News

PuzzleMaker Cluster Attacks Companies with 0-Day Vulnerabilities in Chrome and Windows 10

Photo of Daniel Zimmermann Daniel ZimmermannJune 9, 2021
0 70 1 minute read

Kaspersky Lab specialists announced that the new PuzzleMaker group attacks companies around the world. Targeted attacks exploit a chain of zero-day vulnerabilities in the Google Chrome browser and Windows 10.

According to researchers, a new grouping PuzzleMaker stands behind the campaign, and the first attacks were discovered in mid-April 2021.

None of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the “PreviousMode” technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.researchers at Kaspersky Lab said.

The chain of vulnerabilities exploited in the attacks includes a remote code execution issue in the Google Chrome V8 JavaScript engine (as LC was unable to obtain a full exploit for this vulnerability).

While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.specialists explained.

We also investigated two vulnerabilities in Windows – CVE-2021-31955 (information disclosure in the Windows kernel) and CVE-2021-31956 (privilege escalation in Windows NTFS). Microsoft fixed both issues as part of its June Patch Tuesday.

Attackers gained access to the target system through a vulnerability in Chrome and then exploited CVE-2021-31955 and CVE-2021-31956 to compromise Windows.

According to experts, PuzzleMaker used the Windows Notification Facility (WNF) in conjunction with the exploitation of CVE-2021-31956 to execute malicious modules on the system.

After exploiting vulnerabilities in Chrome and Windows to access the target system, the attackers initiated a download from a remote server and execution of a more complex dropper […] This dropper installs two executable files masked as legitimate Windows files. The second of these files is a shell capable of unloading files, creating processes, going into sleep mode for a specified time, and deleting itself from the infected system.the researchers told.

Let me remind you that we wrote that Most of the exploits for 0-Day vulnerabilities are developed by private companies.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Tags
Photo of Daniel Zimmermann Daniel ZimmermannJune 9, 2021
0 70 1 minute read
Photo of Daniel Zimmermann

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Tool for solving CAPTCHA

Experts created a tool for solving CAPTCHA in the dark web

January 18, 2022
Comac C919 hacker attack and espionage

Crowdstrike: the creation of the Chinese Comac C919 aircraft was accompanied by hacker attacks and cyber espionage

October 18, 2019
android outlook app

Information security experts published an exploit for Outlook for Android vulnerability

June 27, 2019
access to SolarWinds hackers servers

IS experts gained access to the servers of hackers who attacked SolarWinds

March 22, 2021

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | Adware.Guru;
Back to top button