Kaspersky tracks Windows zero days to ‘Moses’ exploit author


New research by Kaspersky Lab shows a rise in APT groups leveraging exploits to gain an initial foothold in a target network, including recent, high-profile zero-day vulnerabilities in Microsoft Exchange Server as well as Windows.

The security vendor released its APT Trends Report Q2 Thursday, which documented an uptick in certain activity over the last few months. Researchers found that advanced persistent threat (APT) groups committed several supply chain attacks in recent months. For example, Kaspersky found the Chinese-speaking APT group it tracks as “BountyGlad” compromised a digital certificate authority in February. According to the report, the group demonstrated an increase in “strategic sophistication with this supply-chain attack.”

However, one of the most significant trends was a shift in tactics. Kaspersky researchers found that while APT groups mainly use social engineering to gain an initial foothold, Q2 saw an increase in the use of zero-days and exploits. Several of the zero-days, including two Windows vulnerabilities that were patched earlier this year, were traced to an exploit developer Kaspersky has dubbed “Moses.”

“Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as ‘Moses’,” the report said.

Both are Microsoft Windows zero-days that received a CVSS score of 7.8 and were designated as elevation of privilege vulnerabilities.

Kaspersky had previously identified Moses in its APT Trends Report for Q1. According to the Q2 report, “Moses” appears to make exploits available to several APTs, but so far researchers have only confirmed two groups that have utilized exploits developed by Moses: Bitter APT and Dark Hotel.

Kaspersky researchers David Emm and Ariel Jungheit told SearchSecurity that they are two distinct groups, and it is unclear why Moses presumably worked with them. However, one of the groups’ targets appears to be known.

“In the case of Bitter APT, our telemetry indicates that the exploits have been used against targets inside Pakistan, though they could have been used against targets inside China also,” Emm and Jungheit…
