Kaspersky finds zero-day exploits in Windows OS and Internet Explorer used in targeted attack

In late spring 2020, Kaspersky's automated detection technologies prevented a targeted attack on a South Korean company. Closer analysis revealed that the attack used a previously unknown full exploit chain consisting of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege (EoP) exploit for Windows. The latter targeted the latest builds of Windows 10.
 
A zero-day vulnerability is a previously unknown software bug. Until the vendor learns of it and ships a fix, an attacker who has discovered it can exploit it discreetly, causing serious and unexpected damage.
While investigating the attack described above, Kaspersky researchers found two zero-day vulnerabilities.
The first, in Internet Explorer, is a use-after-free: a memory-safety bug class that can give an attacker full remote code execution in the browser process. This vulnerability was assigned CVE-2020-1380.
However, because Internet Explorer renders content in a sandboxed, low-privilege process, the attackers needed more privileges on the infected machine to do anything useful. That is why they needed the second exploit, for a vulnerability in the Windows printer service. It let the attackers escape the sandbox and execute arbitrary code on the victim's machine with elevated privileges. This elevation of privilege (EoP) vulnerability was assigned CVE-2020-0986.
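The use-after-free pattern behind the first exploit, as an added example that is not Kaspersky's code and not the CVE-2020-1380 exploit itself (this page gives no details of the Internet Explorer bug): a hypothetical object carrying a function pointer is freed while a second reference survives, an attacker-controlled allocation of the same size reuses the freed slot, and the stale reference then dispatches through attacker bytes. The toy slab allocator, the `struct object` layout, the 0x41 payload and the `cached` alias are all constructed for this demonstration; the hardened variant shows the minimal fix of invalidating the alias at free time.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical object with a function pointer at offset 0, in the role a
 * DOM node's vtable pointer plays in a browser. */
typedef void (*handler_t)(void);
struct object {
    handler_t handler;
    char name[24];
};

/* Toy slab allocator: fixed-size slots, LIFO free list. Real allocators
 * (the Windows heap, a browser's renderer heap) likewise hand a freed chunk
 * back to the next same-size request; this model only makes that reuse
 * deterministic. Written for this example, not any allocator's real code. */
#define NSLOTS 8
static struct object pool[NSLOTS];
static int free_list[NSLOTS];
static int n_free;

static void slab_init(void) {
    n_free = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_list[n_free++] = i;            /* slot 0 is handed out first */
}
static struct object *slab_alloc(void) {
    return n_free ? &pool[free_list[--n_free]] : NULL;
}
static void slab_free(struct object *p) {
    free_list[n_free++] = (int)(p - pool);  /* most recently freed slot is reused first */
}

static int benign_calls;
static void benign_handler(void) { benign_calls++; }

/* Constructed attacker payload: the byte a heap spray would fill the freed slot with. */
#define PAYLOAD_BYTE 0x41

/* Pointer-sized value whose every byte is b: what the stale read will observe. */
uintptr_t pointer_filled_with(unsigned char b) {
    uintptr_t v;
    memset(&v, b, sizeof v);
    return v;
}

/* Vulnerable: a second reference survives the free and is dereferenced later. */
uintptr_t vulnerable_dispatch(void) {
    slab_init();
    struct object *node = slab_alloc();
    node->handler = benign_handler;
    strcpy(node->name, "node");

    struct object *cached = node;   /* e.g. a reference still held by an event listener */
    slab_free(node);                /* node released; `cached` now dangles */

    /* Attacker-controlled allocation of the same size lands in the freed slot. */
    struct object *spray = slab_alloc();
    memset(spray, PAYLOAD_BYTE, sizeof *spray);

    /* Use after free: the "vtable pointer" is now attacker bytes. Returning it
     * instead of calling it keeps the demo safe; an exploit would call it. */
    return (uintptr_t)cached->handler;
}

/* Hardened: the owner clears the alias when it frees the object, and the
 * dispatcher refuses a cleared reference. Reference counting is the usual
 * production fix; nulling is the minimal one shown here. */
uintptr_t hardened_dispatch(void) {
    slab_init();
    struct object *node = slab_alloc();
    node->handler = benign_handler;
    strcpy(node->name, "node");

    struct object *cached = node;
    slab_free(node);
    cached = NULL;                  /* invalidate the alias together with the free */

    struct object *spray = slab_alloc();
    memset(spray, PAYLOAD_BYTE, sizeof *spray);

    if (cached == NULL)
        return 0;                   /* no dangling use: attacker bytes never reach the dispatch */
    return (uintptr_t)cached->handler;
}

int main(void) {
    printf("vulnerable: stale handler = 0x%llx\n", (unsigned long long)vulnerable_dispatch());
    printf("hardened:   stale handler = 0x%llx\n", (unsigned long long)hardened_dispatch());
    return 0;
}
```

Build with `cc -std=c11 uaf_demo.c`. On a 64-bit build the vulnerable path returns 0x4141414141414141, the sprayed bytes read back through the dangling `cached` pointer, while the hardened path returns 0 because the alias was cleared at the same point the object was released. The same sequence (free, same-size reallocation under attacker control, stale dereference) is what turns a use-after-free into control of a code pointer in a real browser.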
"When in-the-wild attacks with zero-day vulnerabilities happen, it is always big news for the cybersecurity community. Successful detection of such a vulnerability immediately pressures vendors to issue a patch and forces users to install all necessary updates. What is particularly interesting in the discovered attack is that the previous exploits we found were mainly about elevation of privileges. However, this case includes an exploit with remote code execution capabilities, which is more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the discovered attack is truly a rare thing nowadays. It reminds us once again to invest in prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats," comments Boris Larin, security expert at Kaspersky.
Kaspersky experts have medium confidence that the attack can be attributed to DarkHotel, based on weak similarities between the new exploit and previously discovered exploits attributed to this threat actor. Detailed Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on the Kaspersky Threat Intelligence Portal.
Kaspersky products detect these exploits with the following verdict: PDM:Exploit.Win32.Generic.
A patch for the elevation of privilege vulnerability CVE-2020-0986 was released on June 9th, 2020.
A patch for the remote code execution vulnerability CVE-2020-1380 was released on August 11th, 2020.
To stay safe from the threat, Kaspersky recommends taking the following security measures:
Install Microsoft's patches for the new vulnerabilities as soon as possible. Once both patches are installed (downloading alone changes nothing), threat actors can no longer abuse this exploit chain.
Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
For endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
For further details on the new exploits, see the full report on Securelist.
To take a closer look at the technologies that detected this and other zero-days in Microsoft Windows, a recorded Kaspersky webinar is available to view on demand.
 
