Kaspersky finds zero-day exploit in Desktop Window Manager

April 2021 by Kaspersky

While analysing the already reported CVE-2021-1732 exploit, used by the BITTER APT group, Kaspersky’s researchers discovered another zero-day exploit. The experts are currently unable to link this exploit to any known threat actor.

A zero-day vulnerability is a software bug that is unknown to the vendor. Until it is identified and patched, it allows attackers to conduct malicious activities undetected, with unexpected and destructive consequences.
While analysing the CVE-2021-1732 exploit, Kaspersky experts found another zero-day exploit and reported it to Microsoft in February. After confirmation that it was indeed a zero-day, it received the designation CVE-2021-28310.

According to the researchers, this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit in Desktop Window Manager that allows attackers to execute arbitrary code on a victim’s machine.

It is likely that the exploit is used together with browser exploits to escape sandboxes or obtain system privileges for further access.
Kaspersky’s initial investigation has not revealed the full infection chain, so it is not yet known whether the exploit is used with another zero-day or coupled with known, patched vulnerabilities.

“The exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and time again. We will continue to improve defenses for our users by enhancing our technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone,” comments Boris Larin, security expert at Kaspersky.

Kaspersky products detect this exploit with the following verdicts:
• HEUR:Exploit.Win32.Generic
• HEUR:Trojan.Win32.Generic
• PDM:Exploit.Win32.Generic

To stay safe from this threat, Kaspersky recommends taking the following security measures:
• Install patches for the new vulnerability as soon as possible. Once the patch is installed, threat actors can no longer abuse the vulnerability.
• Vulnerability and patch management capabilities in an endpoint protection solution can significantly simplify the task for IT security managers.
• Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights that have been gathered by Kaspersky for more than 20 years.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
For further details on the new exploit, see the full report on Securelist.
To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky webinar is available to view on demand.
