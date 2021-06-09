



Researchers say a zero-day vulnerability fixed in Microsoft’s recent patch Tuesday round was used in targeted attacks against businesses.

According to Kaspersky Lab, on April 14-15, 2021, a wave of “targeted attacks” against multiple organizations was tracked that used a chain of zero-day exploits against the Google Chrome browser and Microsoft Windows.

The threat actor has been named PuzzleMaker. The first exploit in the chain was not recovered, but it appears to be CVE-2021-21224, a type confusion vulnerability in the V8 JavaScript engine affecting Google Chrome versions prior to 90.0.4430.85.

Google released a patch for this critical flaw on April 20. Successful exploitation could allow a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.
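The fixed build number quoted above is the kind of value a defender compares an inventory against, and version strings must be compared numerically rather than as text (as text, "100.0.0.0" sorts before "90.0.4430.85"). The following is an added example, not code from the article or from Kaspersky; the hostnames and installed versions are constructed sample input, and the only real value in it is the fixed build 90.0.4430.85 taken from the text.

```python
"""Flag Chrome installs that predate the build containing the CVE-2021-21224 fix."""
from typing import Dict, Tuple

# First Chrome build carrying the fix, as stated in the article.
FIXED_CHROME = "90.0.4430.85"


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Tuples of ints compare component by component, which avoids the
    lexical-comparison pitfall where "100.0.0.0" < "90.0.4430.85" as strings.
    A version with fewer components (e.g. "90.0") compares as older than a
    longer one with the same prefix, which is the conservative choice here.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_CHROME) -> bool:
    """True if the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch' or 'ok' based on its reported Chrome version."""
    return {host: ("patch" if is_vulnerable(ver) else "ok")
            for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ws-01": "89.0.4389.128",
    "ws-02": "90.0.4430.72",
    "ws-03": "90.0.4430.85",
    "ws-04": "91.0.4472.77",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {verdict}")
```

In practice the inventory would come from an endpoint management or software inventory tool; the comparison logic is the part that is easy to get wrong and worth keeping in one tested function.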

The browser sandbox isolates the rendering process from the rest of the system, so arbitrary code running inside it cannot on its own reach the operating system. Escaping the sandbox is therefore the next step required for the exploit chain to work.

According to the researchers, this escape relied on two Windows 10 vulnerabilities. Both were zero-day bugs patched in Microsoft’s latest Patch Tuesday update.

The first, CVE-2021-31955, is a Windows kernel information disclosure vulnerability in ntoskrnl.exe that is used to expose the kernel address of the EPROCESS structure of a running process. The second, CVE-2021-31956, is a heap buffer overflow vulnerability in the Windows NTFS driver that can be exploited for privilege escalation.

According to Kaspersky, chaining these vulnerabilities allows the attacker to escape the sandbox and execute malicious code on the targeted machine.

Next, malware is deployed that consists of a stager, a dropper, a service, and a remote shell module. The stager first verifies that the exploit succeeded and, if so, fetches the dropper module from the command-and-control (C2) server and executes it.

The dropper then places two executables on the target machine, both impersonating legitimate Windows files. The first is registered as a service and is used to launch the second, which contains the remote shell functionality.
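A service whose binary borrows the name of a Windows system file but lives outside the system directory, or is unsigned, is the kind of persistence a defender can triage from a service inventory. The following is an added example, not code from the article or from Kaspersky: the service records are constructed, the list of system binary names and the system directories are assumptions, and the rules are generic triage heuristics rather than indicators from this campaign.

```python
"""Flag Windows services whose binary masquerades as a Windows system file."""
from dataclasses import dataclass
from typing import Dict, List

# Directories where a genuine Windows binary with these names would live (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Hypothetical set of core Windows binary names an implant might borrow.
KNOWN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "wininit.exe", "csrss.exe", "spoolsv.exe"}


@dataclass
class Service:
    name: str
    image_path: str  # ImagePath as reported by the service control manager
    signer: str      # Authenticode signer subject, "" if unsigned (assumed pre-collected)


def binary_path(image_path: str) -> str:
    """Extract the executable from an ImagePath, dropping quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)].lower()
    # Unquoted path: cut at the first ".exe" so spaces in the path survive.
    idx = p.lower().find(".exe")
    return p[:idx + 4].lower() if idx >= 0 else p.split()[0].lower()


def findings(svc: Service) -> List[str]:
    """Return a list of human-readable reasons this service deserves review."""
    exe = binary_path(svc.image_path)
    base = exe.rsplit("\\", 1)[-1]
    in_system_dir = any(exe.startswith(d + "\\") for d in SYSTEM_DIRS)
    out: List[str] = []
    if base in KNOWN_SYSTEM_NAMES and not in_system_dir:
        out.append(f"system binary name {base} outside system directory: {exe}")
    if not svc.signer:
        out.append("service binary is unsigned")
    return out


def triage(services: List[Service]) -> Dict[str, List[str]]:
    """Map service name -> findings, omitting services with nothing to report."""
    result: Dict[str, List[str]] = {}
    for s in services:
        f = findings(s)
        if f:
            result[s.name] = f
    return result


# Constructed sample inventory; none of these paths or names are real indicators.
SAMPLE_SERVICES = [
    Service("Spooler", r'"C:\Windows\System32\spoolsv.exe"', "Microsoft Windows"),
    Service("WinUpdateSvc", r'"C:\ProgramData\Update\svchost.exe" -k netsvcs', ""),
    Service("CustomBackup", r"C:\Program Files\Backup\agent.exe", "Example Backup Inc"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real host the records would be gathered with `sc qc` or the Win32_Service WMI class plus a signature check of each binary; the point of the example is the two rules, which are cheap to run over an entire fleet and independent of any particular sample's hash.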

This payload can be used to download and extract files or to create system processes. The malware can also temporarily put itself to “sleep” or delete itself from the system.

Organizations are encouraged to maintain a regular patch schedule and apply relevant fixes promptly, especially when a bug is being actively exploited. As the Microsoft Exchange Server incident in March showed, attackers move quickly as soon as a security issue becomes publicly known.

