Hackers combine two unpatched Microsoft zero-days in attack on South Korean firm

The Windows 10 and Internet Explorer 11 flaws were exploited by those behind the DarkHotel spearphishing campaign

Hackers combined two zero-day vulnerabilities in Windows 10 and Internet Explorer to target a South Korean company in a never-before-seen chained attack earlier in the year.

Cyber criminals exploited a remote code execution (RCE) flaw in Internet Explorer 11 together with an elevation of privilege flaw in an up-to-date version of Windows 10 in May, according to researchers with Kaspersky.

The attack was branded Operation PowerFall, and the two flaws it comprised were assigned CVE-2020-0986 for the Windows 10 elevation of privilege flaw and CVE-2020-1380 for the Internet Explorer remote code execution vulnerability.

The latter flaw exists in the Internet Explorer scripting engine jscript9.dll, and relates to how this engine handles objects in memory. The vulnerability could allow an attacker to compromise a system when a user navigates to a malicious site or opens malicious files.

Hackers combined this flaw with the Windows 10 privilege escalation vulnerability to target an unnamed South Korean company with malware, as detailed in a technical analysis published by the cyber security company. The firm managed to stop the attack just before hackers applied the final payload, however.

The Windows 10 flaw was initially reported to Microsoft in December 2019 through Trend Micro’s Zero Day Initiative (ZDI), although no action was taken. The vulnerability was subsequently made public on 19 May, six months following disclosure, and the flaw was exploited the next day in the chained attack, according to Kaspersky.

After Kaspersky researchers reported this attack to Microsoft on 8 June, the company revealed that it had already prepared a patch for CVE-2020-0986, although it didn’t deem exploitation highly likely. Microsoft released its patch on 9 June, a month after the attack on the South Korean firm, while the patch for the Internet Explorer flaw was only released earlier this week on 11 August.

Researchers were unable to establish a definitive link with any known cyber gangs, although they suggested that the hackers behind the DarkHotel spearphishing campaign may be responsible for this attack, due to similarities with previously discovered exploits.

This group is also rumoured to be behind recently attempted hacks against the World Health Organisation (WHO), with the organisation fending off a cyber attack in March this year.

Active since at least 2007, according to Kaspersky’s SecureList, the group is known to have a high success rate in its phishing campaigns. The group also targeted hotel Wi-Fi networks in 2014 to steal information from visitors and delete confidential information.
