The zero-day attacks coordinated by PuzzleMaker were first seen in mid-April when the first victims’ networks were compromised.
The zero-day exploit chain used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to gain access to the targeted systems.
A Zero-Day or Zero Hour attack is an attack that uses vulnerabilities in computer software that cybercriminals have discovered and software makers have not patched (because they weren’t aware that those vulnerabilities exist). These are often exploited by cyber attackers before the software or security companies become aware of them. Sometimes, Zero Days are discovered by security vendors or researchers and kept private until the company patches the vulnerabilities.
The threat actors then used an elevation-of-privilege exploit custom-tailored to compromise the latest Windows 10 versions, which abused an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956).
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability in order to run the malware modules with system privileges on compromised Windows 10 systems. The dropper is then used to install two executables, which pretend to be legitimate files from the Microsoft Windows OS.
The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.
Unfortunately, this is not the first Chrome zero-day exploit chain used in the wild in recent months: Project Zero, Google’s zero-day bug-hunting team, disclosed a large-scale operation in which a group of hackers used 11 zero-days to attack Windows, iOS, and Android users during a single year.
Project Zero researchers collected important information from the exploit servers used in the two campaigns, like:
- renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
- two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
- a “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
The 2020 attacks took place in two campaigns, one in February and one in October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting either iOS and Windows users or Android users.
The first exploit server responded to iOS and Microsoft Windows users and remained active for another week after Project Zero started retrieving the hacking tools. The second exploit server responded to Android users and stayed active for at least 36 hours.
Researchers say that the zero-day vulnerabilities fixed in Microsoft’s recent Patch Tuesday round are the ones used in targeted attacks against enterprises.
According to the researchers, this sandbox escape relied on two Windows 10 vulnerabilities, both of which are zero-day bugs that were patched in Microsoft’s latest Patch Tuesday update. In that update, Microsoft released 50 security fixes resolving critical and important issues, including six zero-days that are being actively exploited in the wild.