image
Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data. Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, issued this week. According to a Tuesday analysis from Kaspersky researchers, the issue lurks in the Win32k kernel driver. It’s a use-after-free vulnerability, and “the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” they explained. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.” This ultimately results in a dangling memory pointer that points to a previously destroyed Proactive Data Container (PDC) object, according to Kaspersky. That means that a malformed PDC object can be used to perform a call to an arbitrary kernel function, and from there allows attackers to read and write kernel memory. “It’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules,” researchers said. MysterySnail RAT in Action As mentioned, the cybercriminals…

Source