Operation PowerFall: Two zero-day vulnerabilities

Our technologies prevented an attack. Expert analysis revealed the exploitation of two previously unknown vulnerabilities. What you need to know.

Our technologies prevented an attack on a South Korean company recently. That’s just your average Wednesday, you might say — but while analyzing the cybercriminals’ tools, our experts discovered two whole zero-day vulnerabilities. They found the first in Internet Explorer 11’s JavaScript engine. That one enabled the attackers to remotely execute arbitrary code. The second, detected in an operating system service, let the attackers escalate privileges and perform unauthorized actions.

The exploits for these vulnerabilities operated in tandem. First, the victim was slipped a malicious script that a hole in Internet Explorer 11 allowed to run; and then a flaw in the system service further escalated the malicious process’s privileges. As a result, the attackers were able to take control of the system. Their goal was to compromise the computers of several employees and penetrate the organization’s internal network.

Our experts have dubbed this malicious campaign Operation PowerFall. At present, researchers have found no inarguable link between this campaign and known actors. However, judging by the similarity of the exploits, they haven’t ruled out involvement by DarkHotel.

When our researchers informed Microsoft of their findings, the company said it already knew about the second vulnerability (in the system service) and had even made a patch for it. But until we informed them about the first vulnerability (in IE11), they considered its exploitation unlikely.

CVE-2020-1380 Acknowledgements

How is CVE-2020-1380 dangerous?

The first vulnerability is in the library jscript9.dll, which all versions of Internet Explorer since IE9 use by default. In other words, the exploit for this vulnerability is dangerous for modern versions of the browser. (“Modern” is perhaps a slight misnomer, given that Microsoft stopped developing Internet Explorer after the release of Edge with Windows 10.) But alongside Edge, Internet Explorer is still installed by default in the latest Windows, and it remains an important component of the operating system.

Even if you don’t willingly use IE, and it is not your default browser, that doesn’t mean your system cannot be infected through an IE exploit — some applications do use it from time to time. Take Microsoft Office, for example: it uses IE to display video content in documents. Cybercriminals can also invoke Internet Explorer through other vulnerabilities and then exploit it.

CVE-2020-1380 belongs to the Use-After-Free class — the exploit abuses incorrect handling of dynamically allocated memory, accessing an object after it has already been freed. You can read a detailed technical description of the exploit with indicators of compromise in the post “Internet Explorer 11 and Windows 0-day exploits full chain used in Operation PowerFall” on the Securelist website.

How to protect yourself

Microsoft released a patch for CVE-2020-0986 (in the Windows kernel) on June 9, 2020. The second vulnerability, CVE-2020-1380, was patched on August 11. If you update your operating systems regularly, they should already be protected against Operation PowerFall–type attacks.

However, zero-day vulnerabilities pop up all the time. To keep your company safe, you need to use a solution with anti-exploit technologies, such as Kaspersky Security for Business. One of its components, the Exploit Prevention subsystem, identifies attempts to exploit zero-day vulnerabilities.

In addition, we recommend using modern browsers that receive regular security updates.