
Magnitude Exploit Kit Adds Rare Chrome Attack Chain to Target Chrome Users


The handlers of the Magnitude exploit kit (EK) have added two new exploits to their arsenal, capable of targeting Chromium-based browsers running on Windows systems. This is a very rare sight, since the few exploit kits that are still active have mainly focused on Microsoft’s Internet Explorer over the past few years.

Security researchers at Avast uncovered a new chain of exploits used in attacks on users of the Chrome browser. The two new exploits, CVE-2021-21224 and CVE-2021-31956, affect the Google Chrome browser and the Microsoft Windows platform, respectively.

The first exploit in the chain, CVE-2021-21224, which Google patched in April 2021, targets a type confusion vulnerability in the V8 JavaScript engine that allows remote attackers to execute arbitrary code inside the renderer sandbox via a crafted HTML page.

The second exploit, CVE-2021-31956, targets a privilege escalation vulnerability in Windows that allows attackers to break out of Chrome’s sandbox and gain system privileges. The vulnerability was addressed in June 2021. The two flaws were previously chained in malicious activity that Kaspersky named PuzzleMaker, which could not be linked to any known adversary.

“The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds. For the time being, the activity doesn’t appear to involve the use of a malicious payload, although it does lead to the victim’s Windows build number being exfiltrated,” Avast said. 

“Since Magnitude typically tests newly implemented exploits in this manner, it’s likely that malicious attacks will follow soon, likely deploying the Magniber ransomware,” Avast added. First discovered in 2017, Magniber was attributed to Magnitude from the start and is believed to have been developed by the EK’s handlers.

While Avast’s discovery is significant because exploit kits rarely go after Chrome and other Chromium-based browsers, open questions remain, such as how the “half-dead” EK group got its hands on such a high-grade exploit chain and how effective the chain actually is. Fortunately, the Windows exploit is not universal and will only work against a small number of Windows 10 versions.