Hackers used flaws in Chrome and Windows to install malware

News by Rene Millman

Operation WizardOpium attack uses vulnerabilities to insert malicious JavaScript into Korean news portal - patch made available yesterday.

Security researchers have discovered a second zero-day vulnerability that was used in attacks on a Korean news website.

Last month, Kaspersky researchers found a zero-day exploit in Google Chrome and dubbed the campaign Operation WizardOpium. That exploit allowed attackers to execute arbitrary code on a victim’s machine. In a new blog post, the researchers said that further analysis uncovered another vulnerability, this time in the Windows OS.

This newly discovered Windows zero-day elevation of privileges (EoP) exploit (CVE-2019-1458) was embedded into a previously discovered Google Chrome exploit. Researchers said that this was used to gain higher privileges in the infected machine as well as to escape the Chrome process sandbox – a component built to protect the browser and the victim’s computer from malicious attacks.

Researchers said the exploit comprises two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the browser’s renderer process through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions, because the PE exploit cannot simply start a new process using native WinAPI functions.

Analysis revealed that the vulnerability belongs to the win32k.sys driver. The vulnerability could be abused on the latest patched versions of Windows 7 and even on a few builds of Windows 10 (new versions of Windows 10 have not been affected).

The vulnerability itself is related to window switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation, according to researchers.

"This type of attack requires vast resources; however, it gives significant advantages to the attackers and as we can see, they are happy to exploit it. The number of zero-days in the wild continues to grow and this trend is unlikely to go away. Organisations need to rely on the latest threat intelligence available at hand and have protective technologies that can proactively find unknown threats such as zero-day exploits," said Anton Ivanov, security expert at Kaspersky.

The vulnerability was reported to Microsoft and patched yesterday. 

Patrice Puichaud, senior director of the SEs, EMEA and APAC at SentinelOne, told SC Media UK that organisations should start ensuring they have a comprehensive approach to network security. 

"Your defensive strategy needs to be proactively searching out weak points and blind spots. That means making sure all endpoints have protection, that admins have the ability to see into all network traffic, including encrypted traffic, and knowing exactly what is connected to your network, including Linux-powered IoT machines," he said.

Matt Aldridge, principal solutions architect at Webroot, told SC Media UK that due to the advanced nature of these types of attack, there can never be total certainty of protection.

"These zero-day exploits are worth many thousands of pounds to those who create them, and the nation state or organised crime organisations that purchase them, generally preserve them for use in specialist or targeted attacks," he said.

"So, a mass attack against businesses is less likely. However, in addition to all of the mitigations mentioned here, a solid backup and disaster recovery strategy is obviously a must, plus a solid detection and response capability at the endpoint and network level. This will ensure that successful breaches can be detected and contained, along with a regularly tested incident response process."
