Kaspersky technologies detected a wave of ‘highly targeted attacks’ against multiple companies during April 2021. Analysis showed that all of these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
The threat actor behind these attacks has been named PuzzleMaker. Although it was not possible to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, researchers were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.
The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2), and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.
The two vulnerabilities are CVE-2021-31955, an information disclosure vulnerability, and CVE-2021-31956, an elevation of privilege vulnerability.
Both vulnerabilities (CVE-2021-31955, CVE-2021-31956) were patched on June 8, 2021, as part of the June Patch Tuesday.
Remote Code Execution Exploit
An RCE vulnerability allows an attacker to remotely run malicious code on the target system over the local network or the Internet; physical access to the device is not required. It can lead to loss of control over the system or its components, as well as theft of sensitive data.
Researchers say that this exploit did not contain a sandbox escape and was therefore intended to work only when the browser was launched with the command-line option --no-sandbox.
Google released a patch for this vulnerability less than a week after the wave of attacks was discovered.
Elevation of Privilege Exploit
The vulnerability (CVE-2021-31955) is an information disclosure vulnerability in ntoskrnl.exe. It is related to a Windows OS feature called SuperFetch, introduced in Windows Vista to reduce software loading times by pre-loading commonly used applications into memory.
Researchers found that the vulnerability lies in the data returned by the NtQuerySystemInformation function for the SuperFetch information class.
The second vulnerability, CVE-2021-31956, is in the ntfs.sys driver and belongs to the heap overflow class of vulnerabilities. Malefactors used it along with the Windows Notification Facility for reading and writing data to memory.
This exploit works on the most common Windows 10 builds: 17763 (Redstone 5), 18362 (19H1), 18363 (19H2), 19041 (20H1), and 19042 (20H2). Build 19043 (21H1) is also vulnerable, although Kaspersky's technologies have not detected attacks on this version.
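As an added, defender-side example (not code from the article or from Kaspersky), the following Python audits a host for the two conditions the text above makes concrete: a Windows 10 build from the vulnerable list, and chrome.exe started with --no-sandbox, which the RCE exploit required. It assumes process-creation records with pid, ppid, image and command line, as an EDR or Sysmon would log them; the renderer-child heuristic is a general sandbox-escape indicator, not something the article states.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Set

# Windows 10 builds the article lists as affected by the EoP chain
# (CVE-2021-31955 / CVE-2021-31956); fixes shipped on June 8, 2021.
VULNERABLE_BUILDS = {17763, 18362, 18363, 19041, 19042, 19043}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name, e.g. "chrome.exe"
    cmdline: str   # full command line as logged

def _args(cmdline: str) -> Set[str]:
    # Tokenise so "--no-sandbox" must be a whole argument: a URL or file
    # name that merely contains the string must not trigger a finding.
    # posix=False leaves Windows quoting and backslashes untouched.
    return {tok.lower() for tok in shlex.split(cmdline, posix=False)}

def audit(events: List[ProcEvent], os_build: int) -> List[str]:
    findings: List[str] = []
    if os_build in VULNERABLE_BUILDS:
        findings.append(f"build {os_build} needs the June 2021 patches for "
                        f"CVE-2021-31955 / CVE-2021-31956")
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    for e in events:
        if e.image.lower() == "chrome.exe":
            if "--no-sandbox" in _args(e.cmdline):
                findings.append(f"pid {e.pid}: chrome.exe launched with --no-sandbox")
            continue
        # Heuristic (assumption, not from the article): a Chrome renderer
        # (--type=renderer) normally never creates child processes, so a
        # non-Chrome child of one is a sandbox-escape indicator.
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == "chrome.exe" \
                and "--type=renderer" in _args(parent.cmdline):
            findings.append(f"pid {e.pid} ({e.image}) spawned by Chrome renderer pid {e.ppid}")
    return findings

CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "chrome.exe", CHROME + " --no-sandbox"),
    ProcEvent(1001, 1000, "chrome.exe", CHROME + " --type=renderer --lang=en-US"),
    ProcEvent(1002, 1001, "cmd.exe", "cmd.exe /c ver"),
    ProcEvent(2000, 1, "chrome.exe", CHROME + " https://example.test/?q=--no-sandbox"),
]
```

Running `audit(SAMPLE_EVENTS, 19042)` reports the unpatched build, pid 1000 and pid 1002, while pid 2000 stays silent because its URL only contains the flag text.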
Attack Chain based on Four Malware Modules
- Stager
- Dropper
- Service
- Remote shell
The Stager module checks that exploitation was successful and, if so, fetches the dropper module from a command-and-control (C2) server for execution.
The Dropper module is then responsible for installing two executables that pretend to be legitimate Windows files. The first is registered as a service and is used to launch the second executable, which contains remote shell capabilities. This payload can download and exfiltrate files, as well as create system processes.
The remote shell module contains a hardcoded URL of the C2 server. It can download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.
Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Kaspersky says it continues to improve defenses for its users by improving its technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.
To safeguard your corporate security against the exploits used in the PuzzleMaker attack, it is recommended to update Chrome and install the operating system patches that address vulnerabilities CVE-2021-31955 and CVE-2021-31956.