Microsoft has fixed a Windows use-after-free vulnerability that was being actively exploited by cybercriminals in a recent malware campaign.
The zero-day vulnerability (CVE-2021-40449), patched by Microsoft in its October Patch Tuesday updates, exists in the NtGdiResetDC function of the Win32k kernel driver. This important-severity flaw requires no user interaction to exploit and could give bad actors elevated privileges on the victim’s machine.
“As with many other Win32k vulnerabilities, the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” said Boris Larin, with Kaspersky's Global Research and Analysis Team (GReAT), who discovered the flaw. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.”
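To make the callback-reentrancy pattern Larin describes concrete, here is an added C model written for this article; it is not Win32k code and not Kaspersky's or Microsoft's. All names (`dc_t`, `reset_dc_*`, the handle table) are hypothetical, and the refuse-reentry guard in the hardened variant is one generic mitigation for this bug class, not a claim about what Microsoft's patch does.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model (not Win32k code): a kernel object reached through a
 * handle table, and a reset routine that calls back into user mode mid-way. */
typedef struct { bool live; bool in_reset; } dc_t;
typedef void (*callback_t)(int handle);

#define POOL_SIZE 8
static dc_t g_pool[POOL_SIZE];   /* never reused, so a stale pointer stays visible */
static int  g_next;
static dc_t *g_table[2];         /* handle -> object */
static int  g_inner_rc;          /* result of the re-entrant (inner) call */

static dc_t *dc_alloc(void) {
    if (g_next >= POOL_SIZE) return NULL;
    dc_t *dc = &g_pool[g_next++];
    dc->live = true; dc->in_reset = false;
    return dc;
}
static void reset_world(void) { g_next = 0; g_table[0] = dc_alloc(); g_inner_rc = 0; }

/* Vulnerable shape: the pointer fetched before the callback is trusted after it.
 * 0 = ok, -1 = bad handle, -2 = touched a released object (stand-in for a UAF). */
static int reset_dc_vulnerable(int h, callback_t cb) {
    dc_t *dc = g_table[h];
    if (!dc) return -1;
    cb(h);                          /* user mode may call ResetDC(h) again here */
    if (!dc->live) return -2;       /* in real code this would be the UAF       */
    dc->live = false;               /* release old object, install a fresh one  */
    g_table[h] = dc_alloc();
    return 0;
}

/* Hardened shape: mark the object busy across the callback and refuse reentry.
 * -3 = reentrant call rejected. */
static int reset_dc_hardened(int h, callback_t cb) {
    dc_t *dc = g_table[h];
    if (!dc) return -1;
    if (dc->in_reset) return -3;    /* second ResetDC on the same handle: refused */
    dc->in_reset = true;
    cb(h);
    dc->in_reset = false;
    dc->live = false;
    g_table[h] = dc_alloc();
    return 0;
}

static void noop(int h) { (void)h; }
static void reenter_vulnerable(int h) { g_inner_rc = reset_dc_vulnerable(h, noop); }
static void reenter_hardened(int h)   { g_inner_rc = reset_dc_hardened(h, noop); }

/* Scenarios: an outer ResetDC whose callback re-enters ResetDC on the same handle. */
int run_vulnerable_scenario(void) { reset_world(); return reset_dc_vulnerable(0, reenter_vulnerable); }
int run_hardened_scenario(void)   { reset_world(); return reset_dc_hardened(0, reenter_hardened); }
int inner_result(void)            { return g_inner_rc; }
```

In the vulnerable run the inner call succeeds and swaps the object, so the outer call resumes holding a pointer to a released object; in the hardened run the inner call is refused and the outer call completes normally.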
Kaspersky researchers observed the vulnerability being exploited as part of a cluster of attacks, which they dubbed MysterySnail, in late August and early September. As part of these attacks, the bad actors were installing a remote access trojan (RAT) and leveraging the zero-day Windows flaw in order to achieve elevated privileges. The RAT had the capabilities to collect and exfiltrate data from the system, get directory lists, spawn new processes and read and delete files.
“We discovered the zero-day exploit to be used only in a relatively small number of attacks and they were highly targeted,” said Larin. “It’s clear that the goal of attackers was to keep a low profile and avoid the detection. We expect to see the increase of such attacks now when the vulnerability is already fixed but not all customers installed necessary updates.”
Upon analyzing the malware payload used alongside the exploit for the zero-day flaw, Kaspersky researchers uncovered other variants of the malware. These variants were used in espionage campaigns against various IT companies, military contractors and diplomatic entities, they said.
“Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012,” said Larin, along with Costin Raiu, director of the Global Research and Analysis Team, in a Tuesday analysis. IronHusky is a Chinese-speaking actor, first discovered in 2017, which is focused on tracking the geopolitical agenda of targets in central Asia, with a special focus on Mongolia, according to Kaspersky researchers.
Microsoft issued a fix for the flaw on Tuesday, along with 70 other vulnerabilities. One of these flaws, an important-severity remote code execution vulnerability (CVE-2021-26427), was discovered in Microsoft Exchange Server by the National Security Agency (NSA). Microsoft’s security advisory said that exploitation of this vulnerability is “less likely,” but NSA Cybersecurity Collaboration Center Director Morgan Adamski strongly encouraged Microsoft users to patch, adding that Exchange servers are “attractive targets for our adversaries,” as seen in various previous campaigns, such as the Hafnium group’s exploitation of Exchange bugs in March.
“This bug is not as severe since this exploit is limited at the protocol level to a logically adjacent topology and not reachable from the Internet,” said Dustin Childs, communications manager for the Zero Day Initiative on Tuesday. “This flaw, combined with the other Exchange bugs patched this month, should keep Exchange admins busy for a while.”
Microsoft also issued fixes for critical-severity flaws during this month’s Patch Tuesday, including two remote code execution vulnerabilities (CVE-2021-40461 and CVE-2021-38672) in Windows Hyper-V, Microsoft’s hardware virtualization product.
Of the latter bug, Microsoft said that “this vulnerability could allow a malicious guest VM to read kernel memory in the host.” According to its advisory, “To trigger this vulnerability the guest VM requires a memory allocation error to first occur on the guest VM. This bug could be used for a VM escape from guest to host.”
Another critical vulnerability (CVE-2021-40486) in Microsoft Word could allow remote code execution if a specially crafted Word document is viewed on a vulnerable system. The flaw stems from a lack of validation of the existence of an object before performing operations on the object.
“Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector. This creates a much larger attack surface,” according to Childs.