Cyber criminals have conducted a series of highly targeted attacks against multiple companies utilising a previously undiscovered chain of Google Chrome and Microsoft Windows zero-day exploits, according to cybersecurity firm Kaspersky.

The firm’s experts discovered these attacks in April.

“One of the exploits was used for remote code execution in the Chrome web-browser, while the other was an elevation of privilege exploit fine-tuned to target the latest and most prominent builds of Windows 10,” it said.

The latter exploited two vulnerabilities in the Microsoft Windows OS kernel: Information Disclosure vulnerability CVE-2021-31955 and Elevation of Privilege vulnerability CVE-2021-31956. Microsoft has patched both as part of Patch Tuesday.

Dubbed PuzzleMaker

With the recent surge in advanced threat activity exploiting zero-days in the wild, Kaspersky experts in mid-April discovered a new wave of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.

Since they are yet to find any connection between these attacks and any known threat actors, experts have dubbed this actor PuzzleMaker.

All of the attacks were conducted through Chrome and utilised an exploit that allowed for remote code execution.

“While Kaspersky researchers were unable to retrieve the code for the remote execution exploit, the timeline and availability suggest the attackers were using the now-patched CVE-2021-21224 vulnerability,” it said.

This vulnerability, a Type Mismatch bug in V8, the JavaScript engine used by the Chrome and Chromium web browsers, allows attackers to exploit the Chrome renderer process. Renderer processes are responsible for what happens inside a user’s tab.

Kaspersky experts were, however, able to find and analyse the second exploit, which was an elevation of privilege exploit that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.

The first is an Information Disclosure vulnerability (a vulnerability that leaks sensitive kernel information), assigned CVE-2021-31955. Specifically, the vulnerability is linked to SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory.

The second vulnerability, an Elevation of Privilege vulnerability (a vulnerability that allows attackers to exploit the kernel and gain elevated access to the computer), was assigned CVE-2021-31956.

“Attackers used the CVE-2021-31956 vulnerability alongside Windows Notification Facility (WNF) to create arbitrary memory read/write primitives and execute malware modules with system privileges,” it explained.

Attackers used both the Chrome and Windows exploits to get into the targeted system. Once there, a more complex malware dropper was downloaded from a remote server and executed.

This dropper then installed two executable files, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables was a remote shell module, which is able to download and upload files, create processes, sleep for certain amounts of time, and delete itself from the infected system.

Microsoft released a patch for both Windows vulnerabilities as part of Patch Tuesday.

Downloading latest patch is key

“While these attacks were highly targeted, we have yet to link them to any known threat actor. That’s why we’ve dubbed the actor behind them ‘PuzzleMaker’ and will be closely monitoring the security landscape for future activity or new insights about this group,” said Boris Larin, Senior Security Researcher with the Global Research and Analysis Team (GReAT).

“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits. It’s a reminder that zero-days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase in their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible,” added Larin.