[TheRecord] Exploit kit adds rare Chrome browser attack chain

The operators of the Magnitude exploit kit have added support for an attack chain targeting the Chrome web browser, a rare sighting since the very few exploit kits that are still active today have only targeted Internet Explorer over the past few years.

Exploit kits (EKs) are web applications hosted on compromised or attacker-controlled websites. They fingerprint the visitor’s browser (and, historically, its plugins), select an exploit that matches the detected version, and use it to install a malware payload on the visitor’s computer without any user interaction beyond loading the page.

Exploit kits have been used by malware gangs since the late 2000s and were a crucial part of the malware ecosystem in the first half of the 2010s.

Together with email spam, exploit kits were one of the two most common ways that malware groups targeted and infected users for more than a decade, used both in cybercrime operations and in nation-state cyber-espionage efforts.

Their usage began to decline in the late 2010s because of several law enforcement crackdowns against EK operators and because browser vendors added security features (sandboxing, exploit mitigations and the phasing out of plugins such as Flash) that made easy exploitation much harder.

All in all, EKs have barely had any significant impact on the cybersecurity landscape since 2017, but that hasn’t stopped some threat actors from developing new ones.

Over the past four years, several exploit kits such as Spelevo, Fallout, RIG, Underminer, RouterEK, and Magnitude have appeared, and most of them have remained fringe players on the threat landscape.

During that time, EK operators also lost their best programmers, who left to work with other cybercrime operators. For the past few years, instead of researching and deploying their own zero-day exploits, most EKs have limited themselves to integrating publicly disclosed vulnerabilities into their arsenals.

Throughout recent years, EK operators focused only on Internet Explorer users, because attacks against modern browsers usually require two- or three-stage exploit chains (typically a bug that gives code execution inside the browser’s renderer, followed by a sandbox escape), which operators could rarely develop themselves or obtain elsewhere.

Right now, Magnitude is one of the most active EKs on the market, regularly receiving updates (in the form of relatively new IE exploits) to its arsenal (see the 2020 and 2021 reports).

Magnitude adds PuzzleMaker’s exploit chain

But today, security firm Avast said it found a new exploit chain in the Magnitude codebase that allows it to target Chrome users, something that hasn’t been seen in years for an EK and that is considered a holy grail for EK operators, since it lets them target most of today’s web users.

#MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.

— Avast Threat Labs (@AvastThreatLabs) October 19, 2021

According to Avast, the exploit chain uses a Chrome vulnerability patched in April (CVE-2021-21224, a type confusion in the V8 JavaScript engine) to gain code execution inside the browser’s renderer sandbox, and a Windows elevation-of-privilege bug patched in June (CVE-2021-31956) to break out of that sandbox and attack the underlying operating system.

While proof-of-concept code has been available for the Chrome exploit since April, code for the Windows bug was never publicly released.

Avast also points out that this exact combination of Chrome and Windows exploits had been seen before, earlier this year, in a cyber-espionage campaign discovered by Kaspersky.

Kaspersky, which tracks the actor behind that campaign as PuzzleMaker, said the exploit chain had no connection to any previously known threat actor and was hidden inside a legitimate-looking geopolitical news portal, and described the entire operation as “a wave of highly targeted attacks against multiple companies.”

Although Avast’s discovery is important as a rare sighting of an exploit kit going after Chrome and other Chromium-based browsers, open questions remain, such as how a quasi-dead EK group got its hands on such a high-grade exploit chain, and how effective the chain actually is in practice.

There is also some good news: the Windows exploit is not universal and only works against a small number of Windows 10 versions.

“The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted,” Avast researchers said.
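The two facts above (a Chrome fix in April and a Windows stage that is only aimed at builds 18362 through 19042) give defenders a simple exposure triage. The following Python script is an added example, not code from The Record, Avast or Kaspersky. It assumes that Chrome 90.0.4430.85 is the first release carrying the CVE-2021-21224 fix (the article only says "patched in April"), takes the targeted-build list from Avast's statement, and runs over a constructed host inventory: hosts running a pre-fix Chromium build on one of the targeted Windows builds are flagged as exposed to the full chain, and pre-fix browsers on other builds as exposed to the renderer stage alone.

```python
"""
Exposure triage for the Magnitude / PuzzleMaker chain (CVE-2021-21224 + CVE-2021-31956).

Added example; not Avast's, Kaspersky's or The Record's code.
Assumptions not stated on the page:
  - Chrome 90.0.4430.85 is the first release with the CVE-2021-21224 fix, so any
    lower Chromium version is treated as vulnerable to the renderer stage.
  - The Windows stage only matters on the builds Avast listed (18362, 18363,
    19041, 19042); other builds are treated as out of scope for that stage.
The inventory at the bottom is constructed sample data.
"""
import re

CHROME_FIXED = (90, 0, 4430, 85)                 # assumption: fix version for CVE-2021-21224
TARGETED_BUILDS = {18362, 18363, 19041, 19042}   # from Avast's statement (19H1 through 20H2)


def parse_version(text):
    """Extract a four-part Chromium version: '89.0.4389.114' or 'Chrome/89.0.4389.114' -> (89, 0, 4389, 114)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def chrome_vulnerable(version_text):
    """True when the browser predates the assumed fix version (tuple comparison, not string comparison)."""
    return parse_version(version_text) < CHROME_FIXED


def build_targeted(os_build):
    """True when the Windows 10 build is one Avast observed the kernel stage being used against."""
    return int(os_build) in TARGETED_BUILDS


def assess(chrome_version, os_build):
    """Classify one host against the two-stage chain."""
    if not chrome_vulnerable(chrome_version):
        return "patched"        # stage 1 (renderer exploit) has nothing to hit
    if build_targeted(os_build):
        return "full-chain"     # renderer code execution plus a kernel EoP tuned for this build
    return "renderer-only"      # browser stage lands, but the Windows stage was not seen against this build


def assess_inventory(lines):
    """Parse 'host, chrome_version, os_build' CSV lines (comments and blanks skipped) into {host: status}."""
    results = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, chrome, build = [field.strip() for field in line.split(",")]
        results[host] = assess(chrome, build)
    return results


# Constructed sample inventory (hostname, Chrome version, Windows 10 build)
SAMPLE_INVENTORY = """
# host, chrome_version, os_build
ws-01, 89.0.4389.114, 19042
ws-02, 90.0.4430.85, 19042
ws-03, 89.0.4389.90, 19043
ws-04, Chrome/88.0.4324.182, 18363
""".strip().splitlines()

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it a CSV exported from your endpoint management tooling in place of the sample inventory. Note the caveat the script encodes in its labels: the major build number alone says nothing about whether the June 2021 cumulative update is installed, so "full-chain" means "in scope for the attacks Avast observed", not "confirmed unpatched"; confirming the Windows side requires checking the installed update level as well.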

The post Exploit kit adds rare Chrome browser attack chain appeared first on The Record by Recorded Future.
