Zero-day vulnerabilities in Google’s Chrome browser and Microsoft Windows were used in attacks that attempted to infect Windows users who visited a Korean-language news portal with malware. The Chrome vulnerability, tracked as CVE-2019-13720 (fixed in Chrome 78.0.3904.87), was discovered last month by Kaspersky researchers, who said it was being actively exploited in attacks they named Operation WizardOpium.
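Because the article names the exact Chrome build that closed CVE-2019-13720, the practical defender's check is a version comparison across an endpoint inventory. The script below is an added example, not code from Kaspersky or Google; the inventory records are constructed sample data, and the hostnames are hypothetical. It parses dotted version strings into integer tuples, which avoids the common mistake of comparing versions as strings (lexicographically, "9.0.597.107" sorts above "78.0.3904.87").

```python
"""Flag Chrome installs still below the build that fixed CVE-2019-13720 (added example)."""
import re
from typing import Dict, List, Tuple

# Fixed build named in the article for CVE-2019-13720.
CHROME_FIXED_VERSION = "78.0.3904.87"

# Constructed sample inventory (hostname -> reported Chrome version); not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "78.0.3904.70",   # below the fixed build
    "ws-02": "78.0.3904.87",   # exactly the fixed build
    "ws-03": "79.0.3945.79",   # later release
    "ws-04": "9.0.597.107",    # very old build; fools naive string comparison
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '78.0.3904.87' into (78, 0, 3904, 87).

    Each component must start with digits; a trailing non-numeric suffix on a
    component is ignored, and anything else raises ValueError so bad inventory
    data is not silently treated as patched.
    """
    parts = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            raise ValueError(f"bad version component {component!r} in {version!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_vulnerable_chrome(version: str) -> bool:
    """Any build below the fixed one still carries CVE-2019-13720."""
    return version_lt(version, CHROME_FIXED_VERSION)


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted list of hosts whose Chrome build is below the fix."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable_chrome(ver))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {CHROME_FIXED_VERSION}, update required")
```

In a real deployment the inventory dictionary would be fed from whatever the endpoint management system reports for the Chrome version; the comparison logic stays the same.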
“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks”, the researchers noted.
In a new blog post published yesterday, the Kaspersky team revealed the existence of yet another zero-day vulnerability, this time in Microsoft’s operating system, that was used together with CVE-2019-13720 to gain elevated privileges on Windows machines, escape the Chrome sandbox and install the malware payload.
“During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’”.
“The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions”, the researchers explained.
The Windows zero-day was assigned the identifier CVE-2019-1458. According to Microsoft’s description, “an elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights”.
Successful exploitation requires the attacker to be logged on to the system; from there, a specially crafted application can exploit the vulnerability and take control of the affected system. CVE-2019-1458 was addressed in the December 2019 Patch Tuesday security updates, which in total fix 36 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Hyper-V Server, Microsoft Defender, GitHub Library, Office and Office Services and Web Apps, and SQL Server.