SecurityWeek

Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 vulnerabilities, including a Windows zero-day that has been exploited in attacks alongside a Chrome zero-day.

The Windows zero-day patched this week is CVE-2019-1458, a privilege escalation flaw related to how the Win32k component handles objects in memory. An attacker can exploit the security hole to execute arbitrary code in kernel mode, Microsoft said.

Microsoft has credited Kaspersky for reporting the vulnerability and confirmed that the weakness has been exploited against older versions of Windows.

According to Kaspersky, the zero-day has been exploited in a campaign called Operation WizardOpium. The security firm’s first public mention of this operation was on November 1, shortly after Google announced that it had patched a Chrome vulnerability exploited in attacks.

Kaspersky says the Chrome exploit also embeds an exploit for the vulnerability patched this week by Microsoft. This allows the attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.

The company believes the exploit was developed by an individual known as “Volodya,” who has been selling exploits to both cybercrime and advanced persistent threat (APT) groups.

Kaspersky has determined that the privilege escalation exploit works against Windows 7 and some Windows 10 builds, but the latest Windows 10 builds are not impacted.

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The file containing the exploit for CVE-2019-1458 was compiled on July 10.

In November, Kaspersky noted that it had found some code similarities that suggested a possible connection to the North Korea-linked threat actor named Lazarus. However, the company’s researchers believed this could be a false flag meant to make attribution more difficult.

They had also found similarities to attacks launched by DarkHotel, which has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea. DarkHotel had previously used false flags similar to the ones spotted in Operation WizardOpium.

None of the vulnerabilities patched by Microsoft this month have been disclosed publicly. Of the remaining flaws, seven have been classified as “critical.” They impact Git for Visual Studio, Windows, and Hyper-V, and they all allow remote code execution.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
