Kaspersky thwarted an attack on a South Korean company in May 2020 that used two zero-day vulnerabilities, one of which, targeting Internet Explorer, is considered the more dangerous of the two.
The security investigation published the details of this attack on Wednesday. The first zero-day (CVE-2020-1380), probably the more dangerous, allows attackers to execute code remotely through the Internet Explorer browser (via the JavaScript engine in Internet Explorer 11). The second zero-day (CVE-2020-0986) is a flaw in the Windows kernel which, at least in this attack, was used together with the Internet Explorer vulnerability to escalate privileges and gain access to the whole Windows operating system.
As for how Kaspersky stopped the two zero-days, Kaspersky security expert Boris Larin told SearchSecurity that, “Kaspersky products detected the initial attack, blocked it from execution and then raised an alert about the detected and blocked attack, including identifying the exploits.”
“String ‘PowerFall’ is not contained anywhere in artifacts of this operation, but we have come up with this name trying to emphasize how PowerShell is executed at the end of the exploit chain and pretends to download a benign software update,” Larin said.
No link between the actors behind PowerFall and other campaigns has been established. There is a suspicion that the attack could be connected to DarkHotel, an APT that Kaspersky discovered in 2014. That said, it is only a suspicion, and no definitive connection between PowerFall and DarkHotel has been made to date.
When Kaspersky researchers informed Microsoft of their findings, “the company said it already knew about the second vulnerability (in the system service) and had even made a patch for it. But until we informed them about the first vulnerability (in IE11), they considered its exploitation unlikely,” Kaspersky’s blog post on the campaign said.
Microsoft fixed the Internet Explorer zero-day on Tuesday of this month. The Windows kernel bug was fixed in June 2020.
“Even if you do not willingly use IE, and it is not your default browser, that does not mean your system cannot be infected through an IE exploit – some applications do use it from time to time,” the blog post read. “Take Microsoft Office, for example: It uses IE to display video content in documents. Cybercriminals can also call and exploit Internet Explorer through other vulnerabilities.”
Larin noted that the browser still has some popularity, especially in Asia. When asked about the potential attack surface of Internet Explorer, Larin called it “quite big” and explained that since Microsoft hasn’t developed it in approximately half a decade, “it’s fair to say that its security is five years behind other modern web browsers.” However, “the real issue of IE is that it supports and contains a large number of legacy features and code, and old code is prone to security vulnerabilities.”
There’s one more issue, Larin said: Internet Explorer is deeply built into the Windows OS. For example, he explained, Microsoft Office uses the browser to display web-based content. In addition, “IE is still used by enterprises that need legacy solutions such as VBScript.”
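As an added illustration of the chain Larin describes (a browser exploit that ends by launching PowerShell) and of the point that Office hosts IE to render embedded content, here is a small defender-side detection script that is not part of Kaspersky's report: it walks process ancestry over constructed process-creation events and flags PowerShell that descends from an IE-hosting process. The host list, the event format and the sample events are assumptions.

```python
# Added example, not from Kaspersky's report: flag PowerShell at the end of a
# browser-originated process chain by walking process ancestry.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image")

# Images that host Internet Explorer's engine: IE itself, plus Office apps that use
# IE to render embedded web content (assumption: illustrative list, not exhaustive).
IE_HOSTS = {"iexplore.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
PAYLOAD_SHELLS = {"powershell.exe", "pwsh.exe"}


def build_tree(events):
    """Index process-creation events by pid so ancestry can be walked via ppid."""
    return {e.pid: e for e in events}


def ancestry(tree, pid, max_depth=32):
    """Yield image names from pid up to the root, bounded to survive pid-reuse loops."""
    seen = set()
    while pid in tree and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        yield tree[pid].image.lower()
        pid = tree[pid].ppid


def find_browser_to_powershell(events):
    """Return (pid, chain) for each shell whose ancestors include an IE-hosting process."""
    tree = build_tree(events)
    hits = []
    for e in events:
        if e.image.lower() not in PAYLOAD_SHELLS:
            continue
        chain = list(ancestry(tree, e.pid))
        if any(img in IE_HOSTS for img in chain[1:]):  # skip the shell itself
            hits.append((e.pid, chain))
    return hits


# Constructed sample events (not real telemetry). Two suspicious chains
# (explorer -> IE -> IE renderer -> powershell; explorer -> Word -> powershell)
# and one benign PowerShell started directly from explorer.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "explorer.exe"),
    ProcEvent(100, 4, "iexplore.exe"),
    ProcEvent(101, 100, "iexplore.exe"),
    ProcEvent(250, 101, "powershell.exe"),
    ProcEvent(200, 4, "winword.exe"),
    ProcEvent(260, 200, "powershell.exe"),
    ProcEvent(300, 4, "powershell.exe"),
]

if __name__ == "__main__":
    for pid, chain in find_browser_to_powershell(SAMPLE_EVENTS):
        print(pid, " <- ".join(chain))
```

On real Sysmon or EDR data the same walk would be run over Event ID 1 records; parent pid alone is not enough, because the shell may sit several processes below the browser.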