Menu Close

Microsoft Kills Exploited Bug – Mystery Snail Espionage Campaign!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Microsoft’s Oct. 2021 Patch Tues. included security fixes for 74 vulnerabilities, 1 of which is a zero-day being used to deliver the Mystery Snail RAT to Windows servers.

For Oct. 2021 Patch Tues. it delivers fixes for 4 zero-day vulnerabilities, 1 of which is being exploited in a far-reaching espionage campaign that delivers the new Mystery Snail RAT malware to Windows servers.

Microsoft reported a total of 74 vulnerabilities, 3 of which are rated critical.

Mystery Snail

Security researchers pointed to CVE-2021-40449, an elevation of privilege vulnerability in Win32k, as standing out from the crowd of patches, given that It’s been exploited in the wild as a zero-day.

This summer, Kaspersky researchers discovered that the exploit was being used to elevate privileges & take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) campaign from the APT Iron Husky.

The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed Mystery Snail being installed on compromised servers, with the goal of stealing data.

Compromised Hosts

Bharat Jogi, Qualsys Senior Manager of Vulnerability & Threat Research, explained on Tues. that if left unpatched, “Mystery Snail has the potential to collect & exfiltrate system information from compromised hosts, in addition to other malicious users having the ability to gain complete control of the affected system & launch further attacks.”

Jay Goodman, Automox Director of Product Marketing, told warned that these kinds of privilege elevation attacks “can be used to access beyond what the current user context of the device would allow, enabling attackers to perform unauthorised action, delete or move data, view private information, or install malicious software.”

This bug, rated Important, is found in all supported versions of Windows.

Remote Code Execution

Greg Wiseman, Rapid7 Senior Security Researcher, explained that this vulnerability is “likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems.”

Satnam Narang, Staff Research Engineer at Tenable, noted that elevation of privilege flaws “are most valuable in post-compromise scenarios once an attacker has gained access to a target system through other means, in order to execute code with elevated privileges.”

Compromised Host

Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, stated that this all points to prioritising this patch, particularly given how common these vulnerabilities are in ransomware attack chains: “Gaining this level of access on a compromised host is the 1st step towards becoming a domain admin & securing full access to a network,” he outlined.

“Almost every ransomware attack reported this year has included the use of 1 or more privilege escalation vulnerabilities as part of the attacker’s workflow, so this is serious stuff indeed.”

A Print Nightmare Fix

Other fixes released in the Oct. Patch Tues. batch include those that address what was a summer’s full of Print Spooler-related patches. There’s been a steady stream of these patches for flaws in Windows Print Spooler following June’s disclosure of the Print Nightmare vulnerability – a bug that allowed threat actors to conduct remote code execution (RCE) & to gain local system privileges.

This month’s release includes a fix for CVE-2021-36970, a spoofing vulnerability in Microsoft’s Windows Print Spooler that has a CVSSv3 score of 8.8.

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, stated that the spoofing vulnerability fix Microsoft put out today is meant to fix the problems that previous patches have introduced.

Management Problems

“While Microsoft provided a fix in their Sept. 2021 update, the patch resulted in a number of management problems,” he described. “Certain printers required users to repeatedly input their administrator credentials every time an application attempted to print or had a client connect to a print server.

“Other problems included event logs recording error messages & denying users the ability to perform basic prints” he continued. “As a result, many may have likely skipped the update due to its operational impact, ultimately leaving the risk posed by Print Nightmare in place.”

Print Spooler

This vulnerability was discovered by researchers Xue Feng Li & Zhiniang Peng of Sangfor, who were also credited with the discovery of CVE-2021-1675, 1 of 2 vulnerabilities known as Print Nightmare.

Satnam Narang, Staff Research Engineer at Tenable noted that

“While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating Print Nightmare into their affiliate playbook. We strongly encourage organisations to apply these patches as soon as possible.”

RCE Affects Microsoft Word, Office, SharePoint

Another vulnerability worth noting is CVE-2021-40486, a critical RCE affecting Microsoft Word, Microsoft Office & some versions of SharePoint Server that can be exploited via the Preview Pane.

Gina Geisel, Automox Product & Partner Marketing Professional, noted that this vulnerability is not new to Microsoft, with several other similar CVEs documented this year. In this case, the RCE vulnerability exists in some Microsoft apps when they fail to properly manage objects in memory.

Specially Crafted File

With a low attack complexity, this vulnerability requires a user opening a specially crafted file either by email or via a website, either hosted by the attacker or through a compromised website that accepts or hosts user-provided content.

“An attacker who successfully exploits this vulnerability can use this file to perform actions in the context of the current user,” Geisel explained. “For example, the file could take actions on behalf of the logged-on user with the same permissions as the current user.”

Microsoft SharePoint Server RCE

Immersive Labs’ Breen explained that this RCE vulnerability – tracked as CVE-2021-40487 rated as 8.1 out of 10 CVSS score & marked as “exploitation more likely” – will be more difficult for an attacker to exploit, given that it requires an authenticated user on the domain.

But gaining RCE on a SharePoint server “opens up a lot of avenues for further exploitation,” he noted.

“Internal SharePoint servers are often used to host company-sensitive documents and provide an intranet for staff to interact with,” Breen explained.

“If an attacker could manipulate the content of these articles or replace valid documents with malicious ones, they could steal credentials or trick targeted users into installing additional malware.”

Highest CVSS Award

CVE-2021-26427, the latest in Exchange Server RCEs, takes the severity prize this month, with a CVSS score of 9.0 out of 10. In spite of this high severity rating, Microsoft has marked it as being “exploitation less likely,” perhaps due to what Breen called the “network adjacent vector.”

So, he explained, “an attacker would already need access to your network in order to exploit this vulnerability. Email servers will always be prime targets, simply due to the amount of data contained in emails & the range of possible ways attackers could use them for malicious purposes.”

While it is not “right at the top” of Breen’s list of priorities to patch, “it’s certainly one to be wary of.”

Rapid7’s Wiseman concurs: This is a notable vulnerability, though it’s mitigated “by the fact that attacks are limited to a ‘logically adjacent topology,’” meaning, in other words, that it can’t be exploited directly over the public Internet.

Windows Hyper-V

Wiseman called on virtualisation administrators to take note of 2 RCEs affecting Windows Hyper-V: CVE-2021-40461 & CVE-2021-38672, both of which affect relatively new versions of Windows & which are considered critical.

Windows Hyper-V is a native hypervisor that can create & run virtual machines (VMs) on x86-64 systems running Windows. These 2 flaws both allow a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.

Malicious Guest VM

Christopher Hass, Autmox Director of Information Security & Research, stated that exploitation of these bugs “could allow a malicious guest VM to read kernel memory in the host.”

Neither vulnerability has been exploited publicly, & exploitation is less likely, however organisations using Hyper-V should patch these vulnerabilities as soon as possible, Hass recommended.

Domain Admin

There’s 1 bug that punches above its weight range: the DNS server remote code execution (RCE) vulnerability that’s tracked as CVE-2021-40469.

Jake Williams, Co-Founder & CTO at Breach Quest, calls this one “interesting,” as per, that curse about living in interesting times.

Its base score severity rating is 7.2, but its attack complexity is low, & an attack can be launched remotely. Exploitation does, however, require what VulDB calls “an enhanced level of successful authentication.”

Proof of Concept

Even if that makes it tough to weaponise, this bug is still potentially very nasty, given that, for one thing, it has been publicly disclosed in a proof of concept, & also that DNS servers are in such a crucial spot.

“While it will likely be difficult to weaponise, DNS servers are typically run-on domain controllers, making this extremely serious,” Williams noted.

Domain Controller

“A threat actor that gains remote code execution on a domain controller is likely to gain immediate domain administrator permissions. In the best-case scenario, they are a mere step away from taking domain administrator.”

This isn’t the 1st time that Microsoft has had to stomp on an RCE vulnerability in DNS server this year, including in March’s Patch Tues. updates. This time around, the vulnerability affects various versions of Windows 7, 8.1 & 10, as well as Windows Server.

Windows Kernel Elevation of Privilege Flaw

CVE-2021-41335, an elevation of privilege vulnerability that exists when the Windows kernel fails to properly manage objects in memory, is rated high severity, & it has been publicly disclosed in a proof-of-concept (POC) showing how successful exploitation could allow an attacker to run arbitrary code in kernel mode.

Exploitation would enable an attacker to install programs; view, change, or delete data; or create accounts with full user rights. To exploit this vulnerability, an attacker would 1st have to log on to the system & then run a specially crafted application to take control of the system.

Justin Knapp, Automox Senior Product Marketing Manager, explained that “Elevation of privilege vulnerabilities like this are often an important step in the cyber kill chain & should be immediately prioritised & patched.”

Windows App Container Firewall

Tracked as CVE-2021-41338, this vulnerability is, again, high severity – it allows an attacker to bypass the security rules of Windows App Container Firewall – as well as publicly disclosed.

App Containers are designed to protect against infiltration from 3rd-party apps. They isolate the runtime environment of applications with the goal of blocking malicious code.

This vulnerability results in loss of confidentiality & can be exploited without any user interaction.

Maarten Buis, Automox Product Marketing Manager, noted that a successful attacker that exploits this vulnerability could run arbitrary code on the endpoint, but they need to have administrative privileges before they can meaningfully exploit it.

Endpoint Conditions

“However, there is still a significant risk because no user interaction is required, & no special endpoint conditions are required for an attack to succeed,” Buis explained.

There are no reports of the vulnerability having been actively exploited – yet. Still, Automox recommends a rapid patch rollout – as in, within 72 hours of the patch being made available – given that it has been publicly disclosed in a proof of concept by James Forshaw of Google’s Project Zero.

Aleks Haugom, Automox product marketing manager, noted that, given the sheer number of apps users download, “making sure that App Containers cannot be compromised is important to every company’s security hygiene.”

How to Prioritise?

Williams said that he does not want to sound like a broken record, but he is still going to say what security experts say every Patch Tues. To wit, “Patch now.”

That is particularly true for the Mystery Snail campaign, he explained: “Seriously, this is not a patch Tues. to delay on,” he advised.

“Threat actors are actively exploiting the vulnerability for CVE-2021-40449 to elevate from user to administrator permissions on compromised systems.

Phishing Attacks

While CVE-2021-40449 does not allow for remote exploitation, that does not mean it can be taken lightly. Threat actors regularly gain access to target machines using phishing attacks & vulnerabilities such as CVE-2021-40449 allow them to evade more effectively bypass endpoint controls & evade detection.”

Besides which, Mystery Snail’s success in weaponising this flaw means that other APTs will soon follow, Williams outlined:

“Because the code for this has already been weaponised by 1 threat actor, we should expect to see it weaponised by others more quickly because there is already sample exploit code in the wild to work with.”

RCE Vulnerabilities

Danny Kim, Principal Architect at Virsec, who spent time at Microsoft during his graduate work on the OS security development team, voted for prioritising the 3 critical remote code execution vulnerabilities: CVE-2021-40469, CVE-2021-26427 & CVE-2021-40487, which affect a wide range of Windows versions.

“These vulnerabilities not only have a high to critical CVSS rating, but 2 of the 3 attacks (CVE-2021-40487, CVE-2021-40469) can be executed remotely,” he stressed. “Remote Code Execution (RCE) attacks are especially devastating because once the exploit is executed, the attackers can launch any kind of cyber-attack, including ransomware.

He noted that RCE vulnerabilities were also the root cause of the Hafnium & Kaseya attacks.

Server Workloads

“Trying to mitigate the attacker’s actions after they have gained access is significantly harder than stopping the actions that led to the successful exploit,” Kim pointed out.

“This is why runtime monitoring of enterprises’ server workloads is becoming a key part of today’s cyber-security. Stopping the exploitation of these vulnerabilities has to start with equipping the servers themselves with constant, deterministic runtime protection, not just detection.”

Virtual Conference November 2021

 

More To Explore

Community Area

Books

Home Workouts

Recipe

spaghetti Bolognese
Days
Hours
Minutes
Seconds