In the late northern Summer 2021, Kaspersky’s automated detection technologies prevented a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers. Upon closer analysis into the attack, Kaspersky researchers discovered a new zero-day exploit.
Throughout the first half of the year, Kaspersky experts have observed an increase in attacks exploiting zero-days. A zero-day vulnerability is an unknown software bug discovered by attackers before the vendor has become aware of it. Since the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed unexpectedly.
Kaspersky technologies detected a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers. This exploit had many debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that Kaspersky researchers had discovered a new zero-day. Kaspersky researchers have dubbed this cluster of activity MysterySnail.
The discovered code similarity to, and re-use of, Command and Control (C&C) infrastructure led the researchers to connect these attacks with the infamous IronHusky group and Chinese-speaking APT activity dating back to 2012.
Analysing the malware payload used with the zero-day exploit, Kaspersky researchers found variants of this malware were used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities.
The vulnerability was reported to Microsoft and patched on 12 October 2021, as a part of the October Patch Tuesday.
Kaspersky products detect and protect against the exploit for the above vulnerability and associated malware modules.
“For the past few years, we have observed the set trend on the attackers’ consistent interest in finding and exploiting new zero-days. Previously unknown to vendors vulnerabilities, they can pose a serious threat to organisations. However, most of them share similar behaviors. That’s why it is important to rely on the latest threat intelligence and install security solutions that proactively find unknown threats,” comments Boris Larin, security expert at Kaspersky Global Research and Analysis Team (GReAT).
Learn more about MysterySnail attacks with Windows zero-day on Securelist.
To protect your organisation from attacks exploiting the aforementioned vulnerabilities, Kaspersky experts recommend:
- Update Microsoft Windows OS and other third-party software as soon as possible and do so regularly.
- Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions.
- Install anti-APT and EDR solutions, enabling threat discovery and detection capabilities, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.
- Along with proper endpoint protection, dedicated services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in the early stages before attackers achieve their goals.