Chinese APT group IronHusky exploits zero-day Windows Server privilege escalation

One of the vulnerabilities patched by Microsoft on Tuesday has been exploited by a Chinese cyberespionage group since at least August. The attack campaigns targeted IT companies, defense contractors and diplomatic entities.

According to researchers from Kaspersky Lab, the malware deployed with the exploit and its command-and-control infrastructure point to a connection with a known Chinese APT group tracked as IronHusky that has been operating since 2017, but also with other China-based APT activity going back to 2012.

Privilege escalation vulnerability in Windows GDI driver

The group was observed leveraging a previously unknown vulnerability in Win32k.sys, a system driver that’s part of the Windows Graphics Device Interface (GDI), which has been a common source of vulnerabilities in the past. The flaw, tracked as CVE-2021-40449, affects all supported Windows versions and those that are no longer supported and allows code to be executed with system privileges.

Since this is a privilege escalation vulnerability, it is used only to gain complete control of systems the attackers have already compromised; it is not the original method of entry. The exploit used in the attacks borrows code from a public exploit for another Win32k vulnerability patched in 2016 (CVE-2016-3309). Despite the exploit being written to support all versions of Windows since Vista, the Kaspersky researchers only saw it being used on Windows servers.

“In the discovered exploit attackers are able to achieve the desired state of memory with the use of GDI palette objects and use a single call to a kernel function to build a primitive for reading and writing kernel memory,” the researchers said in their report. “This step is easily accomplished, because the exploit process is running with Medium IL and therefore it’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules. In our opinion, it would be preferable if the Medium IL processes had limited access to such functions as NtQuerySystemInformation or EnumDeviceDrivers.”
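The quoted concern is that an ordinary Medium-integrity process can already query kernel module addresses, so the only real defense is to have the patch in place. The following PowerShell triage script is an added example, not code from the article or from Kaspersky: it reports the integrity level of the current shell (so an administrator can see what "Medium IL" means on their own box), records the version of win32k.sys on disk for comparison against Microsoft's advisory, and checks whether a given update is installed. The KB number for the October 2021 fix depends on the Windows build and is not given in this article, so `KB<placeholder>` must be replaced with the value from the Microsoft advisory; the SID-to-label table is the standard mandatory-label mapping.

```powershell
# Added example (not from the article or Kaspersky): defender-side triage for
# CVE-2021-40449. $PatchKB is a placeholder to be filled from Microsoft's advisory.

# 1. Integrity level of the current shell. The article's quote notes that a
#    Medium IL process can leak kernel module addresses, which is why the patch,
#    not process restrictions, is the practical mitigation.
function Get-CurrentIntegrityLevel {
    # Well-known mandatory label SIDs (S-1-16-*)
    $labels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    # whoami lists the token's mandatory label as an entry of type "Label"
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    if ($null -eq $label) { return 'Unknown' }
    if ($labels.ContainsKey($label.SID)) { return $labels[$label.SID] }
    return $label.SID
}

# 2. Version of the vulnerable driver on disk. Compare FileVersion against the
#    fixed build listed in the vendor advisory (not reproduced in this article).
function Get-Win32kVersion {
    $path = Join-Path $env:SystemRoot 'System32\win32k.sys'
    $info = (Get-Item $path).VersionInfo
    [pscustomobject]@{
        Path           = $path
        FileVersion    = $info.FileVersion
        ProductVersion = $info.ProductVersion
        OSBuild        = [System.Environment]::OSVersion.Version.ToString()
    }
}

# 3. Is the cumulative update that carries the fix installed?
#    Get-HotFix only knows updates registered with the servicing stack, so a
#    $false here means "not registered", which on a patched box should not happen.
function Test-PatchInstalled {
    param([string]$PatchKB = 'KB<placeholder>')   # placeholder, fill from the advisory
    $hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# Usage: run from the shell you want to assess (an unelevated shell will show Medium).
"Integrity level of this shell : $(Get-CurrentIntegrityLevel)"
Get-Win32kVersion | Format-List
"Patch installed               : $(Test-PatchInstalled -PatchKB 'KB<placeholder>')"
```

On Windows 10 and newer servers most of the GDI kernel code lives in win32kbase.sys and win32kfull.sys alongside win32k.sys, so when comparing file versions against the advisory check all three; the script reports win32k.sys because that is the driver the article names.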

MysterySnail RAT

The hackers used the privilege escalation exploit to deploy a remote access Trojan (RAT) that Kaspersky dubbed MysterySnail….