Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days
https://www.bleepingcomputer.com/news/se...zero-days/
By Sergiu Gatlan
June 8, 2021 02:20 PM

Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.

According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims' networks were compromised.

The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.

Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.

Malware deployed with system privileges
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.

"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," the researchers said.

"This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.

"The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system."

Chrome and Windows zero-days galore
This is not the first Chrome zero-day exploit chain used in the wild in recent months.

Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.

The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.

Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:

renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
one full exploit chain targeting fully patched Windows 10 using Google Chrome
two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)

"Overall, of late, we've been seeing several waves of high-profile threat activity being driven by zero-day exploits," added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).

"It's a reminder that zero days continue to be the most effective method for infecting targets."