Over the last few months, Kaspersky’s automated detection technologies prevented a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers. Upon closer analysis into the attack, Kaspersky researchers discovered a new zero-day exploit.

Throughout the first half of the year, Kaspersky experts observed an increase in attacks exploiting zero-days. A zero-day vulnerability is an unknown software bug discovered by attackers before the vendor has become aware of it. Since the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed unexpectedly.

Kaspersky technologies detected a series of attacks using an elevation of privilege exploit on multiple Microsoft Windows servers. This exploit had many debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that Kaspersky researchers had discovered a new zero-day. Kaspersky researchers have dubbed this cluster of activity MysterySnail.

The discovered code similarity to, and re-use of, Command and Control (C&C) infrastructure led the researchers to connect these attacks with the infamous IronHusky group and Chinese-speaking APT activity dating back to 2012.

Analysing the malware payload used with the zero-day exploit, Kaspersky researchers found variants of this malware were used in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities.

The vulnerability was reported to Microsoft and patched on 12 October 2021, as a part of the October Patch Tuesday.

Kaspersky products detect and protect against the exploit for the above vulnerability and associated malware modules.

“For the past few years, we have observed the set trend on the attackers’ consistent interest in finding and exploiting new zero-days,” comments Boris Larin, security expert at Kaspersky Global Research and Analysis Team (GReAT). “Previously unknown to vendors vulnerabilities, they can pose a serious threat to organisations. However, most of them share similar behaviors. That’s why it is important to rely on the latest threat intelligence and install security solutions that proactively find unknown threats.”