In May 2020, Kaspersky’s automated detection technologies prevented a targeted attack on a South Korean company. Closer analysis revealed that this attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privileges (EoP) exploit for Windows. The latter was targeting the latest versions of Windows 10.
A zero-day vulnerability is a type of previously unknown software bug. Once discovered, they make it possible to conduct malicious activities discreetly, causing serious and unexpected damage.
While investigating the above-mentioned attack, Kaspersky researchers were able to find two zero-day vulnerabilities. The first exploit for Internet Explorer is a Use-After-Free – a type of vulnerability that can enable full remote code execution capabilities. This exploit was assigned as CVE-2020-1380.
However, since Internet Explorer works in an isolated environment, attackers needed more privileges on the infected machine. That is the reason they needed the second exploit, found in Windows and using a vulnerability in the printer service. It allowed the attackers to execute arbitrary code on the victim’s machine. This elevation of privileges (EoP) exploit was assigned as CVE-2020-0986.
“When in the wild attacks with zero-day vulnerabilities happen, it is always big news for the cybersecurity community. Successful detection of such a vulnerability immediately pressures vendors to issue a patch and forces users to install all necessary updates. What is particularly interesting in the discovered attack is that the previous exploits we found were mainly about elevation of privileges. However, this case includes an exploit with remote code execution capabilities which is more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the discovered attack is truly a rare thing nowadays. It reminds us once again to invest into prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats,” comments Boris Larin, security expert at Kaspersky.
Kaspersky experts have a medium level of confidence that the attack can be attributed to DarkHotel based on weak similarities between the new exploit and previously discovered exploits that are attributed to this threat actor.
Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on Kaspersky Threat Intelligence Portal.
Kaspersky products detect these exploits with next verdict PDM:Exploit.Win32.Generic. A patch for elevation of privilege vulnerability CVE-2020-0986 was released on June 9, 2020 while a patch for remote code execution vulnerability CVE-2020-1380 was released on August 11, 2020.
To stay safe from the threat, Kaspersky recommends taking the following security measures:
- Install Microsoft’s patches for the new vulnerabilities as soon as possible. Once both patches are downloaded, threat actors can no longer abuse the vulnerability.
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20-years.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.