New ‘MysterySnail’ exploit used to hijack Windows Server deployments
Microsoft has now patched the vulnerability in the October Patch Tuesday
Cybersecurity experts have helped quash a mysterious new remote access trojan (RAT) that exploited a zero-day in an essential Windows driver to launch a privilege escalation exploit.
The zero-day, discovered and reported by Kaspersky, was patched by Microsoft in the October 2021 edition of Patch Tuesday.
“The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver…,” observed the researchers.
Named MysterySnail by Kaspersky, the trojan’s code and its use of command and control (C2) infrastructure lead the researchers to associate the attack with the Chinese threat actor known as IronHusky.
Zero-day exploit
Analysis of the exploit revealed that it was written to attack not just the latest Windows 10 and Windows Server 2019 releases, but also older, even supported ones going as far back as Windows Vista.
Further analyses of its malicious payload revealed similarities with several variants that were previously used in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.
Security experts TechRadar Pro spoke to agreed that while zero-day attacks have unfortunately become a fact of life for enterprise security, businesses can minimize their damage with active monitoring.
“With OS and application vulnerabilities arising almost daily, it’s clear that attackers are hard at work in discovering new exploits. Monitoring for unusual activity is one of the only ways of making sure that such breaches are caught and addressed quickly,” says Saryu Nayyar, CEO of security vendor Gurucul.
Furthermore, access review experts YouAttest believe thorough and regular reviews of identities will also help de-fang privilege escalation exploits.
“Enterprises must practice identity security and have alerts on privilege escalation and conduct regular reviews of identities to ensure the principle of least privilege is practiced across the enterprise - to insure once a credential is compromised, the proper alerts occur and the damage is minimized,” believes Garret Grajek, CEO, YouAttest.
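The two controls the article's sources recommend, alerting on privilege escalation and periodically reviewing identities against least privilege, can be sketched as a small defensive script. The following is an added example written for this page; it is not code from Kaspersky, Gurucul, YouAttest or the article. It assumes an identity inventory exported from an IAM system (name, group memberships, last logon, enabled flag) and process-creation events reduced to a few fields (a simplified rendering of the creator account, target account, parent image and new image that Windows Event ID 4688 records); both data sets below are constructed, and the allowlist of parents that are expected to elevate is an assumption that must be tuned per environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Groups whose membership counts as privileged (assumption: a typical AD layout).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    name: str
    groups: set
    last_logon: datetime
    enabled: bool = True


def review_identities(accounts, now, stale_days=90):
    """Least-privilege review: return (account, reason) findings for privileged
    accounts that are disabled but still hold the group, or that have not
    logged on within stale_days."""
    findings = []
    for acct in accounts:
        held = acct.groups & PRIVILEGED_GROUPS
        if not held:
            continue
        if not acct.enabled:
            findings.append((acct.name, "disabled account still holds " + ", ".join(sorted(held))))
        elif now - acct.last_logon > timedelta(days=stale_days):
            findings.append((acct.name, f"privileged account idle for more than {stale_days} days"))
    return findings


SYSTEM = "NT AUTHORITY\\SYSTEM"
# Parents that legitimately produce SYSTEM children from a user-initiated action
# (assumption: service control and explicit run-as paths; tune per environment).
EXPECTED_ELEVATION_PARENTS = {"services.exe", "wininit.exe", "runas.exe"}


def detect_privilege_escalation(events):
    """Alert when an ordinary user account creates a process that runs as SYSTEM
    from a parent that is not expected to elevate: the trace a local privilege
    escalation exploit leaves in process-creation telemetry."""
    alerts = []
    for ev in events:
        creator, target = ev["creator_user"], ev["target_user"]
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if target.upper() != SYSTEM.upper():
            continue  # child is not SYSTEM: nothing to flag here
        if creator.upper() == SYSTEM.upper() or creator.endswith("$"):
            continue  # already SYSTEM or a machine account: not an escalation
        if parent in EXPECTED_ELEVATION_PARENTS:
            continue  # sanctioned elevation path
        alerts.append(f"{ev['time']}: {creator} started {ev['new_image']} as SYSTEM via {ev['parent_image']}")
    return alerts


# Constructed sample identity inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", {"Domain Users"}, datetime(2021, 10, 12)),
    Account("svc_backup", {"Administrators", "Domain Users"}, datetime(2021, 6, 1)),
    Account("bob_old", {"Domain Admins"}, datetime(2021, 1, 5), enabled=False),
    Account("carol", {"Domain Admins"}, datetime(2021, 10, 10)),
]

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"time": "2021-10-12T09:14:03", "creator_user": "CORP\\alice", "target_user": SYSTEM,
     "parent_image": "C:\\Users\\alice\\Downloads\\invoice_viewer.exe",
     "new_image": "C:\\Windows\\System32\\cmd.exe"},
    {"time": "2021-10-12T09:15:10", "creator_user": SYSTEM, "target_user": SYSTEM,
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "new_image": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2021-10-12T09:16:42", "creator_user": "CORP\\WS01$", "target_user": SYSTEM,
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "new_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"time": "2021-10-12T09:20:00", "creator_user": "CORP\\alice", "target_user": "CORP\\alice",
     "parent_image": "C:\\Windows\\explorer.exe",
     "new_image": "C:\\Program Files\\Editor\\editor.exe"},
]


def run_review(now=datetime(2021, 10, 13)):
    """Run both checks over the constructed samples and return the results."""
    return {
        "identity_findings": review_identities(SAMPLE_ACCOUNTS, now),
        "escalation_alerts": detect_privilege_escalation(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for name, rows in run_review().items():
        print(name)
        for row in rows:
            print("  ", row)
```

On the constructed samples, the identity review flags the idle privileged service account and the disabled account that still holds Domain Admins, and the escalation check raises a single alert for the SYSTEM shell spawned from a user's downloaded executable; the service-control and machine-account events are left alone. In a real deployment the account data would come from the directory and the events from a SIEM, and the parent allowlist would be built from a baseline of the environment's own elevation paths.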
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.