Two zero-day exploits found in Windows OS and IE


During May this year, Kaspersky’s automated detection technologies prevented a targeted attack on a South Korean company.

Further analysis revealed that the attempt employed a previously unknown full chain (the complete series of steps used in a cyber attack) made up of two zero-day exploits: a remote code execution exploit for Internet Explorer (IE) 11 and an elevation of privilege (EoP) exploit for Windows. The latter targeted the latest versions of Windows 10.

Zero-day vulnerabilities are previously unknown software bugs that, once discovered by an attacker, make it possible to conduct malicious activity discreetly, causing serious and unexpected damage before a patch exists.

During the investigation, Kaspersky researchers found two zero-day vulnerabilities. The first, exploited in IE, is a use-after-free, a class of memory-safety bug that can enable full remote code execution. This vulnerability was assigned CVE-2020-1380.

However, because IE runs in an isolated (sandboxed) environment, the threat actors needed more privileges on the infected computer. For that they required an additional exploit, this time for Windows, which abused a vulnerability in the printer service and let them execute arbitrary code on the victim's machine with elevated privileges. This EoP vulnerability was assigned CVE-2020-0986.

Boris Larin, a security expert at Kaspersky, says that when 'in the wild' attacks with zero-day vulnerabilities happen, they garner major interest within the cyber security community.

Successful detection of such a vulnerability immediately pressures vendors to issue a patch and forces users to install all necessary updates. What is particularly interesting about the discovered attack is that the previous exploits Kaspersky found were mainly about elevation of privileges.

However, Larin says this case included an exploit with remote code execution capabilities, which is more dangerous. Together with its ability to affect the latest Windows 10 builds, this makes the discovered attack unusual, says Kaspersky.

“It reminds us once again to invest into prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats,” he adds.

Researchers from Kaspersky are somewhat confident that the attack can be attributed to DarkHotel, a targeted spear-phishing campaign that spreads spyware and other malware, based on weak similarities between the new exploit and previously discovered exploits attributed to this actor.

A patch for the elevation of privilege vulnerability CVE-2020-0986 was released on 9 June, and one for the remote code execution vulnerability CVE-2020-1380 was released on 11 August.

To protect from the threat, Kaspersky advises users to install both patches as soon as possible, and businesses to provide their SOC teams with access to the latest threat intelligence.
