Espionage Attackers Were Using Windows Zero Day Vulnerability -- Redmondmag.com

Espionage Attackers Were Using Windows Zero Day Vulnerability CVE-2021-40449

By Kurt Mackie
10/13/2021

A Chinese-speaking advanced persistent threat (APT) group had been exploiting a zero-day Windows vulnerability, which got a patch from Microsoft on Tuesday, according to Kaspersky researchers.

Security solutions firm Kaspersky was credited with finding the exploited Win32k elevation of privilege vulnerability (CVE-2021-40449), which is present in most Windows client and server systems, but not in Windows 11. Kaspersky explained how it detected the zero-day problem in a Tuesday post.

Researchers at Kaspersky first noticed specific elevation-of-privilege attack activity on Windows Servers back in "late August and early September" of this year. The attackers leveraged CVE-2021-40449 for the purpose, which Kaspersky described as a "use-after-free" information disclosure issue that bypassed Windows security.

The attackers were identified by Kaspersky as a Chinese-speaking "IronHusky" APT group that's been active since 2012. This group was using the Win32k vulnerability as part of an espionage campaign, the researchers indicated:

Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.

The attackers typically dropped a remote access Trojan (RAT) to set up a command-and-control point on Windows Server. The code used in these attacks was dubbed "MysterySnail" by Kaspersky.

This attack approach branched out. Kaspersky was able to use its analysis of the MysterySnail RAT code to "discover campaigns using other variants of the analyzed malware."

Kaspersky touted its own solutions as key to nabbing zero-day flaws like this Win32k vulnerability:

Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2021-40449 is the latest addition to the long list of zero-days discovered in the wild with the help of our technologies.

Microsoft issued a patch for the vulnerability on Tuesday. CVE-2021-40449 was the only vulnerability known beforehand to have been exploited in Microsoft's October patch bundle.

The attacks possibly just affected organizations running Windows Server, according to RedPacket Security.

"So far, the MysterySnail RAT has only been spotted on Windows Servers, but the vulnerability can also be used against non-server Windows Operating Systems," RedPacket Security indicated in an announcement.

The MysterySnail code possibly is designed for attacking non-Windows systems as well, the Kaspersky researchers suggested.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.