Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.
According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims’ networks were compromised.
The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.
Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
“This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.
“The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
This is not the first Chrome zero-day exploit chain used in the wild in recent months.
Project Zero, Google’s zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.
The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).
“It’s a reminder that zero days continue to be the most effective method for infecting targets.”
Indicators of compromise (IOCs) including malware sample hashes can be found at the end of Kaspersky’s report.