PuzzleMaker using Chrome zero-day exploit to get into your Windows PC
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
A chain of zero-day vulnerabilities is being used by a new threat actor, PuzzleMaker. PuzzleMaker uses a Chrome V8 type confusion vulnerability (CVE-2021-21224), which allows the attacker to execute arbitrary code via a crafted HTML page. PuzzleMaker then uses an elevation of privilege (EoP) exploit, combining an information disclosure vulnerability (CVE-2021-31955) with a heap buffer overflow vulnerability (CVE-2021-31956), to get into Windows 10.
The techniques used by PuzzleMaker include:
T1543 – Create or Modify System Process
T1189 – Drive-by Compromise
T1059 – Command and Scripting Interpreter
T1055 – Process Injection
T1134 – Access Token Manipulation
T1057 – Process Discovery
T1203 – Exploitation for Client Execution
T1215 – Kernel Modules and Extensions
Vulnerability Details

Indicators of Compromise
Type | Value
--- | ---
Files | %SYSTEM%\WmiPrvMon.exe
Files | %SYSTEM%\wmimon.dll
MD5 Hash | 09a5055db44fc1c9e3add608efff038c
MD5 Hash | d6b850c950379d5ee0f254f7164833e8
SHA-1 Hash | bffa4462901b74dbfbffaa3a3db27daa61211412
SHA-1 Hash | e63ed3b56a5f9a1ea5c92d3d2444196ea13be94b
SHA-256 Hash | 982f7c4700c75b81833d5d59ad29147c392b20c760fe36b200b541a0f841c8a9
SHA-256 Hash | 8a17279ba26c8fbe6966ea3300fdefb1adae1b3ed68f76a7fc81413bd8c1a5f6
Domain | media-seoengine.com
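As an added example (not from the advisory or from the Securelist report), the following Python script checks the files in a directory against the file names and hashes listed in the table above; the default directory (%SYSTEM% taken as SystemRoot\System32) and the chunked single-pass hashing are assumptions of this example.

```python
import hashlib
import os
from pathlib import Path

# Indicator values copied from the advisory's IoC table; compared case-insensitively.
IOC_FILENAMES = {"wmiprvmon.exe", "wmimon.dll"}
IOC_HASHES = {
    "md5": {"09a5055db44fc1c9e3add608efff038c", "d6b850c950379d5ee0f254f7164833e8"},
    "sha1": {"bffa4462901b74dbfbffaa3a3db27daa61211412", "e63ed3b56a5f9a1ea5c92d3d2444196ea13be94b"},
    "sha256": {"982f7c4700c75b81833d5d59ad29147c392b20c760fe36b200b541a0f841c8a9",
               "8a17279ba26c8fbe6966ea3300fdefb1adae1b3ed68f76a7fc81413bd8c1a5f6"},
}
# Assumption: %SYSTEM% in the table means <SystemRoot>\System32 on Windows.
DEFAULT_SYSTEM_DIR = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 of one file in a single chunked pass."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def check_file(path):
    """Return the indicator matches for one file; an empty list means no match."""
    path = Path(path)
    findings = []
    if path.name.lower() in IOC_FILENAMES:
        findings.append("filename:" + path.name)
    for alg, digest in hash_file(path).items():
        if digest.lower() in IOC_HASHES[alg]:
            findings.append(alg + ":" + digest)
    return findings


def scan_directory(directory=DEFAULT_SYSTEM_DIR):
    """Check every regular file directly inside `directory`; return {path: findings}."""
    results = {}
    for entry in Path(directory).iterdir():
        try:
            hits = check_file(entry) if entry.is_file() else []
        except OSError:  # unreadable files (locked or access denied) are skipped
            continue
        if hits:
            results[str(entry)] = hits
    return results
```

Call scan_directory() with no argument to check System32, or pass any directory; a file-name hit without a hash hit is worth a closer look since the binaries may differ from the hashed samples.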
Patch Links
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955
https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html
References
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/