MysterySnail: Kaspersky finds zero-day exploit for Windows OS

Utrecht, October 13, 2021 – After analyzing a series of blocked attacks in the late summer of 2021, Kaspersky researchers discovered a new zero-day vulnerability that was being exploited for elevation of privilege on multiple Microsoft Windows servers.

During the first half of the year, Kaspersky experts observed an increase in attacks using zero-days. A zero-day vulnerability is a previously unknown software bug that attackers discover before the software vendor knows about it. Because the vendor is unaware of the bug, no patch exists for it, and attacks that exploit it have a high chance of success.

Kaspersky discovered a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit contained many debug strings from an older, publicly known exploit for the vulnerability CVE-2016-3309, but closer analysis revealed that the Kaspersky researchers had found a new zero-day. The researchers call this cluster of activity MysterySnail.

The code overlap with, and reuse of, Command and Control (C&C) infrastructure led the researchers to link these attacks to the notorious IronHusky group and to Chinese-speaking APT activity dating back to 2012.

Kaspersky researchers analyzed the malware payload used with the zero-day vulnerability and found that variants of this malware were used in widespread espionage campaigns against IT companies, military and defense suppliers, and diplomatic parties.

The vulnerability was reported to Microsoft and patched on October 12, 2021, as part of the October Patch Tuesday.

Kaspersky products detect and protect against the exploit for the aforementioned vulnerability and associated malware modules.

Boris Larin, security expert at Kaspersky Global Research and Analysis Team (GReAT): “Over the past few years, we have seen a trend in attackers showing a consistent interest in finding and exploiting new zero-days. With previously unknown vulnerabilities from suppliers, they can pose a serious threat to organizations. That’s why it’s important to rely on the latest threat intelligence and install security solutions that proactively detect unknown threats.”

Read more about this new zero-day on Securelist.

To protect your organization from attacks that exploit the aforementioned vulnerability, Kaspersky experts recommend updating the Microsoft Windows OS and other third-party software as quickly and regularly as possible. In addition, it is recommended to use a reliable endpoint security solution that includes exploit prevention, behavior detection and a remediation engine that can roll back malicious actions. Also deploy anti-APT and EDR solutions so that threats can be traced and detected, and incidents investigated and remediated in a timely manner. Give your SOC team access to the latest threat intelligence and provide them with regular professional training. Alongside good endpoint protection, specialized services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify attacks early and stop them before attackers reach their target.

###

About Kaspersky
Founded in 1977, Kaspersky is active worldwide in the field of cybersecurity and digital privacy. Kaspersky’s threat intelligence and security expertise is continuously transformed into innovative security solutions and services to protect businesses, critical infrastructures, governments and consumers around the world. The company’s comprehensive security portfolio includes industry-leading endpoint security and a number of specialized security solutions and services to combat advanced digital threats. More than 400 million users and 240,000 business users are protected by Kaspersky technologies. For more information, visit www.kaspersky.nl.

This article is a submitted message and is not the responsibility of the editors.
