Kaspersky security researchers discovered a new threat actor, which they named PuzzleMaker, that chained zero-day exploits for Google Chrome and Windows 10 in highly targeted attacks against companies around the world. According to Kaspersky, the PuzzleMaker attacks were first detected in mid-April 2021, when the networks of the first victims were compromised.

The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in Google Chrome's V8 JavaScript engine to gain initial code execution on target systems. Kaspersky could not confirm the exact bug, but the first exploit in the chain appears to be CVE-2021-21224, a type confusion vulnerability in V8 affecting Google Chrome versions prior to 90.0.4430.85.

Google patched the flaw on April 20, 2021. When exploited, it allowed a remote attacker to execute arbitrary code inside the browser's renderer sandbox via a crafted HTML page, which is why the chain also needed a separate Windows sandbox escape to reach the host. This is not the first set of Chrome zero-day exploits used in the wild in recent months: Project Zero, Google's zero-day research team, disclosed a large-scale operation in which a single group used 11 zero-days in one year to attack Windows, iOS and Android users.
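The only fact a defender can act on from the CVE description is the version boundary, so the following added example (not code from Kaspersky, Google or the original page) is a small patch-audit helper: it parses Chrome version strings and reports which hosts in an inventory are still running a build older than 90.0.4430.85. The fixed version comes from the CVE description; the host inventory is constructed sample data. The point it demonstrates is that Chrome versions must be compared component by component as integers, because a plain string comparison ranks "90.0.4430.9" after "90.0.4430.85" and would silently mark an unpatched build as safe.

```python
"""Added example (not from Kaspersky or Project Zero): checks Chrome version
strings against the fix for CVE-2021-21224.

The fixed build (90.0.4430.85) and the "prior to" semantics come from the
CVE description. The inventory below is constructed sample data, not real hosts.
"""

from typing import List, Tuple

# First Chrome release that carries the CVE-2021-21224 fix (from the CVE text).
FIXED_VERSION = "90.0.4430.85"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a tuple of ints.

    Chrome version strings must be compared numerically, component by
    component: as plain strings, '90.0.4430.9' sorts *after* '90.0.4430.85'
    even though it is the older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is strictly older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported Chrome build predates the fix."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed inventory of (hostname, reported Chrome version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "89.0.4389.128"),  # Chrome 89 stable, before the fix
    ("ws-02", "90.0.4430.72"),   # Chrome 90 stable, before the fix
    ("ws-03", "90.0.4430.85"),   # first fixed build
    ("ws-04", "90.0.4430.93"),   # later Chrome 90 stable
    ("ws-05", "91.0.4472.77"),   # Chrome 91 stable
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build predates the CVE-2021-21224 fix, update required")
```

In a real fleet the version column would come from the endpoint inventory (on Windows, the `DisplayVersion` of the Google Chrome uninstall entry or the file version of chrome.exe); the comparison logic does not change.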

Project Zero researchers collected a large amount of material from the exploit servers used in the two campaigns, including:

▸ Two sandbox escape exploits abusing three zero-day vulnerabilities in Windows

The renderer sandbox confines the browser process that parses untrusted web content, so code execution inside it does not, by itself, give control of the underlying system. For a browser exploit chain to reach the host, escaping the sandbox is the necessary next step.

▸ Renderer exploits for four bugs in Chrome, one of which was still a zero-day at the time of discovery

▸ A privilege escalation kit made up of publicly known n-day exploits for older versions of Android

▸ A complete exploit chain targeting a fully patched Windows 10 system via Google Chrome

▸ Two partial chains targeting two different fully patched devices running Android 10, via Google Chrome and the Samsung Browser

Organizations are encouraged to keep to frequent patch schedules and apply relevant fixes promptly, all the more so when bugs are known to be actively exploited. As the Microsoft Exchange Server incident in March showed, attackers move to exploit security issues quickly once they become publicly known.
