Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks
Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 vulnerabilities, including a Windows zero-day that has been exploited in attacks alongside a Chrome zero-day.
The Windows zero-day patched this week is CVE-2019-1458, an elevation-of-privilege flaw caused by the Win32k component improperly handling objects in memory. It is a local bug: an attacker who can already run code on the system, for example inside a sandboxed browser process, can exploit it to execute arbitrary code in kernel mode, Microsoft said.
Microsoft has credited Kaspersky for reporting the vulnerability and confirmed that the weakness has been exploited against older versions of Windows.
According to Kaspersky, the zero-day has been exploited in a campaign called Operation WizardOpium. The security firm’s first public mention of this operation was on November 1, shortly after Google announced that it had patched a Chrome vulnerability exploited in attacks.
Kaspersky says the Chrome exploit also embeds an exploit for the vulnerability patched this week by Microsoft. The two are chained in the usual way: the Chrome bug yields code execution inside the restricted renderer process, and the Win32k bug is then used to escalate to kernel mode, escaping the Chrome sandbox and giving the attackers full control of the compromised system.
The company believes the exploit was developed by an individual known as “Volodya,” who has been selling exploits to both cybercrime and advanced persistent threat (APT) groups.
Kaspersky has determined that the privilege escalation exploit works against Windows 7 and some Windows 10 builds, but the latest Windows 10 builds are not impacted.
“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.
The file containing the exploit for CVE-2019-1458 was compiled on July 10.
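Because exposure depends on the Windows build and on whether the December 2019 cumulative update has been installed, a quick host triage is useful. The following PowerShell snippet is an added example, not code from the article, Microsoft or Kaspersky: it reports the OS build, the installed win32k.sys version, and any updates applied on or after the December 2019 Patch Tuesday (10 December 2019). It assumes you will compare the win32k.sys version against the figure given in the KB article for your build, which the script deliberately does not embed.

```powershell
# Added example: triage a Windows host for CVE-2019-1458 exposure.
# Assumption: the patched win32k.sys file version for a given build is taken
# from Microsoft's KB article for that cumulative update; none is hard-coded here.

$patchTuesday = [datetime]'2019-12-10'   # December 2019 Patch Tuesday

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$win32k = Get-Item -Path (Join-Path $env:SystemRoot 'System32\win32k.sys')

# Build and driver details; Windows 7 and the older Windows 10 builds are the
# ones Kaspersky saw the exploit succeed against.
[pscustomobject]@{
    Caption        = $os.Caption
    Version        = $os.Version
    BuildNumber    = $os.BuildNumber
    Win32kVersion  = $win32k.VersionInfo.FileVersion
    Win32kModified = $win32k.LastWriteTime
}

# Updates recorded by Win32_QuickFixEngineering on or after the December release.
# An empty list on a Windows 7 or early Windows 10 host means the fix is missing.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn

if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No updates installed since 2019-12-10; install the December 2019 cumulative update.'
}
```

Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so treat an empty result as a prompt to check Windows Update or your management tooling rather than as proof the host is unpatched; the win32k.sys version is the authoritative indicator.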
In November, Kaspersky noted that it had found some code similarities that suggested a possible connection to the North Korea-linked threat actor named Lazarus. However, the company’s researchers believed this could be a false flag meant to make attribution more difficult.
They had also found similarities to attacks launched by DarkHotel, which has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea. DarkHotel had previously used false flags similar to the ones spotted in Operation WizardOpium.
None of the vulnerabilities patched by Microsoft this month had been disclosed publicly before the update. Of the remaining flaws, seven have been classified as “critical.” They impact Git for Visual Studio, Windows, and Hyper-V, and they all allow remote code execution.