Espionage Attackers Were Using Windows Zero Day Vulnerability CVE-2021-40449

A Chinese-speaking advanced persistent threat (APT) group had been exploiting a zero-day Windows vulnerability, which got a patch from Microsoft on Tuesday, according to Kaspersky researchers.

Security solutions firm Kaspersky was credited with finding the exploited Win32k elevation of privilege vulnerability (CVE-2021-40449), which is present in most Windows client and server systems, but not in Windows 11. Kaspersky explained how it detected the zero-day problem in a Tuesday post.

Researchers at Kaspersky first noticed specific elevation-of-privilege attack activity on Windows Servers back in "late August and early September" of this year. The attackers leveraged CVE-2021-40449 for the purpose, which Kaspersky described as a "use-after-free" information disclosure issue that bypassed Windows security.

The attackers were identified by Kaspersky as a Chinese-speaking "IronHusky" APT group that's been active since 2012. This group was using the Win32k vulnerability as part of an espionage campaign, the researchers indicated:

Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.

The attackers typically dropped a remote access Trojan (RAT) to set up a command-and-control point on Windows Server. The code used in these attacks was dubbed "MysterySnail" by Kaspersky.

This attack approach branched out. Kaspersky was able to use its analysis of the MysterySnail RAT code to "discover campaigns using other variants of the analyzed malware."

Kaspersky touted its own solutions as key to nabbing zero-day flaws like this Win32k vulnerability:

Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. CVE-2021-40449 is the latest addition to the long list of zero-days discovered in the wild with the help of our technologies. 

Microsoft issued a patch for the vulnerability on Tuesday. CVE-2021-40449 was the only vulnerability known beforehand to have been exploited in Microsoft's October patch bundle.

The attacks possibly just affected organizations running Windows Server, according to RedPacket Security.

"So far, the MysterySnail RAT has only been spotted on Windows Servers, but the vulnerability can also be used against non-server Windows Operating Systems," RedPacket Security indicated in an announcement.

The MysterySnail code possibly is designed for attacking non-Windows systems as well, the Kaspersky researchers suggested.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube