11 December 2019

Windows, Chrome 0-Days paired up in Operation WizardOpium campaign

0-Day vulnerabilities in Google’s Chrome browser and Microsoft Windows were used in attacks that attempted to infect Windows users who visited a Korean-language news portal with malware. The vulnerability in Chrome, tracked as CVE-2019-13720 (the flaw was addressed in Chrome 78.0.3904.87), was discovered last month by Kaspersky researchers, who said it was actively exploited in attacks dubbed Operation WizardOpium.
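The only concrete remediation marker the article gives for the Chrome side is the fixed build, 78.0.3904.87. The script below is an added example (not code from the article or from Kaspersky) that triages a constructed fleet inventory against that build: it parses four-part Chrome version strings and compares them numerically, so that 78.0.3904.108 is correctly recognised as newer than 78.0.3904.87 (a plain string comparison would rank it as older). The host names and versions in the sample inventory are made up for illustration.

```python
"""Flag Chrome builds still exposed to CVE-2019-13720.

Added example, not part of the original article. The fixed build
78.0.3904.87 is taken from the article; the inventory lines below are
constructed sample data, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

# CVE-2019-13720 was addressed in Chrome 78.0.3904.87 (per the article).
FIXED_BUILD: Tuple[int, ...] = (78, 0, 3904, 87)

# Constructed inventory lines: "<host> <chrome version>"
SAMPLE_INVENTORY = """\
ws-01 78.0.3904.70
ws-02 78.0.3904.87
ws-03 78.0.3904.108
ws-04 79.0.3945.79
ws-05 77.0.3865.120
ws-06 unknown
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '78.0.3904.87' into (78, 0, 3904, 87); None if not a 4-part build.

    Numeric tuples are used so that '78.0.3904.108' compares as newer
    than '78.0.3904.87'; comparing the raw strings would get this wrong.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_BUILD


def triage_inventory(inventory: str) -> Dict[str, List[str]]:
    """Group hosts by exposure status: 'vulnerable', 'patched' or 'unknown'.

    Unparseable versions land in 'unknown' rather than being silently
    treated as patched, so they still surface for follow-up.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(" ")
        status = is_vulnerable(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feeding it a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with lines in the same `host version` shape; anything that does not parse as a four-part build is reported as unknown instead of being assumed safe.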

The researchers said that the attackers injected malicious JavaScript code into the main page of a Korean-language news portal. The JavaScript tag downloaded malicious scripts from a remote server and executed them in the victim’s browser. These scripts exploited a zero-day flaw in Google Chrome that allowed the attackers to download and install malware on victims' machines. While Kaspersky has not been able to attribute Operation WizardOpium to any particular threat group, the researchers said they found “very weak code similarities” with Lazarus attacks.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks”, the researchers noted.

In a new blog post published yesterday, the Kaspersky team revealed the existence of yet another zero-day vulnerability (this time affecting Microsoft’s operating system) that was used in conjunction with CVE-2019-13720 to gain elevated privileges on Windows machines and escape the Chrome sandbox in order to install the malware payload.

“During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’”.

“The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions”, the researchers explained.

The Windows zero-day was assigned the identifier CVE-2019-1458. According to Microsoft’s description, “an elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights”. 

Successful exploitation requires the attacker to be logged in to the system. From there, the attacker can exploit the vulnerability and take control of the affected system using a specially crafted application. CVE-2019-1458 was addressed in the December 2019 Patch Tuesday security updates, which in total fix 36 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Hyper-V Server, Microsoft Defender, GitHub Library, Office and Office Services and Web Apps, and SQL Server.
