MysterySnail: Kaspersky finds zero-day exploit for Windows OS
Kaspersky has uncovered a zero-day exploit for Windows OS.
In late August and early September 2021, Kaspersky’s technologies prevented a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers.
The exploit had many debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but upon closer analysis Kaspersky researchers discovered a new zero-day exploit.
Kaspersky researchers have dubbed the cluster of activity MysterySnail.
A zero-day vulnerability is an unknown software bug discovered by attackers before the vendor has become aware of it. Since the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed unexpectedly. Throughout the first half of the year, Kaspersky experts observed an increase in attacks exploiting zero-days.
According to Kaspersky, the discovered code similarity to, and re-use of, Command and Control (C&C) infrastructure led the researchers to connect these attacks with the infamous IronHusky group and Chinese-speaking APT activity dating back to 2012.
Analysing the malware payload used with the zero-day exploit, Kaspersky researchers found variants of this malware were used in widespread espionage campaigns against IT companies, military and defence contractors and diplomatic entities.
The vulnerability was reported to Microsoft and patched on October 12, 2021, as a part of the October Patch Tuesday.
“For the past few years, we have observed the set trend on the attackers’ consistent interest in finding and exploiting new zero-days," says Boris Larin, security expert at Kaspersky Global Research and Analysis Team (GReAT).
"Previously unknown to vendors vulnerabilities, they can pose a serious threat to organisations. However, most of them share similar behaviours," he says.
“That’s why it is important to rely on the latest threat intelligence and install security solutions that proactively find unknown threats."
To protect organisations from attacks exploiting the aforementioned vulnerabilities, Kaspersky experts recommend:
- Update Microsoft Windows OS and other third party software as soon as possible and do so regularly
- Use a reliable endpoint security solution powered by exploit prevention, behaviour detection and a remediation engine that is able to roll back malicious actions
- Install anti-APT and EDR solutions, enabling threat discovery and detection capabilities, investigation and timely remediation of incidents.
- Provide the SOC team with access to the latest threat intelligence and regularly upskill them with professional training.
Founded in 1997, Kaspersky is a global cybersecurity and digital privacy company. Kaspersky’s deep threat intelligence and security expertise is aims to provide innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe.
The company’s security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats.