According to researchers, a South Korean organization suffered a sophisticated cyber attack. The details of the attack campaign are summarized below.
What Happened?
This attack campaign involved the exploitation of zero-day vulnerabilities in Windows and Internet Explorer and was dubbed Operation PowerFall.
- The full-chain exploit targeted the latest builds of Windows 10 (build 18363 x64) and Internet Explorer 11.
- Two zero-day exploits were part of this attack: an elevation of privilege exploit for Windows (CVE-2020-0986) and a remote code execution exploit for Internet Explorer (CVE-2020-1380).
- Researchers concluded that these attacks were probably carried out by the DarkHotel group, due to the similarities with previously disclosed vulnerabilities.
Vulnerabilities in IE
- Like the new one, the previous set of zero-day exploits (CVE-2020-0674, CVE-2019-1429, CVE-2019-0676, and CVE-2018-8653) relied on vulnerabilities in the legacy JavaScript engine.
- The new exploit targets the latest version of the IE JavaScript engine (jscript9.dll), while the previous set of vulnerabilities exploited a slightly older version of it.
Past Attacks on Internet Explorer
In the first months of the year, several attacks leveraging vulnerabilities in IE were observed.
- In July this year, the Purple Fox Exploit Kit added two new exploits (CVE-2020-0674 and CVE-2019-1458) targeting critical- and high-severity Microsoft IE vulnerabilities.
- In March, an unnamed group of hackers used five zero-day vulnerabilities, including CVE-2020-0674 in IE, to target North Korea-focused professionals.
Microsoft has since patched both vulnerabilities. Threats like these make it all the more important for organizations to apply countermeasures such as reducing the exposed attack surface, leveraging behavior-based threat analysis, and implementing a rigorous patch management process.
To read more, please check eScan Blog