Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 vulnerabilities, including a Windows zero-day that has been exploited in attacks alongside a Chrome zero-day.

The Windows zero-day patched this week is CVE-2019-1458, an elevation of privilege flaw caused by the Win32k component failing to properly handle objects in memory. An attacker who already has code execution on the machine can exploit the bug to run arbitrary code in kernel mode, Microsoft said, which is enough to install programs, tamper with data, or create accounts with full user rights.

Microsoft has credited Kaspersky for reporting the vulnerability and confirmed that the weakness has been exploited against older versions of Windows.

According to Kaspersky, the zero-day has been exploited in a campaign it calls Operation WizardOpium. The security firm's first public mention of this operation was on November 1, shortly after Google announced that it had patched a Chrome vulnerability (CVE-2019-13720) that was being exploited in attacks.

Kaspersky says the Chrome exploit also embeds an exploit for the vulnerability patched this week by Microsoft. The Chrome bug on its own only gives the attackers code execution inside the sandboxed Chrome process; chaining it with the Win32k flaw lets them escalate privileges on the compromised system and escape the Chrome sandbox.

The company believes the exploit was developed by an individual known as “Volodya,” who has been selling exploits to both cybercrime and advanced persistent threat (APT) groups.

Kaspersky has determined that the privilege escalation exploit works against Windows 7 and some Windows 10 builds, but the latest Windows 10 builds are not impacted.
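As an added check (not from the article, Kaspersky or Microsoft), the PowerShell below gives an operator a quick picture of where a host stands: the OS build, the win32k.sys file version, and any updates installed on or after the December 10, 2019 Patch Tuesday. It deliberately hardcodes no KB numbers, because the fix ships in a different cumulative update or monthly rollup for each supported build; the reported HotFixIDs should be compared against the Microsoft advisory for CVE-2019-1458 for that build. The function name, the PatchTuesday parameter and the "LikelyPatched" heuristic (any update dated on or after that Tuesday) are this example's own assumptions.

```powershell
# Added example, not code from the article or from Kaspersky/Microsoft.
# Reports coarse patch status for CVE-2019-1458 (Win32k EoP, fixed December 2019).
# Uses Get-WmiObject and New-Object so it also runs on Windows 7 with PowerShell 2.0.
function Get-Win32kPatchStatus {
    param(
        # Release date of the December 2019 Patch Tuesday updates that fixed CVE-2019-1458.
        # Assumption of this example: any update installed on or after this date is a
        # cumulative update or rollup that carries the fix. Verify against the advisory.
        [datetime]$PatchTuesday = [datetime]'2019-12-10'
    )

    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $win32k = Get-Item -Path (Join-Path $env:SystemRoot 'System32\win32k.sys')

    # Get-HotFix leaves InstalledOn empty for some entries; skip those rather than
    # letting a null date compare as "older than the patch".
    $recent = @(Get-HotFix | Where-Object {
        $_.InstalledOn -and ($_.InstalledOn -ge $PatchTuesday)
    })

    New-Object PSObject -Property @{
        ComputerName             = $env:COMPUTERNAME
        OSCaption                = $os.Caption
        OSBuild                  = $os.BuildNumber
        Win32kFileVersion        = $win32k.VersionInfo.FileVersion
        Win32kLastWrite          = $win32k.LastWriteTime
        UpdatesSincePatchTuesday = @($recent | ForEach-Object { $_.HotFixID })
        # Heuristic only: a later update is present. Confirm the build-specific KB
        # from the Microsoft advisory before treating the host as fixed.
        LikelyPatched            = ($recent.Count -gt 0)
    }
}

Get-Win32kPatchStatus | Format-List
```

Run it in an elevated PowerShell session on each Windows 7 or Windows 10 host of interest; a LikelyPatched of False, or an empty UpdatesSincePatchTuesday list, marks a host that still needs the December 2019 update. The win32k.sys version is included so results from a fleet can be grouped by build and compared against the file version listed for the relevant KB.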

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The file containing the exploit for CVE-2019-1458 was compiled on July 10.

In November, Kaspersky noted that it had found some code similarities that suggested a possible connection to the North Korea-linked threat actor named Lazarus. However, the company’s researchers believed this could be a false flag meant to make attribution more difficult.

They had also found similarities to attacks launched by DarkHotel, which has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea. DarkHotel had previously used false flags similar to the ones spotted in Operation WizardOpium.

None of the vulnerabilities patched by Microsoft this month have been disclosed publicly. Of the remaining flaws, seven have been classified as “critical.” They impact Git for Visual Studio, Windows, and Hyper-V, and they all allow remote code execution.

Related: Buhtrap Group Used Windows Zero-Day in Government Attack

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
