Windows, Chrome Zero-Days Chained in Operation WizardOpium Attacks

Zero-day vulnerabilities in Google Chrome and Microsoft Windows were used to download and install malware onto Windows computers that visited a Korean-language news portal.

A zero-day vulnerability is one that is known, but not patched by the developers in charge of patching the vulnerability. These zero-day vulnerabilities are particularly dangerous as they can be used by state-sponsored attackers to perform malicious activity on vulnerable devices.

Last month, Kaspersky revealed that they discovered a zero-day Google Chrome vulnerability that was actively being used in online attacks called Operation WizardOpium.

The attackers had hacked a Korean-language news site and injected a JavaScript tag into the site that would execute malicious scripts in the visitor's browser.

These loaded scripts would exploit a zero-day in Google Chrome that allowed attackers to download and install malware on compromised Windows systems. The downloaded malware would then download further payloads onto the affected machine from the attacker's command and control server.

After disclosing the vulnerability to Google, it was assigned CVE-2019-13720 and fixed in Chrome 78.0.3904.87.

While Kaspersky was not able to attribute the attacks to any particular threat actor, they state that there are "very weak code similarities" between this attack and Lazarus attacks.

"We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks."

Microsoft fixes Windows zero-day also used in Operation WizardOpium

Fast forward to today when Microsoft released their December 2019 Patch Tuesday security updates, we discover that the Operation WizardOpium attack chained together the Chrome zero-day as well as a Windows zero-day privilege elevation vulnerability to install the malware.

"During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox," Kaspersky explains in a new blog post.

The Windows zero-day is tracked as CVE-2019-1458 and it was used to gain elevated privileges on Windows machines and escape the Chrome sandbox to install the malware payload.

Both of these vulnerabilities have now been patched and this exploit chain is broken.

Kaspersky detects the Chrome vulnerability as Exploit.Win32.Generic and the Microsoft one as  PDM:Exploit.Win32.Generic.