PuzzleMaker attacks exploit Windows zero-day, Chrome vulnerabilities
Researchers say zero-day vulnerabilities fixed in Microsoft’s recent Patch Tuesday round have been used in targeted attacks against the enterprise.
According to Kaspersky, a wave of “highly targeted attacks” on several organizations was traced that utilized a chain of zero-day exploits in the Google Chrome browser and Microsoft Windows systems over April 14 and 15, 2021.
The attackers have been named PuzzleMaker. The first exploit in the chain, while not confirmed, appears to be CVE-2021-21224, a V8 type confusion vulnerability in the Google Chrome browser prior to 90.0.4430.85.
Google issued a patch for the severe flaw on April 20, which if exploited, allowed remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page.
Sandboxes, by design, are intended for developer environments, tests, and protection, and so segregate activities away from a main system. For an exploit chain to work, a sandbox escape would then be a necessary next step.
According to the researchers, this escape was found in two Windows 10 vulnerabilities — both of which are zero-day bugs that were patched in Microsoft’s latest Patch Tuesday update.
The first, CVE-2021-31955, is a Windows Kernel information disclosure vulnerability in the file ntoskrnl.exe, used to expose the addresses of the Eprocess structure kernel for executed processes. The second, CVE-2021-31956, is a heap buffer overflow vulnerability in the Windows NTFS driver that can be exploited for privilege escalation.
Kaspersky says that when chained together, the vulnerabilities allowed the attacker to escape the sandbox and execute malicious code on a target machine.
Malware is then deployed which includes stager, dropper, service, and remote shell modules. The first module will first check that exploitation was a success, and if so, will grab the dropper module from a command-and-control (C2) server for execution.
Two executables then land on the target machine which masquerades as legitimate Windows files. The first is registered as a service and is used to launch the second executable, which contains remote shell capabilities.
This payload is able to download and exfiltrate files, as well as create system processes. The malware is also capable of putting itself to ‘sleep’ for a time or self-destruct.
It is recommended that organizations maintain frequent patch schedules and apply relevant fixes — more so if bugs are being actively exploited. As we saw with the Microsoft Exchange Server incident in March, attackers will quickly jump on security issues as soon as they are publicly known.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
