Microsoft fixes zero-day vulnerability reportedly exploited by Chinese spies. The company's October Patch Tuesday release includes this zero-day among the 71 flaws it fixes. This year already counts as the richest on record for 0-day exploitation, but the party seems far from over.
Chinese spies behind the CVE-2021-40449 zero-day vulnerability
The company usually releases patches on the second Tuesday of each month, known as Patch Tuesday. This release fixes 71 flaws, one of them actively exploited. The security flaws were found in the Edge browser, Microsoft Office, Visual Studio, Exchange Server, and MSHTML, and all of them received security updates. Two of them are rated critical, 68 important, and one low severity. Three were publicly known before the patches were released, and one, CVE-2021-40449, was found being exploited in the wild.
The exploit was detected and reported by malware analyst Boris Larin, who works on the detection and prevention of advanced threats such as exploits. According to the report, the exploit was used to target Microsoft Windows servers.
“Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities,” colleagues Costin Raiu and Larin wrote on the cyber security blog.[1]
The first elevation-of-privilege attack activity on Windows servers was detected in late August and early September of the same year. CVE-2021-40449, a use-after-free information disclosure issue, let attackers bypass Windows security controls. The attackers were identified as the Chinese-speaking “IronHusky” APT group, which has been on the scene since 2012. They used the Win32k vulnerability for espionage, the researchers say. The attackers deployed a remote access Trojan (RAT) to establish command-and-control over the Windows server. The code used in these attacks was named “MysterySnail”.
Another flaw in Exchange servers reported by the U.S. National Security Agency
Another flaw that received considerable media attention is CVE-2021-26427. It has a CVSS score of 9.0 and was reported by the U.S. National Security Agency. In March, attackers used it to steal email from hundreds of companies and to plant backdoors on their servers. Exchange servers are high-value targets for attackers looking to probe business networks. Note, however, that exploitation is limited to a logically adjacent network topology, which means the flaw cannot be exploited directly over the internet.
Microsoft rated this flaw as less likely to be exploited, because an attacker would first need access to your network in order to use it. Security specialists still warn that while this may not be the first patch to apply, it certainly needs to be kept in view. Email has always been a primary target for attackers, simply because the data it contains can be used for many different malicious purposes.