The PuzzleMaker attack exploits a zero-day Chrome vulnerability in Windows.
Researchers say that zero-day vulnerabilities fixed in Microsoft's most recent Patch Tuesday update were used in targeted attacks against businesses.
According to Kaspersky, on April 14 and 15, 2021, a wave of "targeted attacks" against multiple organizations was carried out using a chain of zero-day exploits for the Google Chrome browser and Microsoft Windows.
Kaspersky tracks the attacker under the name PuzzleMaker. The first exploit in the chain has not been recovered, but it appears to target CVE-2021-21224, a type confusion vulnerability in the V8 JavaScript engine affecting Google Chrome versions older than 90.0.4430.85.
Google released a fix for this critical vulnerability on April 20. Successful exploitation allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.
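Because the only hard indicator the report gives for the browser bug is a version threshold, the first thing a defender wants is a reliable way to find installs below it. The script below is an added example written for this article, not code from Kaspersky, Google, or the PuzzleMaker report; it takes the fixed version 90.0.4430.85 and the CVE id from the text, and the inventory lines (host names and versions) are constructed sample data. It compares versions numerically, because a plain string comparison would rank 90.0.4430.9 above 90.0.4430.85 and wrongly mark a vulnerable build as patched.

```python
"""Flag Chrome installs older than the version that fixed CVE-2021-21224.

Added example for this article, not code from Kaspersky or Google. The
fixed version (90.0.4430.85) and the CVE id come from the article; the
inventory lines below are constructed sample data.
"""
from __future__ import annotations

FIXED_VERSION = "90.0.4430.85"  # from the article: Chrome older than this is affected
CVE_ID = "CVE-2021-21224"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Numeric comparison matters: as strings, "90.0.4430.9" sorts after
    "90.0.4430.85", which would wrongly mark a vulnerable build as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: list[str]) -> dict[str, list[str]]:
    """Group host names by status from 'host,version' inventory lines.

    Lines with malformed versions are reported separately rather than
    silently skipped, since an unparseable record hides an unknown risk.
    """
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, _, version = line.partition(",")
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unparseable"
        report[status].append(host.strip())
    return report


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-finance-01,89.0.4389.128",
    "ws-finance-02,90.0.4430.85",
    "ws-hr-07,90.0.4430.9",
    "ws-legal-03,91.0.4472.77",
    "ws-lab-11,unknown",
]

if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY)
    print(f"Chrome inventory triage for {CVE_ID} (fixed in {FIXED_VERSION})")
    for status, hosts in result.items():
        print(f"{status:>11}: {', '.join(hosts) or '-'}")
```

Feed it the `host,version` export from whatever software inventory you already have; anything listed as unparseable deserves a manual look rather than being treated as patched.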
A sandbox isolates a process such as the browser's renderer from the rest of the system, so code running inside it cannot directly reach the host. For the exploit chain to work, the attacker therefore needs a sandbox escape as the next step.
According to the researchers, this escape relied on two vulnerabilities in Windows 10. Both are zero-day bugs fixed in Microsoft's latest Patch Tuesday update.
The first, CVE-2021-31955, is a Windows kernel information disclosure vulnerability in ntoskrnl.exe that was used to leak the kernel address of the EPROCESS structure of running processes. The second, CVE-2021-31956, is a buffer overflow in the Windows NTFS driver that could be exploited for elevation of privilege.
According to Kaspersky, chaining these vulnerabilities allowed the attacker to escape the sandbox and execute malicious code on the targeted machine.
Malware is then deployed in stages: a stager, a dropper, a service, and a remote shell module. The stager first checks that the exploit succeeded and, if so, retrieves the dropper module from the command-and-control (C2) server and executes it.
The dropper places two executables on the target machine, disguised as legitimate Windows files. The first is registered as a service and is used to launch the second, which contains the remote shell functionality.
This payload can be used to download and exfiltrate files or create system processes. The malware can also temporarily go to sleep or delete itself.
Organizations are encouraged to maintain a frequent patch schedule and apply the appropriate patches promptly, especially when a bug is being actively exploited. As the Microsoft Exchange Server incident in March showed, attackers move quickly once a security issue becomes public knowledge.