Operation PowerFall – Threat Actor Leverages Internet Explorer and Windows 10 Zero-Days


Friday, August 14th, 2020 |


                In May 2020, Kaspersky technologies blocked an attack on a South Korean company that used a malicious script for Internet Explorer. Closer analysis showed that the attackers had used a previously unknown full chain consisting of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit for Windows. Further analysis found that, unlike earlier chains, this one targeted the latest builds of Windows 10 (build 18363 x64) together with Internet Explorer 11. The Internet Explorer vulnerability is tracked as CVE-2020-1380 and the Windows elevation of privilege vulnerability as CVE-2020-0986.

                Kaspersky's researchers, writing on Securelist, have analyzed the exploit code. While they could not establish a definitive link to any known threat actor, they note similarities with earlier exploits that point to the well-known APT DarkHotel as the likely group behind the attacks. Microsoft has since patched both vulnerabilities: CVE-2020-0986 on June 9th, 2020 and CVE-2020-1380 on August 11th, 2020.

CVE-2020-0986

                According to Microsoft, CVE-2020-0986 is a Windows kernel elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode and could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must first gain access to the system, typically by running a specially crafted application. In the PowerFall chain that first foothold was the Internet Explorer exploit: once code was running inside the browser sandbox, this privilege escalation exploit was used to escape it. Microsoft's update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

CVE-2020-1380

                CVE-2020-1380 is a scripting engine memory corruption vulnerability in Internet Explorer that allows remote code execution. An attacker who successfully exploits it could corrupt memory in such a way that arbitrary code runs in the context of the current user. If the current user is logged on with administrative rights, the attacker could take full control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights.

                The attacker could leverage this vulnerability through several attack vectors. In a web-based attack, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to visit it through social engineering. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. Finally, an attacker could take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by placing specially crafted content there that exploits the vulnerability when a user views it.

                The security update provided by Microsoft addresses the vulnerability by modifying how the scripting engine handles objects in memory.

It is strongly recommended that all users and system administrators apply the June and August 2020 security updates that address these two vulnerabilities as soon as possible. Because the chain was used in the wild before the patches were available, hosts that browsed with unpatched Internet Explorer 11 during that window should also be checked against the indicators of compromise below.


Indicators of Compromise:

  • FileHash-MD5
    • 5877eaeca1fe8a3a15d6c8c5d7fa240b
    • b72731b699922608ff3844ccc8fc36b4
    • b06f1f2d3c016d13307bc7ce47c90594
    • e01254d7af1d044e555032e1f78ff38f
  • URL
    • http://www.static-cdn1.com/update.zip
  • FileHash-SHA256
    • 7765f836d2d049127a25376165b1ac43cd109d8b9d8c5396b8da91adc61eccb1
    • d02632cffc18194107cc5bf76aeca7e87e9082fed64a535722ad4502a4d51199
    • 81d07cae45caf27cbb9a1717b08b3ab358b647397f08a6f9c7652d00dbf2ae24
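A quick way to put the file-hash indicators above to use is to sweep a host for them. The script below is an added example written for this page; it is not code from the original post or from Kaspersky. The hash values are copied from the IOC list above; the function name Find-PowerFallIocs, the default scan root ($env:SystemDrive\Users) and the output fields are assumptions made for the example.

```powershell
# Added example (not from the original post or from Kaspersky): sweep a directory
# tree for the Operation PowerFall file-hash IOCs listed on this page.
# $ScanRoot default and the function name are assumptions for the example.
param(
    [string]$ScanRoot = "$env:SystemDrive\Users"
)

# Hash values quoted from the IOC list above.
$Md5Iocs = @(
    '5877eaeca1fe8a3a15d6c8c5d7fa240b',
    'b72731b699922608ff3844ccc8fc36b4',
    'b06f1f2d3c016d13307bc7ce47c90594',
    'e01254d7af1d044e555032e1f78ff38f'
)
$Sha256Iocs = @(
    '7765f836d2d049127a25376165b1ac43cd109d8b9d8c5396b8da91adc61eccb1',
    'd02632cffc18194107cc5bf76aeca7e87e9082fed64a535722ad4502a4d51199',
    '81d07cae45caf27cbb9a1717b08b3ab358b647397f08a6f9c7652d00dbf2ae24'
)

function Find-PowerFallIocs {
    param([Parameter(Mandatory)][string]$Root)

    # Case-insensitive sets: Get-FileHash returns upper-case hex, the IOC list is lower-case.
    $md5Set    = [System.Collections.Generic.HashSet[string]]::new([string[]]$Md5Iocs,    [System.StringComparer]::OrdinalIgnoreCase)
    $sha256Set = [System.Collections.Generic.HashSet[string]]::new([string[]]$Sha256Iocs, [System.StringComparer]::OrdinalIgnoreCase)

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # Both algorithms are hashed because the IOC list carries both kinds of entry.
                $sha = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5    -ErrorAction Stop).Hash
            } catch {
                # Locked or unreadable file: skip it rather than abort the whole sweep.
                return
            }
            if ($sha256Set.Contains($sha) -or $md5Set.Contains($md5)) {
                [pscustomobject]@{
                    Path          = $file.FullName
                    SHA256        = $sha.ToLower()
                    MD5           = $md5.ToLower()
                    LastWriteTime = $file.LastWriteTimeUtc
                }
            }
        }
}

$hits = @(Find-PowerFallIocs -Root $ScanRoot)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    exit 1   # non-zero so the sweep can be chained into a wider collection job
} else {
    Write-Output "No PowerFall file-hash IOCs found under $ScanRoot"
}
```

Run it from an elevated prompt so that other users' profiles are readable. The script covers only the file-hash indicators; the URL indicator should be searched for separately in proxy, DNS and browser-history records, which this example does not touch.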
