everyone." On April 13, 2021, a patch for the CVE-2021-28310 vulnerability was released.
More at SecureList at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/