sb-au logo
Story image

Kaspersky finds zero-day exploits in Windows OS and Internet Explorer used in targeted attack

Cybersecurity firm Kaspersky has found zero-day exploits in Windows OS and Internet Explorer used in a targeted attack.

In late spring 2020, Kasperskys automated detection technologies prevented a targeted attack on a South Korean company. Closer analysis revealed that this attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privileges exploit for Windows. The latter was targeting the latest versions of Windows 10.

A zero-day vulnerability is a type of previously unknown software bug. Once discovered, they make it possible to conduct malicious activities discreetly, causing serious and unexpected damage.

While investigating the attack, Kaspersky says its researchers were able to find two zero-day vulnerabilities. The first exploit for Internet Explorer is a Use-After-Free a type of vulnerability that can enable full remote code execution capabilities. This exploit was assigned as CVE-2020-1380.

"However, since Internet Explorer works in an isolated environment, attackers needed more privileges on the infected machine," Kaspersky says.

 That is the reason they needed the second exploit, found in Windows and using a vulnerability in the printer service. It allowed the attackers to execute arbitrary code on the victims machine."

This elevation of privileges (EoP) exploit was assigned as CVE-2020-0986.

 "When in the wild attacks with zero-day vulnerabilities happen, it is always big news for the cybersecurity community. Successful detection of such a vulnerability immediately pressures vendors to issue a patch and forces users to install all necessary updates," says Boris Larin, security expert at Kaspersky. 

"What is particularly interesting in the discovered attack is that the previous exploits we found were mainly about elevation of privileges. 

"However, this case includes an exploit with remote code execution capabilities which is more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the discovered attack is truly a rare thing nowadays," he says.

"It reminds us once again to invest into prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats." 

Larin says Kaspersky experts have a low level of confidence that the attack can be attributed to DarkHotel based on weak similarities between the new exploit and previously discovered exploits that are attributed to this threat actor.

A patch for elevation of privilege vulnerability CVE-2020-0986 was released on June 9th, 2020. A patch for remote code execution vulnerability CVE-2020-1380 was released on August 11th, 2020.

Story image
Cybermerc launches AU cyber threat intelligence platform, AUSHIELD
So far Australian National University, Fortinet, Anomali, Elastic, Vault Cloud, and startups SecureStack and Countersight have joined the project.More
Story image
Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
In Techday's second IT Jam with Vectra AI, we speak again with its head of security engineering Chris Fisher, who discusses the organisational impact of security breaches within Microsoft O365, why these attacks are on the rise, and what steps organisations should take to protect employees from attacks.More
Story image
Cyber-attackers target COVID-19 vaccine supply chain in sweeping phishing campaign
IBM’s Security X-Force, a task force created in the early days of the pandemic with an aim to combat cyber-attacks related to potential vaccines’ supply chains, released details on a coordinated effort to disrupt the COVID-19 ‘cold chain’.More
Story image
Vectra sets A/NZ channel in sights with new leadership hire
The new international sales VP will be charged with strengthening its MSP programme and growing its channel partner network in the region.More
Story image
CyberArk launches Forescout and Phosphorus integration to aid with IoT security
“Through our integration with Forescout and Phosphorus, CyberArk dramatically improves security and compliance, and alleviates the burden on IT and security teams."More
Story image
Kaspersky ICS CERT joins FIRST global threat intelligence forum
FIRST was founded in 1990, and its members come from 95 countries across Oceania, Asia, Europe, the Americas, and Africa.More