Researchers have not been able to link the threat actors capitalizing on the bugs, but patches have been released.
In April, a number of highly targeted attacks against multiple companies used a previously undiscovered chain of Google Chrome and Microsoft Windows zero-day exploits.
One of the exploits was used for remote code execution in the Chrome web-browser, while the other was an elevation of privilege exploit fine-tuned to target the latest and most prominent builds of Windows 10. The latter exploits two vulnerabilities in the Microsoft Windows OS kernel: Information Disclosure vulnerability CVE-2021-31955 and Elevation of Privilege vulnerability CVE-2021-31956. Microsoft has patched both today as part of Patch Tuesday.
Subsequently, there has been a wave of advanced threat activity exploiting zero-days in the wild, according to Kaspersky researchers. In mid-April, they discovered yet a new wave of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks. The firm has yet to find any connection between these attacks and any known threat actors. Therefore, they have dubbed this actor PuzzleMaker.
Chrome and Windows vulnerabilities
Attacks conducted through Chrome utilized an exploit that allowed for remote code execution. While researchers were unable to retrieve the code for the remote execution exploit, the timeline and availability data suggest the attackers were using the now-patched CVE-2021-21224 vulnerability.
Regarding attacks on Windows zero day vulnerabilities, researchers were able to find and analyze the exploit: an ‘elevation of privilege’ technique that leverages two distinct vulnerabilities in the Microsoft Windows OS kernel.
- The first is an Information Disclosure vulnerability (a vulnerability that leaks sensitive kernel information), assigned CVE-2021-31955. Specifically, the vulnerability is affiliated with SuperFetch—a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory.
- The second vulnerability—an Elevation of Privilege vulnerability (a vulnerability that allows attackers to exploit the kernel and gain elevated access to the computer)—is assigned the name CVE-2021-31956 and is a heap-based buffer overflow. Attackers used the CVE-2021-31956 vulnerability alongside Windows Notification Facility (WNF) to create arbitrary memory read/write primitives and execute malware modules with system privileges.
Once attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server. This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain amounts of time, and delete itself from the infected system.
As part of Patch Tuesday, Microsoft had released a patch for both Windows vulnerabilities. According to Boris Larin, a Senior Security Researcher with Kaspersky’s Global Research and Analysis Team (GReAT): “While these attacks were highly targeted, we have yet to link them to any known threat actor. That’s why we’ve dubbed the actor behind them ‘PuzzleMaker’ and will be closely monitoring the security landscape for future activity or new insights about this group. Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits. It’s a reminder that zero days continue to be the most effective method for infecting targets.”
Now that these vulnerabilities have been made publicly known, Larin said it is possible that we will see an increase in their usage by various attackers. That means it is very important for users to apply the latest patch from Microsoft as soon as possible.