Zero-day vulnerabilities (previously unknown software bugs) were revealed by Kaspersky after the company prevented a targeted attack on a South Korean company at the end of the first half of 2020.
The flaws include a remote code execution vulnerability in Internet Explorer 11 and an elevation of privilege (EoP) vulnerability that affects the latest versions of Windows 10.
Once exploited, these security holes allow malicious activity to be carried out discreetly and are capable of causing major damage to systems.
The first of these, a use-after-free bug, was identified as CVE-2020-1380. To be exploited to its full potential, however, the attackers needed higher privileges after infecting the machine.
For this reason, they also had to exploit the second flaw (CVE-2020-0986), which grants these elevated permissions by taking advantage of a weakness in the Windows printing service.
Because of similarities with an attack previously carried out by the DarkHotel group, Kaspersky experts suspect that the incident at the end of the first half of the year may have been the work of the same cybercriminals.
About the problems, Boris Larin, Kaspersky security expert, comments:
When attacks occur through ‘zero-day’ vulnerabilities, this is always important news for the cybersecurity community. Successful detection of these vulnerabilities puts pressure on manufacturers to immediately issue a patch for the software and also reinforces the need for users to update it.
The previous exploits that we found mainly involve elevating privileges, whereas one of these exploits remote code execution, which is more dangerous.
Combined with the ability to affect the latest versions of Windows 10, the attack discovered is really rare today. It reminds us once again to invest in threat intelligence and quality protection technologies to be able to proactively detect the latest unknown threats.
The good news is that a fix for the elevation of privilege vulnerability was released on June 9. For the second, the Internet Explorer 11 flaw, the fix arrived only a few hours ago, released on August 11. Kaspersky recommends the following security measures to protect yourself from the threat:
Install the Microsoft patches for the new vulnerabilities as soon as possible. Once both patches have been applied, the vulnerabilities can no longer be exploited.
Give the SOC team access to the latest threat intelligence reports. The Kaspersky Threat Intelligence Portal is a single point of access to the company's threat intelligence service, providing data and insights on cyber attacks collected by Kaspersky over more than 20 years.
For the detection, investigation and rapid neutralization of incidents at the endpoint level, implement EDR solutions such as Kaspersky Endpoint Detection and Response and Kaspersky EDR Optimum.
In addition to essential endpoint protection, implement an enterprise-grade security solution capable of detecting advanced network-level threats early, such as the Kaspersky Anti Targeted Attack Platform.
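The first recommendation above is only useful if you can confirm the fixes are actually on each host. The script below is an added example, not code from the article or from Kaspersky or Microsoft, for checking that from PowerShell on a Windows 10 machine. The article names only the CVEs and the release dates (June 9 and August 11), not the Microsoft KB numbers, so the KB identifiers here are placeholders that you must look up in the Microsoft Security Update Guide for your Windows build before running it.

```powershell
# Added example: verify that the two patches discussed above are installed.
# KB identifiers are PLACEHOLDERS (the article does not give them); replace
# them with the KB numbers Microsoft lists for CVE-2020-0986 and CVE-2020-1380
# for this host's Windows 10 build.
$RequiredUpdates = @(
    @{ Cve = 'CVE-2020-0986'; Note = 'Windows print service EoP, fixed June 9 2020';   KB = 'KB<placeholder-1>' }
    @{ Cve = 'CVE-2020-1380'; Note = 'IE11 use-after-free RCE, fixed August 11 2020'; KB = 'KB<placeholder-2>' }
)

# Get-HotFix wraps Win32_QuickFixEngineering and lists installed update IDs.
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID

$results = foreach ($u in $RequiredUpdates) {
    [pscustomobject]@{
        CVE       = $u.Cve
        Fix       = $u.Note
        KB        = $u.KB
        Installed = ($installedKBs -contains $u.KB)
    }
}
$results | Format-Table -AutoSize

# OS build and update build revision (UBR): on Windows 10 a later cumulative
# update supersedes earlier ones, so compare this against the build listed in
# the advisory when the specific KB ID is not present in Get-HotFix output.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Output ("Windows build: {0}.{1}" -f $cv.CurrentBuild, $cv.UBR)

# Record the IE11 binary version as a second data point for the RCE fix.
$ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (Test-Path $ie) {
    Write-Output ("iexplore.exe version: {0}" -f (Get-Item $ie).VersionInfo.ProductVersion)
}

# Non-zero exit so the check can gate a compliance job or a scheduled task.
if ($results | Where-Object { -not $_.Installed }) {
    Write-Warning 'At least one required update is missing; this host is still exposed to the exploit chain described above.'
    exit 1
}
exit 0
```

Run it as an administrator from a scheduled task or your configuration management tool, and treat a missing KB together with a build number older than the one in the advisory as a confirmed gap; a newer cumulative update can contain the fix without the original KB ID appearing in the Get-HotFix list.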