Microsoft says that a high-severity Windows zero-day vulnerability patched during the February 2021 Patch Tuesday had been exploited in the wild since at least the summer of 2020, according to its telemetry data.
The actively exploited zero-day bug is tracked as ‘CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability.’
It allows local attackers to elevate their privileges to the administrator level by corrupting kernel memory through win32k.sys, the kernel-mode driver behind the Windows windowing and graphics subsystem.
CVE-2021-1732 can be exploited by attackers with only basic user privileges, in low-complexity attacks that require no user interaction.
The one constraint is that the attacker must already be able to run code on the target; this is a local privilege escalation bug, not a remote one. In practice that prerequisite is easily met, for example by tricking the target into opening a malicious attachment delivered via a phishing email and then chaining the exploit to escalate.
Microsoft has not confirmed that this was one of the attack vectors used by threat actors in the wild.
Exploited in the wild since mid-2020
The vulnerability was discovered and reported to the Microsoft Security Response Center on December 29, 2020, by researchers at DBAPPSecurity.
According to their report, the zero-day was being actively used in targeted attacks by an advanced persistent threat (APT) group tracked as Bitter (Forcepoint) and T-APT-17 (Tencent).
Bitter is known for information theft and espionage campaigns targeting China, Pakistan, and Saudi Arabia since at least 2013 [1, 2, 3, 4].
As they observed, the threat actor was using a CVE-2021-1732 exploit specifically targeting Windows 10 1909 systems, even though the zero-day affects multiple Windows 10 and Windows Server versions, up to the latest releases at the time.
The exploit used in Bitter’s targeted attacks was uploaded to the VirusTotal public malware research platform on December 11, but Microsoft’s analysis of its telemetry data shows that threat actors had started exploiting the zero-day in mid-2020.
The company’s findings are reinforced by DBAPPSecurity’s research: the in-the-wild sample found in December carried a compilation timestamp of May 2020.
Vulnerability still under active exploitation
Since February 2021, Microsoft has seen CVE-2021-1732 exploits used only in a small number of attacks, focused on devices in the Middle East.
Taken together, this means the attackers exploited the zero-day undetected for multiple months, continued to abuse it for several weeks until Microsoft patched the bug, and are still using it in targeted attacks against systems that have not yet been updated.
In these attacks, the threat actors also use techniques designed to evade detection by security solutions while exploiting the vulnerability on unpatched devices, under specific conditions.
Microsoft provided this information in a private security advisory distributed earlier this month to Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) subscribers.
In November 2020, Microsoft patched another elevation of privilege zero-day, this one in the Windows Kernel Cryptography Driver (cng.sys), which had been found and publicly disclosed by Google’s 0-day bug-hunting team Project Zero the month before.
Before Redmond fixed it, that zero-day was also being actively used by threat actors in targeted attacks.