Hacking

Microsoft fixes CVE-2019-1458 Windows Zero-Day exploited in NK-Linked attacks

Microsoft’s December 2019 Patch Tuesday updates fix a total of 36 flaws, including CVE-2019-1458 Windows zero-day exploited in North Korea-linked attacks

Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.

Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.

The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.

“In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks.” reads the analysis published by Kaspersky. “The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’.”

The exploit was developed by an individual known as “Volodya,” who has been offering for sale exploit in the cybercrime underground. 

The vulnerability has been exploited alongside the CVE-2019-13720 Chrome zero-day as part of a campaign tracked as Operation WizardOpium at the end of October.

The researchers pointed out that the campaign has very weak code similarities with past Lazarus‘s operations, but the evidence they collected doesn’t allow a certain attribution.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.

At least one of the websites targeted in Operation WizardOpium is in line with earlier attacks of the DarkHotel operation.

Kaspersky experts discovered that the Chrome exploit also embeds an exploit for the CVE-2019-1458 vulnerability that was used by attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.

The privilege escalation exploit works against Windows 7 and some Windows 10 builds, according to the experts it doesn’t affect the latest Windows 10 builds.

“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation,” Kaspersky explained.

The experts noticed that the compilation timestamp for the file containing the exploit for CVE-2019-1458 was “Wed Jul 10 00:50:48 2019” that is different from the other binaries, a circumstance that indicates it has been in use for some time.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

5 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

16 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

21 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.