Microsoft has released updates for its products: in total, this month the company fixed 74 bugs (81 if the Microsoft Edge vulnerabilities are included), three of which are classified as critical, four have zero-day status, and one is already being exploited by attackers.
Of the four 0-day vulnerabilities, the one already under attack is a privilege escalation issue in the Win32k kernel driver. The problem is tracked as CVE-2021-40449 (7.8 on the CVSS scale) and was discovered by Kaspersky Lab specialists.
In a detailed report, the experts said that the vulnerability belongs to the use-after-free class and was found in the NtGdiResetDC function of the Win32k driver. It leaks the addresses of kernel modules in the computer's memory, and attackers use it to elevate the privileges of another malicious process.
The bug was reportedly abused by Chinese hackers, who used it to download and launch the MysterySnail RAT. MysterySnail is reported to be used most often in espionage operations against IT companies, diplomatic organizations and companies working for the defense industry.
The experts found a number of similarities between the code and functionality of MysterySnail and the malware used by the well-known IronHusky group. Some of the C&C addresses had also already been used in 2012 in attacks by a Chinese-speaking APT group.
"In addition, quite interesting functions were implemented in the Trojan. So, the Trojan not only knows how to view the list of connected drives, but can also monitor the connection of external drives in the background. In addition, the Trojan can launch the interactive shell cmd.exe, having previously copied the cmd.exe file itself to a temporary folder under a different name," Kaspersky Lab said.
The exploit for CVE-2021-40449 supports a number of operating systems of the Microsoft Windows family: Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393), Windows 10 (build 17763), and Server 2019 (build 17763). But, according to the experts, it was written specifically to elevate privileges on server versions of the OS.
As mentioned above, this month Microsoft also fixed three other publicly disclosed vulnerabilities, which, however, have not been used in attacks:
- CVE-2021-40469 (CVSS 7.2) – Windows DNS Server remote code execution vulnerability;
- CVE-2021-41335 (CVSS 7.8) – Windows kernel privilege escalation vulnerability;
- CVE-2021-41338 (CVSS 5.5) – Windows AppContainer Firewall rules bypass vulnerability.
Let me remind you that I also reported that a new feature in Exchange Server will apply fixes automatically.