Security researchers are warning of a series of highly targeted attacks designed to compromise victim networks via Google Chrome and Microsoft Windows zero-day exploits.
The attackers are thought to have first exploited the now-patched CVE-2021-21224 remote code execution bug in Chrome.
The second stage was an elevation of privilege exploit linked to two separate vulnerabilities in the Microsoft Windows OS kernel. The first, CVE-2021-31955, can lead to disclosure of sensitive kernel information, while the second, CVE-2021-31956, is a heap-based buffer overflow bug.
Kaspersky claimed that the attackers used CVE-2021-31956 together with the Windows Notification Facility (WNF) to build arbitrary kernel memory read/write primitives and then execute malware modules with SYSTEM privileges.
Once they’ve gained a foothold in victim networks by exploiting these three flaws, the stager modules fetch and execute a more sophisticated malware dropper from a remote server, which in turn installs two executables masquerading as legitimate Windows files.
One of these is a remote shell module designed to download and upload files, create processes, lie dormant for periods of time, and delete itself from the infected system, Kaspersky said.
Microsoft patched both vulnerabilities in this week’s Patch Tuesday security update round while Google has already fixed the Chrome flaw.
The research team has yet to link the attacks to any known threat actor, and is therefore dubbing the group behind them “PuzzleMaker.”
“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits. It’s a reminder that zero days continue to be the most effective method for infecting targets,” argued Boris Larin, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase of their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”