Kaspersky technologies observed a wave of "highly targeted attacks" against several companies during April 2021. According to the analysis, these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
The threat actor behind these attacks is called PuzzleMaker. Although it was not possible to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, researchers were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.
The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2), and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.
The two vulnerabilities are CVE-2021-31955, an information disclosure vulnerability, and CVE-2021-31956, an elevation of privilege vulnerability.
Both vulnerabilities (CVE-2021-31955, CVE-2021-31956) were patched on June 8, 2021, as part of the June Patch Tuesday.
Remote Code Execution Exploit
This vulnerability allows an attacker to remotely run malicious code on the target system, either on the local network or over the Internet. Physical access to the device is not required. An RCE vulnerability can lead to loss of control over the system or its components, as well as theft of sensitive data.
Researchers say that this exploit did not contain a sandbox escape and was therefore intended to work only when the browser was launched with the command line option --no-sandbox.
Google released a patch for this vulnerability less than a week after the wave of attacks was discovered.
Elevation of Privilege Exploit
The first vulnerability (CVE-2021-31955) is an information disclosure vulnerability in ntoskrnl.exe. It is associated with a Windows OS feature called SuperFetch, introduced in Windows Vista to reduce software loading times by pre-loading commonly used applications into memory.
Researchers found that the vulnerability lies in the data returned by the NtQuerySystemInformation function for the SuperFetch information class.
The second vulnerability, CVE-2021-31956, is in the ntfs.sys driver and belongs to the heap overflow class of vulnerabilities. The attackers used it together with the Windows Notification Facility to read and write kernel memory.
This exploit works on the most common Windows 10 builds: 17763 (Redstone 5), 18362 (19H1), 18363 (19H2), 19041 (20H1), and 19042 (20H2). Build 19043 (21H1) is also vulnerable, although our technologies have not detected attacks on this version.
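As an added example (not code from the report or from Kaspersky), the following Python combines two checks a defender can derive from this report: flagging Chrome launches that pass --no-sandbox, the condition the Chrome RCE exploit needed, and classifying a Windows version string against the affected Windows 10 builds listed above. The event layout, the sample events and the version strings are constructed for the example.

```python
import re

# Windows 10 builds the report names as affected by the EoP chain
# (19043 / 21H1 is listed as vulnerable but was not seen under attack).
AFFECTED_BUILDS = {
    17763: "RS5", 18362: "19H1", 18363: "19H2",
    19041: "20H1", 19042: "20H2", 19043: "21H1",
}

# Constructed process-creation events, not real telemetry; the '|'-separated
# key=value layout is a hypothetical export format chosen for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=chrome.exe --type=renderer --lang=en-US",
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=chrome.exe --no-sandbox https://example.invalid/",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe --no-sandbox.txt",
    r"Image=C:\Users\u\AppData\Local\Google\Chrome\Application\chrome.exe|CommandLine=chrome.exe --NO-SANDBOX --user-data-dir=C:\tmp",
]

# Match the switch as a whole token so e.g. '--no-sandbox.txt' is not flagged.
NO_SANDBOX = re.compile(r"(?<!\S)--no-sandbox(?!\S)", re.IGNORECASE)


def parse_event(line):
    """Split one 'k=v|k=v' event line into a dict; values may contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def flag_unsandboxed_chrome(events):
    """Return command lines of chrome.exe launches that disable the sandbox.
    The report notes the Chrome RCE exploit only worked with --no-sandbox."""
    hits = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if image.endswith("\\chrome.exe") and NO_SANDBOX.search(ev.get("CommandLine", "")):
            hits.append(ev["CommandLine"])
    return hits


def build_status(version):
    """Classify a 'Major.Minor.Build[.UBR]' Windows version string. The build
    number alone cannot prove the June 2021 fixes are installed; an affected
    build still needs its update revision checked separately."""
    m = re.fullmatch(r"10\.0\.(\d+)(?:\.\d+)?", version.strip())
    if not m:
        return "unknown"
    build = int(m.group(1))
    if build in AFFECTED_BUILDS:
        return (f"affected ({AFFECTED_BUILDS[build]}): confirm the June 2021 "
                "update for CVE-2021-31955/CVE-2021-31956 is installed")
    return "not listed as affected"
```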
Attack Chain Based on Four Malware Modules
- Remote shell
The Stager module checks that exploitation was successful and, if so, fetches the dropper module from a command-and-control (C2) server for execution.
The Dropper module is then responsible for installing two executables that pretend to be legitimate Windows files. The first is registered as a service and is used to launch the second executable, which contains remote shell functionality. This payload can download and exfiltrate files, as well as create system processes.
The remote shell module has a hardcoded URL of the C&C server inside. This module can download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.
Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Kaspersky is committed to improving defenses for its users by enhancing its technologies and working with third-party vendors to patch vulnerabilities, making the internet safer for everyone.
To safeguard your corporate environment against the exploits used in the PuzzleMaker attack, it is recommended to update Chrome and install the operating system patches that address vulnerabilities CVE-2021-31955 and CVE-2021-31956.