forked from nccgroup/Threat-Intelligence-Alerts
Threat Intelligence Alert 13.10.21 - Microsoft Patch Tuesday Fixed 4 Zero-Days 1 of Which is Being Actively Exploited
Published: 13/10/2021
Threat Intelligence Alert: Microsoft Patch Tuesday: Fixed 4 Zero-Days (1 of Which is Being Actively Exploited)
Key Details
CVEs – CVE-2021-40449, CVE-2021-41338, CVE-2021-40469, and CVE-2021-41335.
Disclosure Date – October 12th, 2021
CVSS Score – N/A
Affected Products – Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.
Exploit Released – Yes
Patch Available – Yes
Summary
CVE-2021-40449
This Win32k Elevation of Privilege Vulnerability is being exploited in the wild in a cluster of attacks dubbed “MysterySnail” by Kaspersky in a report released on the 12th of October. The attacks were first noticed in late August and early September and led to the discovery of this zero-day in the Win32k driver, in which a threat actor attempts to leak the base addresses of kernel modules. After installing a RAT, the threat actors use this technique to elevate it to higher privileges. According to Kaspersky, CVE-2021-40449 has been used in "widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities"; its researchers have attributed this campaign to a Chinese APT they refer to as IronHusky.
CVE-2021-41338, CVE-2021-40469, and CVE-2021-41335
The reporting on these zero-days is significantly less substantial, as there are no known incidents of their exploitation in the wild. CVE-2021-40469 is a Windows DNS Server Remote Code Execution Vulnerability, CVE-2021-41335 is another Windows Kernel Elevation of Privilege Vulnerability, and CVE-2021-41338 is a Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability.
Mitigation
We recommend that all of our customers install the latest security patches released by Microsoft yesterday to fully mitigate this set of security flaws. Further information can be found at: https://msrc.microsoft.com/update-guide/
NCC Group Actions
The NCC Group Threat Intelligence Team has created a watchlist for all of these CVEs in our external source monitoring tool to identify additional updates and further IOCs associated with these vulnerabilities.
We have also created an event in our internal threat intelligence platform to correlate any observed instances of exploitation of this vulnerability reported by our incident response teams with external reports shared through our intelligence sources. Our detection engineers are currently assessing Kaspersky's “MysterySnail” report for detection opportunities; the IOCs included in that report have also been added to our threat intelligence database for detection and threat hunting purposes.
Sources
https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2021-patch-tuesday-fixes-4-zero-days-71-flaws/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40449
https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/