Two zero-day vulnerabilities in Windows and IE were chained to target a South Korea firm in May

Kaspersky researchers disclosed on Wednesday that an exploit used to target a South Korean firm in May had chained two zero-day vulnerabilities in Windows and Internet Explorer.

Dubbed "Operation PowerFall" by Kaspersky, the attack relied on a bug in Windows GDI Print/Print Spooler API, now tracked as CVE-2020-0986, and a remote code execution (RCE) vulnerability (CVE-2020-1380) in Internet Explorer 11.

The bugs have now been patched by Microsoft, but they were zero-day vulnerabilities when exploitation was first observed.

According to Microsoft, CVE-2020-1380 exists in the IE scripting engine and could allow attackers to compromise a system when a user browses to a malicious website with IE, or opens booby-trapped Office files sent by hackers. The flaw exists in the way that the scripting engine handles objects in memory in IE.

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user," Microsoft said in its advisory.

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user."

The bug was discovered by Boris Larin of Kaspersky, who reported it to Microsoft in June.

According to Larin, hackers behind Operation PowerFall chained CVE-2020-1380 with privilege escalation vulnerability CVE-2020-0986 which affects all supported versions of Windows.

A patch for CVE-2020-0986 was released in June, although its details were first revealed in May after Trend Micro's Zero Day Initiative (ZDI) published an online post giving details of CVE-2020-0986 and four other unpatched bugs affecting Windows.

ZDI said it had reported CVE-2020-0986 to Microsoft in December 2019 but the tech giant failed to release a patch for it before the end of six-month deadline.

According to Kaspersky, threat actors exploited the vulnerability in attacks one day after ZDI's disclosure. In the attack, hackers used two zero-days to deliver a piece of malware, although the final payload was blocked by Kaspersky products from being downloaded on the targeted system.

"Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64," Boris Larin said in an online post.

According to Larin, "Operation PowerFall" was most likely launched by DarkHotel group, although he clarified that the analysis did not reveal a definitive link, and that the assumption is based on exploit similarities with previously discovered exploits.

DarkHotel group is believed to be active since at least 2007 and is mostly interested in collecting information such as emails, documents, and other bits of sensitive data from targets. In 2014, Kaspersky researchers spotted the group compromising hotel Wi-Fi networks in efforts to carry out attacks against specific hotel guests.

In April, Chinese cyber security firm Qihoo 360 said that it had detected a cyber espionage campaign that was likely being carried out by DarkHotel and attempted to target Chinese institutions in mainland China as well as in other countries.

Kaspersky researchers also said in March that DarkHotel used five zero-day vulnerabilities in 2019 to target North Korean and Chinese targets.

• Tweet  
• Facebook  
• LinkedIn  
• Send to  

• Topics
• Threats and Risks
• CVE-2020-0986
• Kaspersky
• CVE-2020-1380
• Internet Explorer
• Microsoft
• Boris Larin
• Operation WizardOpium
• Operation PowerFall