Microsoft’s December 2019 Patch Tuesday updates address a total of 36 flaws, including a Windows zero-day, tracked as CVE-2019-1458 exploited in attacks linked to North Korea. The vulnerability could be exploited to execute arbitrary code in kernel mode.
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”
The CVE-2019-1458 vulnerability is a privilege escalation issue related to how the Win32k component handles objects in memory.
Microsoft addresses this vulnerability by correcting how Win32k handles objects in memory.
The vulnerability was reported by Kaspersky, experts at the security firm confirmed that the CVE-2019-1458 flaw has been exploited in a campaign called Operation WizardOpium.
“In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day
The exploit was developed by an individual known as “Volodya,” who
The vulnerability has been exploited alongside the CVE-2019-13720 Chrome
The researchers pointed out that the campaign has very weak code similarities with past Lazarus‘s operations, but the evidence they collected doesn’t allow a certain attribution.
“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.
At least one of the websites targeted in Operation WizardOpium is in line with earlier attacks of the DarkHotel operation.
Kaspersky experts discovered that the Chrome exploit also embeds an exploit for the CVE-2019-1458 vulnerability that was used by attackers to escalate privileges on the compromised system and escape the Chrome process sandbox.
The privilege escalation
“The vulnerability itself is related to windows switching functionality (for example, the one triggered using the
The experts noticed that the compilation timestamp for the file containing the exploit for CVE-2019-1458 was “Wed Jul 10 00:50:48 2019” that is different from the other binaries, a circumstance that indicates it has been in use for some time.
(SecurityAffairs – hacking, North Korea)