Six of the vulnerabilities that Microsoft fixed in its June Patch Tuesday update have been exploited in the wild, including two that were used along with a Chrome flaw as part of an exploit chain in targeted attacks in April.
Those attacks affected a small number of companies and researchers at Kaspersky dug into the details of the exploits and discovered the two Windows flaws, one of which is an information disclosure (CVE-2021-31955) and the other is an elevation of privilege (CVE-2021-31956). The flaws affect all of the current versions of Windows, and the attacks that Kaspersky observed in April used a separate Chrome zero day to gain initial access to victims’ computers.
“All of the observed attacks were conducted through Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with full exploit code, but the timeframe of attacks and events preceding it led us to suspect one particular vulnerability.
“On April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public,” Kaspersky researchers wrote in a post.
“This newly published exploit used a vulnerability from issue 1195777, worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021. We suspect the attackers were also able to use this JavaScript file with regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.”
The Kaspersky researchers were not able to retrieve the Chrome exploit, but they identified four separate modules that are installed on compromised machines after the exploit chain is used. There is a stager, a dropper, a service, and a remote shell module, and all of the stager modules downloaded the other pieces from site that’s designed to look like a legitimate news site.
“The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn’t find any similarities between this and other known malware,” the Kaspersky researchers said.
In addition to the two vulnerabilities used in those attacks, Microsoft patched a vulnerability discovered by a researcher from Google Project Zero that has been used in attacks, as well. That flaw (CVE-2021-33742) is in the Windows MSHTML browser engine, and Google researchers said there are indications that it was sourced from a commercial exploit broker.
“More details will be on CVE-2021-33742 will come from the team, but for context this seem to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting,” Shane Huntley, director of Google’s Threat Analysis Group, said on Twitter.
“I'm happy we are getting better at detecting these exploits and the great partnerships we have to get the vulnerabilities patched, but I remain concerned about how many are being discovered on an ongoing basis and the role of commercial providers.”
The three other vulnerabilities patched in June that have been exploited are CVE-2021-33739, CVE-2021-31199, and CVE-2021-31201, but no details are available about the exploitation.