Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 vulnerabilities, including a Windows zero-day that has been exploited in attacks alongside a Chrome zero-day.

The Windows zero-day patched this week is CVE-2019-1458, a privilege escalation flaw related to how the Win32k component handles objects in memory. An attacker can exploit the security hole to execute arbitrary code in kernel mode, Microsoft said.

Microsoft has credited Kaspersky for reporting the vulnerability and confirmed that the weakness has been exploited against older versions of Windows.

According to Kaspersky, the zero-day has been exploited in a campaign called Operation WizardOpium. The security firm’s first public mention of this operation was on November 1, shortly after Google announced that it had patched a Chrome vulnerability exploited in attacks.

Kaspersky says the Chrome exploit also embeds an exploit for the vulnerability patched this week by Microsoft. This allows the attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.

The company believes the exploit was developed by an individual known as “Volodya,” who has been selling exploits to both cybercrime and advanced persistent threat (APT) groups.

Kaspersky has determined that the privilege escalation exploit works against Windows 7 and some Windows 10 builds, but the latest Windows 10 builds are not impacted.

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The file containing the exploit for CVE-2019-1458 was compiled on July 10.

In November, Kaspersky noted that it had found some code similarities that suggested a possible connection to the North Korea-linked threat actor named Lazarus. However, the company’s researchers believed this could be a false flag meant to make attribution more difficult.

They had also found similarities to attacks launched by DarkHotel, which has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea. DarkHotel had previously used false flags similar to the ones spotted in Operation WizardOpium.

None of the vulnerabilities patched by Microsoft this month have been disclosed publicly. Of the remaining flaws, seven have been classified as “critical.” They impact Git for Visual Studio, Windows, and Hyper-V, and they all allow remote code execution.

Related: Buhtrap Group Used Windows Zero-Day in Government Attack

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.