In April 2021, Kaspersky experts discovered a series of highly targeted attacks against several companies that exploited a previously unknown chain of zero-day vulnerabilities in the Google Chrome browser and in Microsoft Windows. Because a zero-day is unknown to the vendor until someone finds it, attackers who hold one can strike before any patch exists.
One of the vulnerabilities was used to achieve remote code execution in the Chrome web browser; the other was an elevation-of-privilege exploit carefully tuned to the latest builds of Windows 10. That second stage in fact relies on two vulnerabilities in the Windows kernel: an information disclosure flaw, assigned CVE-2021-31955, and an elevation-of-privilege flaw, CVE-2021-31956. Microsoft released fixes for both as part of its monthly security update, known in the industry as Patch Tuesday.
Recent months have seen a wave of advanced threats exploiting zero-day vulnerabilities in widely used browsers and operating systems. In mid-April, Kaspersky experts identified a new wave of highly targeted exploit attacks against several companies that allowed the attackers to compromise the victims' systems without being noticed.
Kaspersky has not found a link between these attacks and any known threat actor, and has therefore named the group behind them PuzzleMaker.
The second vulnerability, the elevation-of-privilege flaw CVE-2021-31956, allowed the attackers to exploit the kernel and gain elevated privileges on the machine. They combined it with the Windows Notification Facility (WNF) to build arbitrary kernel memory read/write primitives and to execute malware modules with SYSTEM privileges.
Once the attackers had used the vulnerabilities to gain a foothold on the target system, a stager module downloaded and executed a more sophisticated dropper fetched from a remote server. The dropper in turn installed two executables disguised as legitimate Windows system files; one of them is a remote shell that can download and upload files, create processes, sleep for specified periods, and even delete itself from the infected system.
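The article does not name the two disguised executables, so there is nothing file-specific to hunt for, but one check a defender can run after reading this is to look for binaries sitting among Windows system files that are not signed by Microsoft. The PowerShell below is an added illustration written for this page, not code or indicators from the Kaspersky report; the directories searched and the output fields are this example's own choices.

```powershell
# Added example, not from the Kaspersky report: list PE files under the Windows
# system directories whose Authenticode signature is missing, invalid, or not
# issued to Microsoft. Genuine OS binaries are catalog-signed and report 'Valid'.
# $Paths is an assumption for this example; adjust to the locations you care about.
$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$Findings = Get-ChildItem -Path $Paths -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Flag anything that is not a valid, Microsoft-signed binary.
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $sig.SignerCertificate.Subject
                Written = $_.LastWriteTimeUtc
            }
        }
    }

# Most recently written files first: a freshly dropped implant tends to stand out.
$Findings | Sort-Object Written -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every file is readable. Expect some noise: third-party drivers and OEM utilities also live under System32 and will show up with their own signers, so treat the list as a triage starting point, not a verdict, and compare the flagged paths against a known-good machine of the same build.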
Despite the precise targeting of these attacks, Kaspersky experts found no link between them and any known malicious party, according to Boris Larin, senior security researcher in Kaspersky's Global Research and Analysis Team, who said this prompted his team to name the group behind the attacks PuzzleMaker. He added: “We will closely monitor the security landscape for the activity of this group and anything that may be related to it. In general, we have recently seen several waves of high-profile threat activity that exploited zero-day software vulnerabilities, which is a warning that this type of attack is still an effective way to hit targets, and we may now see an increase in the exploitation of these vulnerabilities, after they have been made public, by this party and other malicious parties. Therefore, it is important for users to update to the latest version of Windows as soon as possible.”