
CVE-2019-13720 flaw in Chrome exploited in Operation WizardOpium attacks

One of the two Chrome flaws addressed by Google, CVE-2019-13720, was exploited in a campaign that Kaspersky tracks as Operation WizardOpium and that shows weak, inconclusive links to Korea-linked threat actors.

This week Google released security updates to address two high severity vulnerabilities in the Chrome browser, one of which is a zero-day flaw actively exploited in attacks in the wild to hijack computers.

The vulnerabilities, tracked as CVE-2019-13720 and CVE-2019-13721, reside respectively in Chrome’s audio component and in the PDFium library.

“[$7500][1013868] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12
[$TBD][1019226] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29” reads the advisory published by Google. “Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild.”

The zero-day flaw in the audio component, CVE-2019-13720, was reported by Kaspersky researchers Anton Ivanov and Alexey Kulaev. The two researchers reported that the high-severity use-after-free bug was being exploited in the wild, but at the time they did not attribute the attacks to a specific threat actor.

Kaspersky has now provided further details about the attacks that exploited CVE-2019-13720, which its experts discovered and reported to Google on October 29.

According to Kaspersky, CVE-2019-13720 was exploited as part of a campaign the company tracks as Operation WizardOpium.

The researchers pointed out that the campaign shows very weak code similarities with past Lazarus operations, but the evidence they collected does not allow a definitive attribution.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.

The profile of at least one of the websites targeted in Operation WizardOpium is also consistent with earlier attacks by the DarkHotel group.

Kaspersky Lab first documented the Darkhotel espionage campaign in late 2014; according to the researchers, the APT group had by then been active for nearly a decade, targeting selected corporate executives traveling abroad.

The threat actors behind Darkhotel aimed to steal sensitive data from executives while they were staying in luxury hotels, and the worrying news is that the group is still active.

The attackers turned a Korean-language news portal into a watering hole: they planted malicious JavaScript on its main page, which in turn loads a profiling script from a remote site.

The profiling script inspects the visitor's browser and operating system to determine whether the Chrome zero-day can be triggered, so that the exploit is served only to systems the attackers consider vulnerable.

“The script then loads another script named .charlie.XXXXXXXX.js. This JavaScript checks if the victim’s system can be infected by performing a comparison with the browser’s user agent, which should run on a 64-bit version of Windows and not be a WOW64 process; it also tries to get the browser’s name and version.” continues the analysis. “The vulnerability tries to exploit the bug in Google Chrome browser and the script checks if the version is greater or equal to 65 (current Chrome version is 78):”
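The following is an added example, written for this article and not Kaspersky's or the attackers' code: it reimplements the victim-profiling gate described above (64-bit Windows, not a WOW64 process, Chrome major version 65 or later) as a pure function of the user-agent string, and then runs it over a handful of constructed web-server log lines so a defender can see which visitors such a script would have let through. The function names, the `MIN_CHROME_MAJOR` constant and the sample log lines are assumptions made for this illustration; the real script read `navigator.userAgent` in the victim's browser.

```javascript
// Added example, not code from the original page or from Kaspersky's analysis.
// Reimplements the profiling gate the write-up describes so it can be run
// offline against access logs. Names and sample data are constructed.

const MIN_CHROME_MAJOR = 65; // version threshold quoted in the analysis (assumption: inclusive)

// Pull out the user-agent attributes the gate cares about.
// - "Windows NT"   -> Windows host
// - "Win64"/"x64"  -> native 64-bit browser build
// - "WOW64"        -> 32-bit browser running under the 64-bit subsystem (rejected)
// - "Chrome/NN."   -> Chrome major version (null if not Chrome)
function profileUserAgent(ua) {
  const chrome = /\bChrome\/(\d+)\./.exec(ua);
  return {
    isWindows: /\bWindows NT\b/.test(ua),
    is64Bit: /\bWin64\b|\bx64\b/.test(ua),
    isWow64: /\bWOW64\b/.test(ua),
    chromeMajor: chrome ? Number(chrome[1]) : null,
  };
}

// True only for the population the analysis says the exploit was served to.
function passesProfilingGate(ua) {
  const p = profileUserAgent(ua);
  return (
    p.isWindows &&
    p.is64Bit &&
    !p.isWow64 &&
    p.chromeMajor !== null &&
    p.chromeMajor >= MIN_CHROME_MAJOR
  );
}

// Constructed sample access-log lines in combined log format (not real traffic).
// Only the first visitor matches the gate: the second is a 32-bit Chrome under
// WOW64, the third is Chrome 60, the fourth is macOS, the fifth is Firefox.
const SAMPLE_LOG = [
  '10.0.0.1 - - [01/Nov/2019:09:00:00 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36"',
  '10.0.0.2 - - [01/Nov/2019:09:00:05 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36"',
  '10.0.0.3 - - [01/Nov/2019:09:00:09 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"',
  '10.0.0.4 - - [01/Nov/2019:09:00:12 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36"',
  '10.0.0.5 - - [01/Nov/2019:09:00:15 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"',
];

// Triage helper: given access-log lines for the compromised page, return the
// visitors whose browser would have passed the gate and therefore may have
// received the exploit. The user agent is the last quoted field of each line.
function exposedVisitors(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /^(\S+) .* "([^"]*)"$/.exec(line);
    if (!m) continue; // skip malformed lines rather than guess
    const [, ip, ua] = m;
    if (passesProfilingGate(ua)) {
      hits.push({ ip, chromeMajor: profileUserAgent(ua).chromeMajor });
    }
  }
  return hits;
}

// Stand-alone run: prints the one exposed visitor from the sample log.
console.log(exposedVisitors(SAMPLE_LOG));
```

The point of keeping the gate as a pure function of the user-agent string is that the same logic can be pointed at historical logs of a compromised site to narrow incident-response scope to the hosts that could actually have been served the exploit, rather than every visitor.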

Once the exploit is triggered successfully, the attackers deliver an encrypted payload disguised as a .jpg file; it is decrypted on the victim's machine, and an executable is dropped and run.

Kaspersky revealed only that the final payload achieves persistence through the Windows Task Scheduler, that it has a modular structure, and that its main module is able to download additional modules from the command-and-control (C2) server.

The analysis published by Kaspersky includes additional details about the attack, including the Indicators of Compromise (IoCs).

Earlier this year Google addressed another Chrome zero-day, tracked as CVE-2019-5786, that was also being actively exploited in the wild.


Pierluigi Paganini

(SecurityAffairs – CVE-2019-13720, Lazarus)
