Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days


Apr 24, 2016
Kaspersky security researchers have discovered a new threat actor, dubbed PuzzleMaker, which used a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide.

According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims' networks were compromised.

The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.

Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions, abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.

Chrome and Windows zero-days galore

This is not the first Chrome zero-day exploit chain used in the wild in recent months.

Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.

The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.

Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
  • renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
  • two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
  • a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
  • one full exploit chain targeting fully patched Windows 10 using Google Chrome
  • two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
  • several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)

"Overall, of late, we've been seeing several waves of high-profile threat activity being driven by zero-day exploits," added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).

"It's a reminder that zero days continue to be the most effective method for infecting targets."