I’m an old punk rocker, so it’s no surprise that I’m a fan of the New York Dolls. Why am I mentioning this? Because a zero-day exploit affecting a wide range of Microsoft Windows platforms made me chant out loud “who’s the mysterious snail?” Go to Google if this somewhat confusing musical reference leaves you definitely confused.
Attackers are already exploiting this Windows zero-day vulnerability
For the MysterySnail vulnerability to stand out among the many featured in the latest Patch Tuesday security update was quite an achievement. To be fair, there was a lot of competition, with a total of 71 vulnerabilities patched this month, including four zero-days and three rated as critical.
CVE-2021-40449, to be fair, was not rated as critical by Microsoft, but maybe it should have been. Although it is an elevation of privilege flaw rather than a remote code execution vulnerability, it was the only one of the four zero-days known to be actively exploited by attackers.
Discovered by Kaspersky researchers, CVE-2021-40449 has been exploited in “widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities,” the researchers said.
This exploit campaign was dubbed MysterySnail by these same researchers for reasons beyond me, but whatever, as naming conventions don’t really matter.
Windows 11 gets MysterySnail security update a week after launch
However, what matters is that this privilege escalation exploit has been used against Windows servers in the wild for a few months. In addition to fixing the vulnerability in Windows 7, Windows 8, Windows 10, and Windows Server (all affected platforms are listed here), the new Windows 11 operating system has also been updated with protection against the MysterySnail attack.
That said, although listed as fixed, there is no evidence to suggest that Windows 11 is currently actively targeted by attackers.
“It is not uncommon to see elevation of privilege flaws corrected during Patch Tuesday,” said Satnam Narang, research engineer at Tenable. “These flaws are more valuable in post-compromise scenarios, once an attacker has gained access to a target system by other means, in order to execute code with elevated privileges.” Rapid7 product manager Greg Wiseman said CVE-2021-40449 was “likely used with remote code execution (RCE) and/or social engineering attacks to gain more complete control of systems targeted.”
MysterySnail is the latest to “burn a hole” in Microsoft Windows pocket
Saryu Nayyar, CEO of Gurucul, said the MysterySnail exploit is the latest to put a dent in Microsoft Windows’ pocket. “With operating system and application vulnerabilities occurring almost daily,” she said, “it is clear that attackers are working hard to uncover new exploits. Elevated privileges are only good if an attacker is able to access the network in general, but may result in execution of code that may steal data or damage the network in some other way.”
You can find all the technical details of this Windows zero-day exploit, including how it operates and indicators of compromise, on Kaspersky SecureList. Boris Larin, security expert on Kaspersky’s Global Research and Analysis Team and co-author of this in-depth report, said Kaspersky has observed that attackers are constantly interested in finding and exploiting new zero-days, which is hardly a surprise. His advice, unsurprisingly, is to apply the latest security patches as soon as possible.