Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data. Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, issued this week. According to a Tuesday analysis from Kaspersky researchers, the issue lurks in the Win32k kernel driver. It’s a use-after-free vulnerability, and “the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” they explained. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.” This ultimately results in a dangling memory pointer that points to a previously destroyed Proactive Data Container (PDC) object, according to Kaspersky. That means that a malformed PDC object can be used to perform a call to an arbitrary kernel function, and from there allows attackers to read and write kernel memory. “It’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules,” researchers said. MysterySnail RAT in Action As mentioned, the cybercriminals…
https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png 0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2021-10-12 15:34:002021-10-12 15:34:00Windows Zero-Day Actively Exploited in Widespread Espionage Campaign
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org