New 'MysterySnail' exploit used to hijack Windows Server deployments

Cybersecurity experts have helped quash a mysterious new remote access trojan (RAT) that exploited a zero-day in an essential Windows driver to launch a privilege escalation exploit. 

The zero-day, discovered and reported by Kaspersky, was patched by Microsoft in the October 2021 edition of Patch Tuesday.

“The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver…,” observed the researchers.

Named MysterySnail by Kaspersky, the trojan’s code and its use of command and control (C2) infrastructure lead the researchers to associate the attack with the Chinese threat actor known as IronHusky.

Zero-day exploit

Analysis of the exploit revealed that it was written to attack not just the latest Windows 10 and Windows Server 2019 releases, but also older, even supported ones going as far back as Windows Vista.

Further analyses of its malicious payload revealed similarities with several variants that were previously used in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.

Security experts TechRadar Pro spoke to agreed that while zero-day attacks have unfortunately become a fact of life for enterprise security, businesses can minimize their damage with active monitoring.

“With OS and application vulnerabilities arising almost daily, it’s clear that attackers are hard at work in discovering new exploits. Monitoring for unusual activity is one of the only ways of making sure that such breaches are caught and addressed quickly,” says Saryu Nayyar, CEO of security vendor Gurucul.

Furthermore, access review experts YouAttest believe thorough and regular reviews of identities will also help de-fang privilege escalation exploits.

“Enterprises must practice identity security and have alerts on privilege escalation and conduct regular reviews of identities to ensure the principle of least privilege is practiced across the enterprise - to ensure that once a credential is compromised, the proper alerts occur and the damage is minimized," believes Garret Grajek, CEO, YouAttest.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.