- Apr 24, 2016
Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.
According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims' networks were compromised.
Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.
Chrome and Windows zero-days galore
This is not the first Chrome zero-day exploit chain used in the wild in recent months.
Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.
The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
"Overall, of late, we've been seeing several waves of high-profile threat activity being driven by zero-day exploits," added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).
- renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
- two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
- a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
"It's a reminder that zero days continue to be the most effective method for infecting targets."