Security researchers were investigating a BITTER APT zero-day exploit in February when they discovered a similar vulnerability in 64-bit Windows.

In late February, a Windows vulnerability (CVE-2021-1732) was disclosed, in which the advanced persistent threat (APT) group BITTER had exploited the win32k callback feature to escape the sandbox of Microsoft’s Internet Explorer browser and Adobe Reader in 64-bit Windows 10 versions up to 20H2.

Attackers had exploited the zero-day vulnerability in China, where the disclosure was first made public. While investigating the exploit, researchers managed to discover another zero-day exploit (CVE-2021-28310) in the same month.

According to Kaspersky, the team that found the exploit, the vulnerability involves an escalation of privilege in Desktop Window Manager (dwm.exe) that allows attackers to execute arbitrary code on a victim’s machine. Desktop Window Manager is the module that lets Windows add effects such as transparency and live taskbar thumbnails.

It is likely that the later and very similar exploit was used together with other browser exploits to escape sandboxes or obtain system privileges for further access. A patch for the elevation of privilege vulnerability CVE-2021-28310 was released on April 13th, 2021. Experts are currently unable to link this exploit to any known threat actor.

Kaspersky’s initial investigation has not revealed the full infection chain, so it is not yet known whether the exploit is used with another zero-day or coupled with known, patched vulnerabilities. (Note: zero-day exploits are hitherto unknown software bugs that are quickly leveraged for malicious activities in the shadows, resulting in unexpected and destructive consequences before the community has had a chance to release CVE disclosures and resultant software patches.)

According to one of the firm’s security experts, Boris Larin, his teams have built a multitude of exploit protection technologies and will continue to improve defenses for users. He further advises readers to patch affected systems as soon as possible, and follow all best practices involving endpoint protection and threat intelligence.