Researchers discovered a highly targeted malware campaign launched in April, in which a new, unknown threat actor used two of the vulnerabilities that Microsoft said are under active attack.
Microsoft jumped on 50 vulnerabilities in this month’s Patch Tuesday update, issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.
Five of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.
The number might seem light – it represents six fewer patches than Microsoft released in May – but the number of critical vulnerabilities ticked up to five month-over-month.
Those actively exploited vulnerabilities can enable an attacker to hijack a system. They have no workarounds, so some security experts are recommending that they be patched as the highest priority.
The six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.
Critical Bugs of Note
CVE-2021-31985 is a critical RCE vulnerability in Microsoft’s Defender antimalware software that should grab attention. A similar, critical bug in Defender was patched in January. That earlier Defender bug, the most serious of the year’s first Patch Tuesday, was an RCE vulnerability that came under active exploit.
Another critical flaw is CVE-2021-31963, a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a blog post that an attacker exploiting this vulnerability “could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.”
While Microsoft reports that this vulnerability is less likely to be exploited, Goodman suggested that organizations don’t let it slide: “Patching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,” he observed.
Bugs Exploited in the Wild
Microsoft fixed a total of seven zero-day vulnerabilities. One was CVE-2021-31968, a Windows Remote Desktop Services Denial of Service Vulnerability that was publicly disclosed but hasn’t been seen in attacks. It was issued a CVSS score of 7.5.
These are the six flaws that Microsoft said are under active attack, all of them also zero-days:
- CVE-2021-31955 – Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5
- CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8
- CVE-2021-33739 – Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4
- CVE-2021-33742 – Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: Critical. CVSS 7.5
- CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
- CVE-2021-31201 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2
The RCE vulnerability, CVE-2021-33742, lies in MSHTML, a component used by the Internet Explorer engine to read and display content from websites. The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. The Zero Day Initiative’s (ZDI’s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. “It’s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,” he recommended.
The vulnerability doesn’t require special privilege to exploit, though the attack complexity is high, if that’s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.
Immersive Labs’ Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is “a simple way for attackers to deliver this exploit.” He told Threatpost via email on Tuesday that since the library is used by other services and applications, “emailing HTML files as part of a phishing campaign is also a viable method of delivery.”
Sophos decreed this one to be the top concern of this month’s crop, given that it’s already being actively exploited by malicious actors.
CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware
CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI’s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. They could be linked, he suggested: “It’s possible these bugs were used in conjunction, as that is a common technique – use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.”
He was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits: namely, these two.
In a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target “the latest and most prominent builds” of Windows 10.
“Recent months have seen a wave of advanced threat activity exploiting zero-days in the wild,” according to the release. “In mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.”
Kaspersky hasn’t yet found a connection between these attacks and any known threat actors, so it has dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. Kaspersky researchers weren’t able to retrieve the code for the exploit, but the timeline and availability suggest the attackers were using the now-patched CVE-2021-21224 vulnerability in Chrome and Chromium browsers, which allows attackers to exploit the Chrome renderer process (the processes responsible for what happens inside users’ tabs).
Kaspersky experts did find and analyze the second exploit, however: an elevation of privilege exploit that abuses two distinct vulnerabilities in the Microsoft Windows OS kernel, CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug “is affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,” they explained.
The second flaw, CVE-2021-31956, is an Elevation of Privilege vulnerability and heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) “to create arbitrary memory read/write primitives and execute malware modules with system privileges.”
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” they continued. “This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
Boris Larin, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), said that the team hasn’t been able to link these highly targeted attacks to any known threat actor: hence the name PuzzleMaker and the determination to closely monitor the security landscape “for future activity or new insights about this group,” he was quoted as saying in the press release.
If the current trend is any indication, expect to see more of the same, Larin said. “Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” he said. “It’s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase of their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”
The two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that came under active attack last month (CVE-2021-28550), ZDI’s Childs explained. “It’s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,” he explained. “It is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.”
Breen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. “Once they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,” he said. “This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.”