A zero-day vulnerability is a software bug that is unknown to the vendor. Once attackers discover one, it lets them conduct malicious activity unnoticed, with unexpected and destructive consequences.
Anand Paturi, a principal researcher with Qualys, says that CVE-2021-28310 is an “out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe).” Microsoft has given this CVE a temporal score of 7.2, and it should be prioritized for patching.
Hold it! Tracing steps!
While analysing the CVE-2021-1732 exploit, Kaspersky experts found another such zero-day exploit and reported it to Microsoft in February 2021. After confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310.
Used in the wild, this is an elevation of privilege (EoP) exploit for a flaw in Desktop Window Manager that allows attackers to execute arbitrary code on a victim’s machine.
Kaspersky theorises that the exploit is used together with browser exploits to escape sandboxes or obtain system privileges for further access. The company said its initial investigation has not revealed the full infection chain, meaning not enough is yet known about the exploit, including whether it is used with another zero-day or coupled with known, patched vulnerabilities.
In his blog, Paturi said “BITTER APT group is suspected of exploiting this CVE in the wild.” This is the same conclusion reached by Kaspersky researchers.
“The exploit was initially identified by our advanced exploit prevention technology and related detection records,” commented Boris Larin, security expert at Kaspersky.
Sammy Migues, principal scientist, Synopsys Software Integrity Group, has his own theories about the exploit. He opines that for this zero-day, the attacker needs to get on the machine and run malware or get a local user to run malware on the attacker's behalf.
“That means all your basic IT security needs to be solid, so ensure all user apps are up to date, your anti-phishing training is done, your endpoint security and exfiltration protection elements are up to date, your endpoint least privilege mechanisms are also up to date, and so on,” he cautioned.
Patching
A patch for the elevation of privilege vulnerability CVE-2021-28310 was released on April 13th, 2021. Kaspersky products detect this exploit with the following verdicts:
- HEUR:Exploit.Win32.Generic
- HEUR:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
Pre-emptive strategy
Synopsys’ Migues suggested immediately examining systems for indicators of compromise and taking appropriate action if anything is found.
“You can wait for the patch and then patch. While you're waiting for the patch, you can ensure you have an accurate list of all the things that need to be patched when the patch arrives (and if you can't make that list then you need to work on your asset inventory capabilities),” he continued.
Kaspersky recommends
- Install patches for the new vulnerability as soon as possible. Once the patch is installed, threat actors can no longer abuse the vulnerability.
- Vulnerability and patch management capabilities in an endpoint protection solution can significantly simplify the task for IT security managers.
- Provide your SOC team with access to the latest threat intelligence (TI).
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.
More details about the CVE are listed by NIST (National Institute of Standards and Technology) in the US.