AL2021_50 Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild (26th November 2021)

Threat actors are attempting to use a new variation of a recently reported privilege escalation vulnerability to possibly execute arbitrary code on fully patched computers, highlighting how adversaries may weaponize a publicly accessible exploit swiftly.

Summary

Cisco Talos reported they have observed malware samples in the wild that are attempting to exploit this issue. However, the escalation of privilege problem affecting the windows installer software component was first fixed as part of Microsoft Patch Tuesday updates for November 2021 and was tracked as CVE- 2021-41379 by security researcher Abdelhamid Naceri.

Nevertheless, in a case of inadequate patching, Naceri observed that it was feasible to not only dodge Microsoft's remedy but also to gain local privilege escalation via a newly uncovered zero-day bug.

How it works

The "InstallerFileTakeOver" proof-of-concept hack replaces any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM rights.

An attacker with admin credentials might then use it to obtain complete control of the compromised system, including the ability to download additional software and edit, destroy, or exfiltrate sensitive data stored on the machine.

"Local priv ESC, confirm that this works. Windows 10 20H2 and Windows 11 were also used to test the software. MS's last patch didn't completely resolve the problem "Kevin Beaumont, a security expert tweeted the results on Twitter.

The latest iteration of CVE-2021-41379 is "more potent than the original one," according to Naceri, and the recommended course of action is to wait for Microsoft to produce a security patch for the issue "due to the intricacy of this vulnerability."

Remediation

At this moment there is no fixed patch to remedy this new malware. However, Windows users should implement the following security measures below.

  • Ensure windows are updated to the latest version.

  • Install an antivirus on your workstation

  • Install a firewall on your network and have it configured to suit the network operations.

    The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
    PDF Download: Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild.pdf

    References