Windows Zero-Day Actively Exploited in Widespread Espionage Campaign

The cyberattacks, linked to a Chinese-speaking APT, deliver the new MysterySnail RAT to Windows servers.

Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data.

Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, issued this week.

According to a Tuesday analysis from Kaspersky researchers, the issue lurks in the Win32k kernel driver. It’s a use-after-free vulnerability, and “the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” they explained. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.”

This ultimately results in a dangling memory pointer that points to a previously destroyed Proactive Data Container (PDC) object, according to Kaspersky. That means that a malformed PDC object can be used to perform a
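The bug class described above, a kernel operation that calls back into user mode and then keeps using an object the callback was able to destroy, is easier to reason about in a toy model. The following is an added example written for this page; it is not Windows, Kaspersky or Microsoft code, and the object, handle table, callback signature and status codes are invented. It places the vulnerable pattern (resolve handle, run callback, keep using the raw pointer) next to a hardened one (refuse a re-entrant reset on the same handle and hold a reference across the callback). The "free" is instrumented with an `alive` flag so the dangling use is reported instead of silently corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a handle-based kernel object whose operation calls back into user
 * mode mid-way, in the spirit of the ResetDC re-entrancy described above.
 * Not Windows code: names, the handle table and the status codes are invented. */

#define MAX_OBJECTS 4

typedef struct {
    bool alive;   /* cleared by the instrumented "free" so a dangling use is detectable */
    int  refs;    /* references held by the handle owner and by in-flight operations */
    int  busy;    /* set while an operation is running: the re-entrancy guard */
    int  mode;    /* payload written after the callback; this write is the UAF site */
} DeviceContext;

static DeviceContext g_table[MAX_OBJECTS];  /* handle value == table index */
static int g_last_inner = -1;               /* result of the nested (re-entrant) call */

enum { RESET_OK = 0, RESET_BAD_HANDLE, RESET_DANGLING, RESET_REENTRANT, RESET_OBJECT_GONE };

typedef void (*user_callback_t)(int handle, void *ctx);
typedef int  (*reset_fn_t)(int handle, user_callback_t cb, void *ctx);

static int dc_create(void) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!g_table[i].alive) {
            memset(&g_table[i], 0, sizeof g_table[i]);
            g_table[i].alive = true;
            g_table[i].refs = 1;              /* the handle owner's reference */
            return i;
        }
    }
    return -1;
}

/* Drop one reference; the last one "frees" the object (instrumented, not a real free). */
static void dc_release(DeviceContext *dc) {
    if (dc->refs > 0 && --dc->refs == 0) dc->alive = false;
}

/* VULNERABLE pattern: resolve the handle once, call into user mode, then keep using
 * the raw pointer without considering that the callback may have destroyed the object. */
static int reset_dc_vulnerable(int h, user_callback_t cb, void *ctx) {
    if (h < 0 || h >= MAX_OBJECTS || !g_table[h].alive) return RESET_BAD_HANDLE;
    DeviceContext *dc = &g_table[h];
    cb(h, ctx);                               /* user code runs here */
    if (!dc->alive) return RESET_DANGLING;    /* with a real allocator this is the UAF write */
    dc->mode = 1;
    return RESET_OK;
}

/* HARDENED pattern: refuse re-entrant resets on the same handle and hold an extra
 * reference across the callback so the object cannot vanish underneath us; if the
 * callback dropped the owner's reference, fail cleanly instead of writing to it. */
static int reset_dc_hardened(int h, user_callback_t cb, void *ctx) {
    if (h < 0 || h >= MAX_OBJECTS || !g_table[h].alive) return RESET_BAD_HANDLE;
    DeviceContext *dc = &g_table[h];
    if (dc->busy) return RESET_REENTRANT;
    dc->busy = 1;
    dc->refs++;
    cb(h, ctx);
    dc->busy = 0;
    if (dc->refs == 1) {                      /* ours is the last reference left */
        dc_release(dc);
        return RESET_OBJECT_GONE;
    }
    dc->refs--;
    dc->mode = 1;
    return RESET_OK;
}

/* Callback that releases the handle's own reference while the kernel is mid-operation. */
static void cb_release(int h, void *ctx) { (void)ctx; dc_release(&g_table[h]); }

/* Callback that re-enters the reset on the same handle, with cb_release nested inside. */
static void cb_reenter(int h, void *ctx) {
    reset_fn_t reset = *(reset_fn_t *)ctx;
    g_last_inner = reset(h, cb_release, NULL);
}

/* Run one scenario end to end and return the outer reset's status. */
static int run_scenario(reset_fn_t reset, bool reenter) {
    int h = dc_create();
    g_last_inner = -1;
    int rc = reenter ? reset(h, cb_reenter, &reset) : reset(h, cb_release, NULL);
    if (g_table[h].alive) dc_release(&g_table[h]);   /* tear down whatever survived */
    return rc;
}

static int last_inner_result(void) { return g_last_inner; }

int main(void) {
    int rc;
    rc = run_scenario(reset_dc_vulnerable, false);
    printf("vulnerable, release in callback : %d\n", rc);
    rc = run_scenario(reset_dc_hardened, false);
    printf("hardened,   release in callback : %d\n", rc);
    rc = run_scenario(reset_dc_vulnerable, true);
    printf("vulnerable, re-entrant reset    : %d (inner %d)\n", rc, last_inner_result());
    rc = run_scenario(reset_dc_hardened, true);
    printf("hardened,   re-entrant reset    : %d (inner %d)\n", rc, last_inner_result());
    return 0;
}
```

In the vulnerable version both scenarios end in `RESET_DANGLING`, which stands in for the write through a freed object; in the hardened version the re-entrant reset is rejected outright and a release during the callback turns into a clean `RESET_OBJECT_GONE` error. The two guards are independent: the busy flag defeats re-entrancy, while the extra reference is what keeps the object valid across any callback that drops the owner's handle.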

Read More: https://threatpost.com/windows-zero-day-exploited-espionage/175432/