New ‘MysterySnail’ exploit used to hijack Windows Server deployments


Cybersecurity experts have reverse-engineered a mysterious new Remote Access Trojan (RAT) that exploited a zero-day in a core Windows driver to carry out privilege escalation.

The zero-day, discovered and reported by Kaspersky, was fixed by Microsoft in the October 2021 Patch Tuesday release.

“The exploit had many debug strings from an older and publicly known exploit for the vulnerability CVE-2016-3309, but further analysis revealed that it was a zero day. We discovered that it uses a previously unknown vulnerability in the Win32k driver…”, the researchers observed.


Named MysterySnail by Kaspersky, the Trojan's code and its use of command-and-control (C2) infrastructure led researchers to attribute the attack to the Chinese threat actor known as IronHusky.

Zero-day exploit

Analysis of the exploit revealed that it was written to target not only the latest Windows 10 and Windows Server 2019 builds, but also older versions, some of them still supported, going back as far as Windows Vista.

Further analysis of its malicious payload revealed similarities to several variants previously used in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.

Security experts interviewed by TechRadar Pro agreed that while zero-day attacks have unfortunately become a fact of life for enterprise security, businesses can limit the damage they cause through active monitoring.

“With operating system and application vulnerabilities emerging almost daily, it’s clear that attackers are hard at work discovering new exploits. Monitoring unusual activity is one of the only ways to ensure that such breaches are detected and dealt with promptly,” says Saryu Nayyar, CEO of security provider Gurucul.

Additionally, access review experts at YouAttest believe that thorough and regular identity reviews will also help eliminate privilege escalation exploits.

“Companies must practice identity security and have privilege escalation alerts and perform regular identity reviews to ensure that the principle of least privilege is applied across the enterprise – to ensure that once an identifier is compromised, appropriate alerts occur and damage is minimized,” says Garret Grajek, CEO of YouAttest.
