Kaspersky tracks Windows zero days to 'Moses' exploit author

In its second-quarter threat report, Kaspersky Lab found a rise in the use of exploits and zero-day vulnerabilities, several of which were traced to a single threat actor.

New research by Kaspersky Lab shows a rise in APT groups leveraging exploits to gain an initial foothold in a target network, including recent, high-profile zero-day vulnerabilities in Microsoft Exchange Server as well as Windows.

The security vendor released its APT Trends Report Q2 Thursday, which documented an uptick in certain activity during the past few months. Researchers found that advanced persistent threat (APT) groups committed several supply chain attacks in recent months. For example, Kaspersky found that the Chinese-speaking APT group it tracks as "BountyGlad" compromised a digital certificate authority in February. According to the report, the group demonstrated an increase in "strategic sophistication with this supply chain attack." 

However, one of the most significant trends was a shift in tactics. Kaspersky researchers found that while APT groups mainly use social engineering to gain an initial foothold, there was an increase in using zero days and exploits during the second quarter. Several of the zero days, including two Windows vulnerabilities that were patched earlier this year, were traced to an exploit developer Kaspersky has dubbed "Moses."

"Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as 'Moses,'" the report said.

Both are Microsoft Windows zero days that received a Common Vulnerability Scoring System (CVSS) score of 7.8 and were designated as elevation of privilege vulnerabilities.

Kaspersky identified Moses in its APT Trends Report for Q1. According to the Q1 report, "Moses" appears to make exploits available to several APTs, but so far researchers have confirmed only two groups that have utilized exploits developed by Moses: Bitter APT and DarkHotel.

Kaspersky researchers David Emm and Ariel Jungheit told SearchSecurity that Bitter APT and DarkHotel are two distinct groups, and it is unclear why Moses presumably worked with them. However, one of the groups' targets appears to be known.

"In the case of Bitter APT, our telemetry indicates that the exploits have been used against targets inside Pakistan, though they could have been used against targets inside China also," Emm and Jungheit said in an email to SearchSecurity.

As for how these exploits are getting into the group's hands, it's unclear whether Bitter APT or DarkHotel got them directly or indirectly from Moses. Emm and Jungheit said they think other threat actors have used exploits from the developer as well.

"Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from 'Moses,'" the report said.

The report also cited examples from recent high-profile attacks, including the exploitation of at least two vulnerabilities in Pulse Secure and the surge of attacks by APTs against Microsoft Exchange servers exploiting ProxyLogon and other zero days revealed earlier this year.

In March, Microsoft disclosed that multiple zero-day vulnerabilities were exploited by a Chinese nation-state threat group to attack on-premises versions of Exchange email servers. It wasn't until this month that the U.S. formally named the Chinese threat actor designated Hafnium in the Exchange Server hacks.

Although Kaspersky observed an increase during Q2 in the use of exploits to gain a foothold in a target organization, the use of social engineering is not going anywhere. Emm and Jungheit said APTs will certainly continue to make use of both social engineering and exploits in the future.

"The relative mix of the two will depend on their availability and the potential ROI from using one or the other approach," they said.
