Kaspersky discovers zero-day exploits


Targeted attacks: Kaspersky detects zero-day exploits in the Windows operating system and Internet Explorer. APT actor DarkHotel could be behind the exploits.

In late spring 2020, Kaspersky's automated detection technology prevented a targeted attack on a South Korean company. On closer investigation of the attack, Kaspersky researchers found two previously unknown vulnerabilities: a remote code execution exploit for Internet Explorer 11 and an Elevation of Privilege (EoP) exploit that obtains higher access rights on current versions of Windows 10. Patches for both vulnerabilities have already been published.

Zero-day vulnerabilities are software bugs that are not yet known to the vendor. Until they are discovered and patched, attackers can use them unnoticed for malicious activity and cause serious damage.

Exploit in the Windows operating system

Kaspersky experts discovered two zero-day vulnerabilities while investigating a targeted attack in Korea. The first, a use-after-free vulnerability in Internet Explorer, allows remote code execution and was assigned CVE-2020-1380. Because Internet Explorer runs in a sandboxed environment, the attackers needed additional privileges on the infected devices. They obtained these through a second exploit in the Windows operating system, which abused a vulnerability in the printer service to execute arbitrary code with elevated rights. The operating-system vulnerability is tracked as CVE-2020-0986.
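The chain described above hinges on a use-after-free: an object is freed while a pointer to it remains in use, and a later call through that stale pointer reads memory the allocator may already have handed to someone else. The following C program is an added illustration, not code from Kaspersky, Internet Explorer or the attack; the `node_t` object, its `on_event` handler and the function names are hypothetical. It shows the vulnerable pattern beside the ownership discipline that prevents it (release through a pointer-to-pointer, clear the reference, refuse to use a cleared handle).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap object standing in for a browser-side object
 * (constructed for this example; not modelled on IE internals).
 * It carries a function pointer because that is the field a
 * use-after-free typically ends up corrupting. */
typedef struct {
    char  label[16];
    int (*on_event)(void);
} node_t;

static int default_handler(void) { return 1; }

/* Allocate and initialise a node. */
node_t *node_new(const char *label) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strncpy(n->label, label, sizeof n->label - 1);
    n->on_event = default_handler;
    return n;
}

/* Vulnerable pattern: free() leaves the caller's pointer dangling, and
 * the later call dispatches through freed memory. If the chunk has been
 * reused, on_event holds whatever the new occupant wrote there.
 * Compiled only with -DSHOW_BUG; add -fsanitize=address to see the
 * AddressSanitizer report of the heap-use-after-free. */
#ifdef SHOW_BUG
int vulnerable_sequence(void) {
    node_t *n = node_new("dangling");
    free(n);               /* object gone, pointer kept */
    return n->on_event();  /* use-after-free */
}
#endif

/* Hardened pattern: release through a pointer-to-pointer so the owner's
 * reference is cleared at the same moment the memory is freed. */
void node_release(node_t **np) {
    if (np && *np) {
        /* Scrub the function pointer before free() so a stale read of
         * this chunk cannot dispatch through the old handler either. */
        (*np)->on_event = NULL;
        free(*np);
        *np = NULL;
    }
}

/* Every use goes through a check for a cleared handle.
 * Returns the handler result, or -1 for a released/NULL node. */
int node_invoke(const node_t *n) {
    if (!n || !n->on_event) return -1;
    return n->on_event();
}

/* Live call returns 1; the call after release returns -1 without
 * touching freed memory; a second release is a harmless no-op. */
int hardened_sequence(int *after_release) {
    node_t *n = node_new("owned");
    int live = node_invoke(n);
    node_release(&n);                 /* n is now NULL */
    *after_release = node_invoke(n);  /* rejected, no memory access */
    node_release(&n);                 /* no-op */
    return live;
}

int main(void) {
    int after = 0;
    int live = hardened_sequence(&after);
    printf("live call: %d, after release: %d\n", live, after);
    return 0;
}
```

The defensive pattern does not make the code "exploit-proof" on its own (a second copy of the pointer held elsewhere would still dangle), which is why browser engines combine it with reference counting, allocator hardening and sandboxing, and why the attackers in this case still needed the separate privilege-escalation bug to get out of the sandbox.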

"Real attacks with zero-day vulnerabilities 'in the wild' always generate great interest in the cybersecurity scene," explains Boris Larin, security expert at Kaspersky. "If such vulnerabilities are discovered successfully, this puts pressure on providers to immediately release patches and forces users to install all necessary updates. What is particularly interesting about the detected attack is that the previous exploits were mainly about obtaining higher privileges. However, this case involves an exploit with remote code execution capabilities, which makes it more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the attack discovered is really a rare thing these days. It should remind us to invest in outstanding threat intelligence and proven protection technologies to actively identify the latest zero-day threats."

Is the DarkHotel group behind the zero-day exploits?

Kaspersky experts suspect that the DarkHotel group could be behind the attack, as the new exploit shares certain similarities with previous attacks carried out by DarkHotel. The Kaspersky Threat Intelligence Portal provides detailed Indicators of Compromise (IoCs) for this group, including file hashes and C&C servers. Kaspersky solutions detect the exploits as PDM:Exploit.Win32.Generic.

The patch for the privilege escalation vulnerability CVE-2020-0986 was released on June 9, 2020, and the one for the remote code execution vulnerability CVE-2020-1380 was released on August 11, 2020.

Kaspersky Security Recommendations

  • The Microsoft patches should be installed as soon as possible; once they are applied, attackers can no longer exploit these now-public vulnerabilities.
  • SOC teams should have access to the latest threat intelligence. The Kaspersky Threat Intelligence Portal can serve as a central point of contact. It provides extensive data on cyber attacks and intelligence that Kaspersky has accumulated over the course of more than 20 years.
  • EDR solutions such as Kaspersky Endpoint Detection and Response help identify, investigate and quickly resolve incidents on endpoints.
  • In addition, companies should use security solutions that detect complex threats at an early stage at the network level, such as Kaspersky Anti Targeted Attack Platform.

More information on these newly discovered exploits is available in an English-language report.

More on this at SecureList at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
