As early as April, Kaspersky experts discovered a series of highly targeted cyber attacks against several companies that used previously unknown zero-day exploits for Google Chrome and Microsoft Windows. A new threat actor, PuzzleMaker, is at work.
Kaspersky has not yet been able to link the activity to any known threat actor and therefore calls this new actor PuzzleMaker. One of the exploits was used for remote code execution in the Chrome web browser; the other was an elevation-of-privilege exploit that targeted the latest builds of Windows 10. The latter chains two vulnerabilities in the Microsoft Windows operating system kernel: the information-disclosure vulnerability CVE-2021-31955 and the elevation-of-privilege vulnerability CVE-2021-31956. Microsoft patched both yesterday evening as part of Patch Tuesday.
Zero-day PuzzleMaker
There has been a considerable amount of advanced threat activity over the past few months that exploited zero-days. In mid-April, Kaspersky experts discovered a new wave of highly targeted exploit attacks against several companies, in which the attackers were able to compromise the targeted networks unnoticed. All attacks were carried out through Chrome using an exploit that enabled remote code execution.
Kaspersky researchers were unable to retrieve the code for the remote code execution exploit, but the timing and availability suggest that the attackers exploited the now patched vulnerability CVE-2021-21224. This is a type confusion bug in V8, the JavaScript engine used by Chrome and Chromium-based web browsers. It allowed the threat actors to compromise the Chrome renderer process, which is responsible for what happens inside a user's tab.
Two vulnerabilities in the Microsoft Windows kernel
However, the Kaspersky experts were able to identify and analyze the second exploit. This is an elevation-of-privilege exploit that takes advantage of two vulnerabilities in the Microsoft Windows operating system kernel. The first is an information-disclosure vulnerability, CVE-2021-31955, that leaks sensitive kernel information. The vulnerability is related to SuperFetch, a feature first introduced in Windows Vista that was designed to reduce application loading times by preloading frequently used applications into memory.
The second is an elevation-of-privilege vulnerability, CVE-2021-31956, a heap-based buffer overflow that allows attackers to compromise the kernel and gain elevated access to the computer. The attackers used CVE-2021-31956 together with the Windows Notification Facility (WNF) to build arbitrary memory read and write primitives and execute malware modules with SYSTEM privileges.
Malware dropper fetches remote shell module
Once the attackers have used both the Chrome and Windows exploits to gain a foothold on the target system, a stager module downloads a more complex malware dropper from a remote server and runs it. The dropper then installs two executables that disguise themselves as legitimate files of the Microsoft Windows operating system. The second of these two executables is a remote shell module capable of downloading and uploading files, creating processes, sleeping for a period of time, and deleting itself from the infected system. Microsoft released a patch for both Windows vulnerabilities as part of Patch Tuesday.
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com