Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days

Gandalf_The_Grey

Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.

According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims' networks were compromised.

The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.

Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.

Chrome and Windows zero-days galore

This is not the first Chrome zero-day exploit chain used in the wild in recent months.

Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.

The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.

Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
  • renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
  • two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
  • a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
  • one full exploit chain targeting fully patched Windows 10 using Google Chrome
  • two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
  • several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
"Overall, of late, we've been seeing several waves of high-profile threat activity being driven by zero-day exploits," added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).

"It's a reminder that zero days continue to be the most effective method for infecting targets."