New 'MysterySnail' exploit used to hijack Windows Server deployments
Microsoft has now patched the vulnerability in the October Patch Tuesday
Cybersecurity experts have helped quash a mysterious new remote access trojan (RAT) that exploited a zero-day in an essential Windows driver to launch a privilege escalation exploit.
Discovered and reported by Kaspersky, Microsoft has patched the zero-day that was exploited by the trojan in the October 2021 edition of Patch Tuesday.
“The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver…,” observed the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Here's our list of the best small business servers available
- These are the best dedicated server hosting providers
- We’ve also rounded up the best bare metal hosting services
Named MysterySnail by Kaspersky, the trojan’s code and use of the command and control (C2) infrastructure leads the researchers to associate the attack with the Chinese threat actor known as IronHusky.
Zero-day exploit
Analysis of the exploit revealed that it was written to attack not just the latest Windows 10 and Windows Server 2019 releases, but also older, even supported ones going as far back as Windows Vista.
Further analyses of its malicious payload revealed similarities with several variants that were previously used in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.
Security experts TechRadar Pro spoke to agreed that while zero-day attacks have unfortunately become a fact of life for enterprise security, businesses can minimize their damage with active monitoring.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“With OS and application vulnerabilities arising almost daily, it’s clear that attackers are hard at work in discovering new exploits. Monitoring for unusual activity is one of the only ways of making sure that such breaches are caught and addressed quickly,” says Saryu Nayyar, CEO of security vendor Gurucul.
Furthermore, access review experts YouAttest believe thorough and regular reviews of identities will also help de-fang privilege escalation exploits.
“Enterprises must practice identity security and have alerts on privilege escalation and conduct regular reviews of identities to ensure the principle of least privilege is practiced across the enterprise - to insure once a credential is compromised, the proper alerts occur and the damage in minimized," believes Garret Grajek, CEO, YouAttest.
- Here are the best cloud hosting services on the market
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.