A previously known threat actor is using the flaw in a broad cyber-espionage campaign, security vendor warns.
Microsoft Tuesday released patches for more than 70 vulnerabilities, including a critical privilege escalation flaw in the Win32k driver that a known Chinese-speaking threat group has been exploiting in targeted attacks against defense contractors, IT companies, and diplomatic entities since at least August.
Microsoft’s batch of security updates for October also included fixes for three other publicly disclosed flaws as well as an Exchange Server vulnerability that the US National Security Agency (NSA) reported to the company. None of these flaws are known to be actively exploited currently.
CVE-2021-40449, the flaw being exploited in the wild, is a so-called use-after-free vulnerability in the Win32k kernel driver that gives threat actors a way to escalate privileges on a compromised Windows machine. The flaw is not remotely exploitable. Kaspersky discovered the zero-day threat when investigating attacks on multiple Windows Servers between late August and early September 2021. The security vendor’s analysis of the malware used in the attacks showed that it was being used in a broad cyber-espionage campaign against organizations across several sectors.
Kaspersky is tracking the campaign as “MysterySnail” and has attributed it to a threat actor known as IronHusky and Chinese-speaking advanced persistent threat activity dating back to 2012.
Boris Larin, security researcher at Kaspersky, describes the flaw as easily exploitable and allowing attackers a way to gain full control of a vulnerable system after gaining an initial foothold. “After successful exploitation attackers can do basically whatever they want — steal authentication credentials, attack other machines and services within a network and achieve persistence,” Larin says.
Currently, the exploit code for the vulnerability is not publicly available and only the IronHusky group has been observed using it. However, the fact that the flaw is being actively exploited means organizations should apply Microsoft’s patch for it as quickly as possible, Larin says. “[The] vulnerability is in the Win32k kernel driver, which is an essential component of the OS. So, unfortunately, there are no workarounds for that flaw,” he says.
Jake Williams, co-founder and CTO at BreachQuest, says organizations should not underestimate the threat that the Win32k flaw presents to their environment just because it isn’t remotely exploitable. Threat actors regularly gain access to target machines using phishing attacks, and vulnerabilities such as CVE-2021-40449 allow them to bypass endpoint controls and evade detection more effectively.
“Because the code for this has already been weaponized by one threat actor, we should expect to see it weaponized by others more quickly because there is already sample exploit code in the wild to work with,” Williams says.
Publicly Disclosed Flaws
Three other vulnerabilities from Microsoft’s October patch update that have garnered some attention because they were publicly disclosed before patches became available today are CVE-2021-40469, CVE-2021-41335, and CVE-2021-41338. CVE-2021-40469 is a remote code execution flaw in Windows DNS server. Microsoft has described successful exploits against the flaw as likely having a high impact on data confidentiality, availability, and integrity. The flaw presents a threat if the targeted server is configured to be a DNS server; however, chances of exploitability are low, Microsoft said.
Williams from BreachQuest agrees the flaw is likely difficult to weaponize. But the fact that DNS servers typically run on domain controllers makes this an extremely serious issue, he says. “A threat actor that gains remote code execution on a domain controller is likely to gain immediate domain administrator permissions. In the best-case scenario, they are a mere step away from taking domain administrator [privileges],” he notes.
CVE-2021-41335, meanwhile, is a privilege escalation flaw in the Windows Kernel, while CVE-2021-41338 is a security feature bypass flaw in the Windows AppContainer Firewall. Though both flaws were publicly disclosed prior to today’s patches and are therefore zero-day vulnerabilities, Microsoft has assessed the likelihood of the flaws being exploited as low.
The flaw in Exchange Server that the NSA reported to Microsoft (CVE-2021-26427), meanwhile, is the latest in a growing list of critical vulnerabilities that researchers have discovered in Exchange Server this year. Attackers would already need to be on a target’s network for them to be able to exploit the flaw. Microsoft says it’s exploitable if an attacker shares the same physical or local network as the target or is already within a secure or limited administrative domain.
Microsoft’s October patch update also included a patch for yet another vulnerability in the company’s Print Spooler technology. The latest flaw (CVE-2021-36970) is a spoofing vulnerability in Print Spooler that Microsoft described as being something that attackers were more likely to exploit. Previous bugs in Print Spooler — including a set of flaws referred to as PrintNightmare — sparked considerable concern because of the potential damage attackers could do by exploiting them.
Some of Microsoft’s fixes for Print Spooler flaws have exacerbated concerns over the technology.
“While Microsoft provided a fix in their September 2021 update, the patch resulted in a number of management problems,” says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. “Certain printers required users to repeatedly input their administrator credentials every time an application attempted to print or had a client connect to a print server,” he says.
Other problems, he adds, included event logs recording error messages and denying users the ability to perform basic prints.