BACKGROUND:
Researchers at Kaspersky technologies are reporting in MysterySnail attacks with Windows zero-day about a Chinese RAT attacking multiple Windows servers using a zero-day privilege escalation for insertion. Reporting: “We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules.” Excerpts:
… we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.
We are calling this cluster of activity MysterySnail. Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012.
The discovered exploit is written to support the following Windows products: Microsoft Windows: Vista, Windows 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, 10 (build 14393), Server 2016 (build 14393), 10 (build 17763) and Server 2019 (build 17763).
<p>Zero-day privilege escalation penetration attacks should be a primary concern to all security personnel. Attackers use these elevated privileges to move across the enterprise and stealthfully install malicious software like the Chinese MysterySnail. Linked to a Chinese APT group, MysterySnail Remote Access Trojan (RAT), decodes the relevant command-and-control (C2) address and attempts to connect to it for data exfiltration and data malicious executables including encryption tools for ransomware. </p>
<p>Zero-day attacks must be recognized as a fact of life for IT Security. The enterprise must practice identity security and have alerts on privilege escalation and conduct regular reviews of identities to ensure the principle of least privilege is practiced across the enterprise – to insure once a credential is compromised, the proper alerts occur and the damage in minimized.</p>
<p>Windows OS is under constant threat. This attack is an important reminder that cybersecurity requires constant vigilance and rapid response. Attackers are evolving tactics and code in an effort to find new vulnerabilities. We need to continue to invest in developing the next generation of cybersecurity professionals. The best defense against these threats is a high-caliber cybersecurity team.</p>
<p>We have the tools to find emerging professionals who have a cognitive predisposition to excelling in defensive thinking. We need this kind of expertise that is the right fit and can anticipate the next evolution of attack and move quickly to develop ways to detect and neutralize threats before they do serious harm.</p>
<p>The colorfully named MysterySnail exploit is the latest to burn a hole in Microsoft Windows’ pocket. First reported by Kaspersky, this zero-day exploit uses a Win32 kernel driver to elevate privileges on Windows systems to execute malicious code. Kaspersky reported it first to Microsoft, and while the company termed it “not crossing security boundaries”, it was recently patched.</p>
<p>With OS and application vulnerabilities arising almost daily, it’s clear that attackers are hard at work in discovering new exploits. Elevated privileges are good only if an attacker is able to get on the network in general but can result in running code that can steal data or otherwise harm the network. </p>
<p>Monitoring for unusual activity is one of the only ways of making sure that such breaches are caught and addressed quickly.</p>