Kaspersky security researchers have discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. The most harmful (assigned the catalogue number CVE-2021-33742) can allow malicious web pages to compromise the Windows operating system via Internet Explorer and other Microsoft programs. Once the attackers have used the exploits to compromise the targeted system, the stager module downloads to the target machine and executes a more complex malware dropper from a remote command and control server. Microsoft Edge is also affected when it is in “Internet Explorer mode”, according to the Microsoft description of the flaw, which labels it “Critical”.
The 6 exploited vulnerabilities are: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199, & CVE-2021-31201
CVE-2021-31955 and CVE-2021-31956 are a Windows Kernel Information Disclosure vulnerability and a Windows NTFS Elevation of Privilege vulnerability, respectively. These two vulnerabilities have been used in conjunction with Google Chrome and were at the root of a chain of real-world exploits.
CVE-2021-33739 – is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library.
CVE-2021-33742 is a Windows MSHTML Platform Remote Code Execution Vulnerability – a component used by the Internet Explorer engine to read and display content from websites. As the library is used by other services and applications, emailing HTML files as part of a phishing campaign is also a viable method of delivery.
CVE-2021-31199 and CVE-2021-31201 are Microsoft Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities. Both these CVEs can be collectively used as an initial infection point via targeted phishing attacks, targeting Adobe Reader users on Windows via weaponized PDF files.
Securelist has published a detailed technical description and listed the indicators of compromise
ITC Qualys customers can scan their network with QID 91722 to detect vulnerable assets. The ITC SOC will be reaching out to customers who have a Managed Vulnerability Intelligence service to offer ad hoc scans to identify affected operating systems.
Multiple Microsoft Windows products including Microsoft Office, .NET Core & Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook, and Excel.
To safeguard your corporate security against the exploits used in the PuzzleMaker attack, install the operating system patches that address these vulnerabilities which Microsoft have released on 8th June 2021 Patch Tuesday Windows Security Updates:
Customers should act quickly to apply these fixes, which are outlined in the following section and available at the URLs cited in the Sources section.
If your organisation is unable to immediately apply these official security patches from Microsoft, then a vulnerability scan would identify vulnerable devices and the current risk exposure.
ITC’s managed Vulnerability Intelligence customers will have already had these identified using Qualys.
ITC’s Sentinel SIEM service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks and our analysts carry out proactive threat hunting to search for related indicators of compromise. Our Managed Detection and Response customers will have received proactive tailored remediation advice already.