-
MDRAddress the growing frequency, type, and severity of cyber threats against SMB endpoints
-
SIEMCentralize threat visibility and analysis, backed by cutting-edge threat intelligence
-
Risk Assessment & Vulnerability ManagementIdentify unknown cyber risks and routinely scan for vulnerabilities
-
Identity ManagementSecure and streamline client access to devices and applications with strong authentication and SSO
-
Cloud App SecurityMonitor and manage SaaS security risks for the entire Microsoft 365 environment.
-
SASEZero trust secure access for users, locations, and devices
-
Enterprise-grade SOCProvide 24/7 threat monitoring and response backed by proprietary threat research and intelligence and certified cyber experts
-
Policy ManagementCreate, deploy, and manage client security policies and profiles
-
Incident Response ServiceOn-tap cyber experts to address critical security incidents
-
Cybersecurity GlossaryGuide to the most common, important terms in the industry
CVE-2021-41379 - Windows Installer Elevation of Privilege Vulnerability
Microsoft released a patch for CVE-2021-41379 during their November 9, 2021, Patch Tuesday updates. The patch was supposed to correct a flaw in the Windows Installer that would allow a malicious user with local access to delete any file using elevated SYSTEM privileges. On November 22, the original researcher, Abdelhamid Naceri, who reported the vulnerability, released a proof-of-concept (PoC) on github (https://github.com/klinix5/InstallerFileTakeOver) that demonstrates how Microsoft's patch was insufficient for fully correcting the issue and that it can still be used on patched systems. Additionally, Microsoft claims, "An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents;" however, additional research by Naceri and Cisco Talos (https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html) suggests that this vulnerability could be used to get full SYSTEM-level privileges on a system. The updated PoC demonstrates how a malicious user could leverage the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on a system with an MSI that would allow the attacker to execute code with elevated privileges.
Since the publication of the PoC, several malware samples have been observed attempting to exploit CVE-2021-41379. The CRU pushed out an event notification last week that specifically looks for the "test pkg" MSI installer used in the PoC while we continued to investigate new information regarding this exploit. The Event Notifications "[CRU][Windows] LPE InstallerFileTakeOver PoC CVE-2021-41379" will trigger specifically if anyone attempts to run the PoC published by Naceri. Since then, the CRU has done additional research and published three more Event Notifications to the CRU Collection in the Perch app that should trigger when someone attempts to exploit this vulnerability.
The three new Event Notifications published this week are:
[CRU][Windows] Windows Installer EoP 0day elevation_service.exe File Creation
[CRU][Windows] Windows Installer EoP 0day Post-CommandLine Process
[CRU][Windows] Windows Installer EoP 0day Process Creation
Kimsuky Group – HVNC Backdoor
Kimsuky Group(https://attack.mitre.org/groups/G0094/) is a North Korean APT focused on cyber espionage that's been around since 2012. While they initially focused on South Korean targets, they have since expanded to the United States, Russia, Europe, and the UN. Recent intelligence shows us that Kimsuky has begun using AppleSeed (https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed), backdoor remote control malware that Kimsuky has been using since this summer, to install a VNC client. VNC is a common light-weight graphical remote admin protocol similar to RDP. Earlier this week, the CRU pushed out several new IDS signatures that should detect the specific Kimsuky VNC client:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] HVNC Backdoor Connection Check (AVE_MARIA)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 10; content:"AVE_MARIA"; depth: 9; reference: url, app.any.run/tasks/48ad8f56-2255-47bf-a988-e0602c11f4b0; classtype:trojan-activity; sid:900511; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 8; content: "LIGHT'S"; depth: 7; classtype:trojan-activity; sid:900512; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S)"; flow:established, to_server; content:"LIGHT'S"; depth:7; classtype:trojan-activity; sid:900513; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S BOMB)"; flow:established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 13; content: "LIGHT'S BOMB"; depth: 12; classtype:trojan-activity; sid:900514; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[ConnectWise CRU] Kimsuky HVNC Backdoor Connection Check (LIGHT'S BOMB)"; flow:established, to_server; content:"LIGHT'S BOMB"; depth:12; classtype:trojan-activity; sid:900515; rev:1; metadata: created_at 2021_11_29, updated_at 2021_11_29;)
If you are a Perch IDS customer, all these signatures have already been pushed out to your sensors. If you are a Perch IDS customer, the Event Notifications for CVE-2021-41379 are part of the CRU collection in the Perch Marketplace (https://perch.help/marketplace/marketplace/).
References
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41379
https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html