Windows users are on the trail of a MysterySnail as Microsoft patches a newly discovered zero-day under active exploitation that is being used to deliver a remote access trojan (RAT) to targets across multiple industries in a nation state-linked cyber espionage campaign.
Assigned CVE-2021-40449, the zero-day is an elevation of privilege vulnerability that affects the Win32k kernel driver. The exploit affects Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2, Microsoft Windows 10 (build 14393), Microsoft Windows Server 2016 (build 14393), Microsoft Windows 10 (build 17763) and Microsoft Windows Server 2019 (build 17763).
The MysterySnail malware itself can collect and steal system information from compromised hosts and also provides a gateway to other attacks, such as ransomware. More information on the RAT is available from Kaspersky.
The vulnerability surfaced in late summer when Kaspersky’s automated detection technology thwarted a series of attacks using an elevation-of-privilege exploit on Microsoft Windows Server to try to deliver the MysterySnail malware.
At first glance, the attacks seemed to be linked to a vulnerability first disclosed in 2016 but on digging deeper, Kaspersky’s global research and analysis team (GReAT) found the new zero-day, CVE-2021-40449, likely linked to a long-running Chinese-linked campaign by the IronHusky advanced persistent threat (APT) group, targeting IT firms, military and defence contractors, and diplomatic entities.
Immersive Labs cyber threat research director Kevin Breen urged defenders to patch against CVE-2021-40449 as a priority. “Attackers are already using it against organisations to gain admin rights,” he said. “This is the first step towards becoming a domain admin and securing full access to a network. Almost every ransomware attack reported this year has included the use of one or more privilege-escalation vulnerabilities as part of the attacker’s workflow, so this is serious stuff.”
Besides MysterySnail, Redmond issued patches for 73 other vulnerabilities and three other zero-days in its latest monthly update. The other zero-days are: CVE-2021-40469, a remote code execution (RCE) vulnerability in Windows DNS Server; CVE-2021-41335, another elevation of privilege vulnerability in Windows Kernel; and CVE-2021-41338, a firewall rules bypass vulnerability in Windows AppContainer.
Malicious actors are also likely to be paying attention to a number of other vulnerabilities, which are already being assessed by the wider security community. Tenable staff research engineer Satnam Narang drew attention to CVE-2021-39670, a spoofing vulnerability in Windows Print Spooler.
“The vulnerability was discovered by researchers XueFeng Li and Zhiniang Peng of Sangfor,” said Narang. “They were also credited with the discovery of CVE-2021-1675, one of two vulnerabilities known as PrintNightmare.
“While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook.”
Rapid7 product manager Greg Wiseman also flagged some vulnerabilities that threat actors may take an interest in. “Another notable vulnerability is CVE-2021-26427, the latest in Exchange Server RCEs,” he said. “The severity is mitigated by the fact that attacks are limited to a ‘logically adjacent topology’, meaning that it cannot be exploited directly over the public internet.
“Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege; and CVE-2021-34453, which is a denial of service vulnerability.”
Wiseman added: “Virtualisation administrators should be aware of two RCEs affecting Windows Hyper-V: CVE-2021-40461 and CVE-2021-38672. Both affect relatively new versions of Windows and are considered critical, allowing a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.”
Despite the headline bugs, October’s Patch Tuesday was notably lighter on both total and critical vulnerabilities, said Eric Feldman, senior product marketing manager at Automox. “While October brings us Halloween and all types of spookiness, fortunately our worst nightmares did not come true with this month’s Patch Tuesday. Your environment shouldn’t turn into a house of horrors.
“The trend for total number of vulnerabilities is stable, with October’s number of 74 slightly below the monthly average of 77 for the year. Good news for all ITOps and SecOps professionals is the trend for critical vulnerabilities. October’s total of three not only matches September’s low point for the year, but it represents a 66% reduction over the 2021 monthly average. And this trend looks solid when we see that October’s critical vulnerabilities number represents a 46% reduction compared to the six-month moving average.”
Feldman added: “Automox recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, in particular those highlighted this month. With a lighter load than average this month, hopefully SecOps and IT teams will not see their patching activities turned into fright night.”
