We'll recap the story and see what we can take away from this event so we can integrate it into our own security strategy. So sit back and enjoy, and don't forget to subscribe if you haven't already, smash the bell if you haven't already, like this video of course, and share it with anyone you know who can actually benefit from this information. "Oh, drat these computers, they're so naughty and so complex. I could pinch them."

A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown remote access trojan, or RAT. The malware, known as MysterySnail, was found by Kaspersky security researchers on multiple Microsoft servers between late August and early September 2021. They also found an elevation-of-privilege exploit targeting the Win32k driver security flaw, tracked as CVE-2021-40449 and patched by Microsoft as part of this month's Patch Tuesday. "Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors and diplomatic entities," Kaspersky researchers Boris Larin and Costin Raiu said. "Code similarity and reuse of command-and-control infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky, a Chinese-speaking APT group with activity dating back to 2012." The Chinese-speaking IronHusky actor was first spotted by Kaspersky in 2017 while investigating a campaign targeting Russian and Mongolian government entities,
aviation companies and research institutes, with the end goal of collecting intelligence on the Russian-Mongolian military negotiations. "I'll see what the little stinker is up to on my super video detective." One year later, Kaspersky researchers observed them exploiting CVE-2017-11882, a Microsoft Office memory-corruption vulnerability, to spread RATs typically used by Chinese-speaking groups, including PlugX and Poison Ivy. The privilege escalation exploit used to deploy the MysterySnail RAT in these attacks targets Windows client and server versions from Windows 7 and Windows Server 2008 all the way up to the latest versions, including Windows 11 and Windows Server 2022, if they are unpatched against CVE-2021-40449. While the zero-day exploit spotted by Kaspersky in the wild also supports targeting Windows client versions, it was only discovered on Windows Server systems. The MysterySnail RAT is designed to collect and exfiltrate system information from compromised hosts before reaching out to its command-and-control server for further commands. MysterySnail can perform various tasks on infected machines, ranging from spawning new processes and killing already running ones to launching interactive shells and launching a proxy server with support for up to 50 simultaneous connections. "The malware itself is not very sophisticated and has functionality similar to many other remote shells," the two researchers added, "but it still somehow stands out with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy."
The exploitation process for this vulnerability is as follows: first, a user-mode call to ResetDC executes the syscall NtGdiResetDC and its inner function GreResetDCInternal. This function gets a pointer to a PDC object and then performs a call to the function hdcOpenDCW. The function hdcOpenDCW performs a user-mode callback, and it can be used to execute ResetDC for the same handle a second time, so it basically just goes through that process until it can be executed successfully. Now, if an exploit executes ResetDC during a callback, NtGdiResetDC and GreResetDCInternal are executed again for the same DC, so again they're just trying it until they can get it to work. Now, if an exploit ignores all the callbacks during the second call to GreResetDCInternal, this function will be executed as intended, meaning it works, so it doesn't need to be run again. It will create a new DC and then get rid of the old one, so the PDC object gets destroyed. Now, in the callback, after the second ResetDC call has completed, the exploit can reclaim the freed memory of the PDC object and finish the execution of the callback. After execution of the callback, the function hdcOpenDCW returns to GreResetDCInternal, but the pointer retrieved in step 1 is now a dangling pointer.
It points to the memory of the previously destroyed PDC object. Finally, in the late stage of the GreResetDCInternal execution, a malformed PDC object can be used to perform a call to an arbitrary kernel function with controlled parameters. "Now, like all great plans, my strategy is so simple an idiot could have devised it. Checkmate." Now, as mentioned earlier, before receiving any commands the malware gathers and sends general information about the victim machine. This information includes the computer name, the current OEM code page / default identifier, the Windows product name, the local IP address, the logged-in username, the campaign name, etc. In total the RAT implements 20 commands. Their descriptions are as follows: launch an interactive cmd.exe shell (before launching cmd.exe, it is copied to the temp folder with a different name); spawn new processes; spawn new processes via console; get existing disk drives and their type (this function also works in the background, checking for new drives); create or upload a new file (if the file exists, append data to it); get a directory list; kill an arbitrary process; delete a file; read a file (if the file is too big, the async read operation can be stopped); reconnect; set sleep time in milliseconds; shut down the network and exit; exit; kill the interactive shell; terminate a file reading operation; no operation; open a proxied connection to the provided host (again, up to 50 simultaneous connections can be established); send data to the proxy connection; close all proxy connections; and close the requested proxy connection.
So we have a new RAT, we have a vulnerability in Win32k, and we have Chinese espionage happening against countries and governments around the world. So what did we learn? The amount of attacks we hear about in the news and newfound threats like these underlines, for me, the old tip-of-the-iceberg adage: for every one we know of or learn about, there are probably five or more that have yet to be discovered. What we can specifically take away as learnings from this event is that we should be doing things like scanning the temp folder for new executables being added to it. We can theoretically check various fingerprints of the files dumped into the temp folder, maybe using file size or creation date, and we can also monitor the launching of applications from the temp folders, with alerts to sysadmins when this occurs. Now, if possible, we can look at ways to lock down the ability to even launch apps located in the temp folder, or located outside of known and approved locations like the Program Files or Program Files (x86) folders, etc. Additionally, we can monitor PowerShell and command logs to look for suspicious activities like kill commands, opening up shells, or copy commands. These could all be scanned within the PowerShell or command-line log files, monitored in real time so that we can catch them as early as possible. Now, that's if they're already on your system. Ways to protect yourself or your systems from even allowing them to gain access include many of the tips from all of my previous episodes, like better security of your SSH, RDP, TeamViewer or whatever remote control application, using multi-factor authentication, patch, patch, patch, staying up to date with your patching, all these types of things.
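Here is an added example of the temp-folder and shell-launch monitoring described above, written as a Python detection pass over Sysmon-style process-creation events. It is my own illustration, not code from the Kaspersky write-up or from the MysterySnail sample. The field names, the approved-directory list, the kill-tool list and the five sample events are all assumptions constructed for the example; the one behaviour taken from the text is that the RAT copies cmd.exe to the temp folder under a different name, which the "renamed-cmd" rule catches via the PE OriginalFileName field.

```python
"""Detection pass over constructed Sysmon-style process-creation events.

Rules, in the spirit of the episode's takeaways:
  exec-from-temp             image lives in a system or per-user temp folder
  exec-outside-approved-dirs image lives outside an assumed allowlist of dirs
  renamed-cmd                OriginalFileName says cmd.exe but the name differs
  process-kill               a known kill tool was run with a kill verb
  parent-in-temp             the parent process itself runs from a temp folder
All directory lists, tool lists and events are assumptions for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# Per-user and system temp folders of a default Windows layout (assumption).
TEMP_DIR_RE = re.compile(
    r"^[a-z]:\\(?:windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\", re.I
)

# Directories from which launches are considered expected (assumed policy).
APPROVED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Images that can end another process, and the verbs that do so (assumed).
KILL_TOOLS = {"taskkill.exe", "wmic.exe", "powershell.exe"}
KILL_RE = re.compile(r"\b(taskkill|stop-process|terminate)\b", re.I)


@dataclass
class ProcessEvent:
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def classify(ev: ProcessEvent) -> list[str]:
    """Return the rule names that fire for one event (empty list = clean)."""
    findings = []
    image = ev.image.lower()
    base = ntpath.basename(image)

    if TEMP_DIR_RE.match(image):
        findings.append("exec-from-temp")
    elif not image.startswith(APPROVED_PREFIXES):
        findings.append("exec-outside-approved-dirs")

    # A renamed copy of cmd.exe keeps cmd's version resource, not its name.
    if ev.original_file_name.lower() == "cmd.exe" and base != "cmd.exe":
        findings.append("renamed-cmd")

    if base in KILL_TOOLS and KILL_RE.search(ev.command_line):
        findings.append("process-kill")

    if TEMP_DIR_RE.match(ev.parent_image.lower()):
        findings.append("parent-in-temp")

    return findings


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\svc-backup\AppData\Local\Temp\wct4F2A.tmp.exe", "Cmd.Exe",
                 r"C:\Users\svc-backup\AppData\Local\Temp\wct4F2A.tmp.exe",
                 r"C:\ProgramData\update\svchost.exe"),
    ProcessEvent(r"C:\Windows\Temp\setup_agent.exe", "setup_agent.exe",
                 "setup_agent.exe /quiet", r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
                 "taskkill /F /PID 4216",
                 r"C:\Users\svc-backup\AppData\Local\Temp\wct4F2A.tmp.exe"),
    ProcessEvent(r"C:\Tools\nc.exe", "nc.exe",
                 "nc.exe -lvp 4444", r"C:\Windows\System32\cmd.exe"),
]


def scan(events=SAMPLE_EVENTS) -> dict:
    """Map each image path to its findings, keeping only events that fired."""
    results = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            results[ev.image] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan().items():
        print(f"{image}: {', '.join(findings)}")
```

The renamed-cmd rule is the one worth keeping even if you tune the others: a process whose OriginalFileName is cmd.exe but whose on-disk name is something else has almost no legitimate reason to exist, whereas "anything launched from temp" will need an exception list for installers and updaters.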
Now, we can also use our system firewall to lock down outgoing connections, at least on servers, to only known endpoints like Windows Update servers or other internal systems where they're required. So there's plenty to learn from this story. There's plenty that we can review in our internal processes, our security processes, to see if we're taking this kind of attack or this kind of exploit into account within our processes and our monitoring.
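As an added example of the outbound-connection lockdown just mentioned (my own code, not part of the episode or the Kaspersky report), the Python below checks Windows Firewall log lines against an egress allowlist and reports every outbound destination a server reached that the policy does not cover. The log line layout is assumed to be the standard pfirewall.log space-separated field list, the allowlist and the log lines are constructed for the example, and 192.0.2.0/24 stands in for whatever update servers your policy actually names.

```python
"""Egress allowlist check over constructed Windows Firewall (pfirewall.log) lines.

Assumed line layout (the default pfirewall.log field order):
  date time action protocol src-ip dst-ip src-port dst-port size tcpflags
  tcpsyn tcpack tcpwin icmptype icmpcode info path
Only lines with path == SEND (outbound) are considered. The allowlist,
addresses and log lines below are assumptions constructed for this example.
"""
import ipaddress
from collections import Counter

FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")

# Outbound destinations a server is expected to reach (assumed policy):
# (network, allowed destination ports or None for any port).
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.0.0/8"), None),          # internal systems
    (ipaddress.ip_network("192.0.2.0/24"), {80, 443}),   # stand-in update servers
]


def parse_line(line: str):
    """Return a dict for one log record, or None for headers/blank/malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_allowed(dst_ip: str, dst_port: int) -> bool:
    """True if the destination/port pair is covered by the egress allowlist."""
    ip = ipaddress.ip_address(dst_ip)
    for net, ports in EGRESS_ALLOWLIST:
        if ip in net and (ports is None or dst_port in ports):
            return True
    return False


def unexpected_egress(log_text: str) -> Counter:
    """Count outbound TCP/UDP connections to destinations outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "SEND":
            continue
        if rec["protocol"] not in ("TCP", "UDP"):
            continue
        port = int(rec["dst_port"])
        if is_allowed(rec["dst_ip"], port):
            continue
        hits[(rec["dst_ip"], port, rec["protocol"])] += 1
    return hits


# Constructed sample log; the 203.0.113.77 lines model a RAT talking to its C2.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-10-12 09:15:03 ALLOW TCP 10.20.1.15 192.0.2.29 52311 443 0 - 0 0 0 - - - SEND
2021-10-12 09:15:04 ALLOW UDP 10.20.1.15 10.20.0.2 61002 53 0 - - - - - - - SEND
2021-10-12 09:15:09 ALLOW TCP 10.20.1.15 10.20.3.40 52312 445 0 - 0 0 0 - - - SEND
2021-10-12 09:16:41 ALLOW TCP 10.20.1.15 203.0.113.77 52313 443 0 - 0 0 0 - - - SEND
2021-10-12 09:16:42 ALLOW TCP 10.20.1.15 203.0.113.77 52314 443 0 - 0 0 0 - - - SEND
2021-10-12 09:17:00 ALLOW TCP 198.51.100.9 10.20.1.15 40122 3389 0 - 0 0 0 - - - RECEIVE
2021-10-12 09:17:30 ALLOW TCP 10.20.1.15 203.0.113.77 52315 8443 0 - 0 0 0 - - - SEND
"""


if __name__ == "__main__":
    for (ip, port, proto), count in unexpected_egress(SAMPLE_LOG).items():
        print(f"{proto} {ip}:{port} reached {count} time(s) outside policy")
```

Run it against a server's real pfirewall.log before you flip the outbound default to block: the destinations it reports are either the allowlist entries you forgot or the connections you most want to stop.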