Background
Security researchers have observed a significant shift in tactics from the Magnitude Exploit Kit (EK) this week with the addition of exploits for Chromium-based browsers and Microsoft Windows. Exploit Kits are web applications that threat actors install on compromised websites; they work by fingerprinting the visitor's browser and, if it is found to be vulnerable, launching a web-based exploit to infect the victim's computer with malware.
Exploit Kits have had a long history of being used by threat actors in drive-by attacks to infect victims that visit a compromised website and were most prevalent from 2010-2017. In recent years, Exploit Kit development has dropped off and the active ones have mainly focused on targeting Internet Explorer users since exploits for that browser are easier to develop. The addition of exploits for Chromium-based browsers opens up the Magnitude EK victim pool to now include users of Google Chrome and Microsoft Edge.
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
|---|---|---|---|---|
| CVE-2021-21224 | 8.8 | High | Remote Code Execution | A vulnerability in Chromium-based browsers that can lead to remote code execution. |
| CVE-2021-31956 | 7.8 | High | Privilege Escalation | A vulnerability in Windows that can lead to elevation of privilege. |
Analysis
CVE-2021-31956
CVE-2021-31956 is a privilege escalation vulnerability within the Windows New Technology File System (NTFS) that could allow a local user to elevate their privileges on an affected system. A local user could exploit this vulnerability with a crafted application in order to take control of a system. This vulnerability affects all currently supported Windows variants, including Windows Server and Windows Server Core installations. Microsoft notes that this flaw has been actively exploited in the wild as a zero-day. Kaspersky researchers, who are credited with its discovery, linked this vulnerability to an attack chain used by the PuzzleMaker group, which also includes an unidentified Google Chrome zero-day vulnerability.
CVE-2021-21224
On April 20, 2021, CVE-2021-21224 was issued for a type confusion in V8 in Google Chrome that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. As with CVE-2021-31956, Kaspersky researchers linked CVE-2021-21224 to the PuzzleMaker group's attack chain in the same research article.
Solutions and Recommendations
Arctic Wolf’s recommendation is to apply the patches for CVE-2021-21224 and CVE-2021-31956 to prevent remote code execution or privilege escalation scenarios in your environment. Details on how to apply these patches for your specific software can be found here:
| Affected Software | CVE | Patched Versions |
|---|---|---|
| Google Chrome | CVE-2021-21224 | |
| Microsoft Edge | CVE-2021-21224 | |
| Microsoft Windows | CVE-2021-31956 | |
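As an added example (not code from the Arctic Wolf bulletin), the Python below checks a browser inventory against the Chrome build that carries the fix for CVE-2021-21224. The fixed version 90.0.4430.85 is taken from the bulletin's references; the host inventory, hostnames and versions are constructed. It compares versions numerically, since a plain string comparison would wrongly accept a build such as 90.0.4430.9 as patched, and it reports hosts whose version cannot be read as exposed rather than silently skipping them.

```python
"""Check a Chrome version inventory against the fixed build for CVE-2021-21224.

Added example, not Arctic Wolf's code. The fixed version (90.0.4430.85) comes
from the bulletin's references; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Chrome build that carries the fix for CVE-2021-21224, per the bulletin's references.
CHROME_FIXED_CVE_2021_21224 = "90.0.4430.85"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is at or above the fixed build.

    Numeric comparison matters: as plain strings "90.0.4430.9" sorts after
    "90.0.4430.85", which would wrongly report an unpatched browser as safe.
    """
    return parse_version(installed) >= parse_version(fixed)


def find_exposed_hosts(inventory: Dict[str, str],
                       fixed: str = CHROME_FIXED_CVE_2021_21224) -> List[str]:
    """Return hostnames whose Chrome build is below the fixed version, sorted.

    Hosts with an unparseable version are reported too: an unknown build must be
    treated as exposed until verified, not dropped from the list.
    """
    exposed = []
    for host, version in inventory.items():
        try:
            patched = is_patched(version, fixed)
        except ValueError:
            patched = False
        if not patched:
            exposed.append(host)
    return sorted(exposed)


# Constructed sample inventory (hostname -> reported Chrome version); not real data.
SAMPLE_INVENTORY = {
    "ws-001": "90.0.4430.85",   # exactly the fixed build
    "ws-002": "90.0.4430.93",   # a later build
    "ws-003": "90.0.4430.9",    # earlier build that a string comparison would pass
    "ws-004": "89.0.4389.128",  # previous major version
    "ws-005": "unknown",        # agent could not read the version
}

if __name__ == "__main__":
    for host in find_exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below "
              f"{CHROME_FIXED_CVE_2021_21224} (CVE-2021-21224)")
```

The same `find_exposed_hosts` call works for Microsoft Edge or Windows once the corresponding fixed version is passed as `fixed`; those values are not given in the bulletin's table, so they are not hard-coded here.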
References
- Google Chrome 90.0.4430.85 Release
- Microsoft Edge CVE-2021-21224 Advisory
- Microsoft October 2021 Patch Tuesday Release
- Latest Stable Release of Google Chrome
- Latest Stable Release of Microsoft Edge