Maksim Kabakou - Fotolia

Kaspersky reveals 2 Windows zero-days from failed attack

Kaspersky prevented an attack against a South Korean company back in May that used two zero-day vulnerabilities. One, arguably the more dangerous, focused on Internet Explorer.

Kaspersky Labs uncovered two zero-day vulnerabilities in a thwarted attack against a South Korean company back in May.

The endpoint security vendor revealed the details of the attack and the two zero-day vulnerabilities on Wednesday. The first zero-day (CVE-2020-1380), arguably the more dangerous of the two, would allow threat actors to execute arbitrary code remotely in Internet Explorer browsers (via Internet Explorer 11's JavaScript engine), and the second zero-day (CVE-2020-0986) is a Windows kernel flaw that, at least as far as this attack is concerned, was used in tandem with the Internet Explorer vulnerability to escalate privileges and access the whole operating system.

As for how Kaspersky stopped two zero-days, Kaspersky security expert Boris Larin told SearchSecurity that, "Kaspersky products detected the initial attack, blocked it from execution and then made alert about the detected and blocked attack, including identified exploits."

The attack was given a name: Operation PowerFall.

"String 'PowerFall' is not contained anywhere in artifacts of this operation, but we have come up with this name trying to emphasize how PowerShell is executed at the end of the exploit chain and pretends to download a benign software update," Larin said.

While no link between the actors behind PowerFall and other campaigns has been conclusively drawn,  there is some suspicion that the attack could be connected to DarkHotel, an APT Kaspersky discovered back in 2014. That said, it's only suspicion, and there are no conclusive ties between PowerFall and DarkHotel to date.

When Kaspersky researchers informed Microsoft of their findings, "the company said it already knew about the second vulnerability (in the system service) and had even made a patch for it. But until we informed them about the first vulnerability (in IE11), they considered its exploitation unlikely," Kaspersky's blog post on the campaign said.

Microsoft fixed the Internet Explorer zero-day in its Patch Tuesday release for this month. The Windows kernel flaw was patched in June.

One notable part of the security company's blog post discussed Internet Explorer, Microsoft's legacy browser that has been phased out in favor of the company's newer Edge browser. Despite that, Internet Explorer still poses risks to enterprises.

"Even if you don't willingly use IE, and it is not your default browser, that doesn't mean your system cannot be infected through an IE exploit -- some applications do use it from time to time," the blog post read. "Take Microsoft Office, for example: It uses IE to display video content in documents. Cybercriminals can also call and exploit Internet Explorer through other vulnerabilities."

Larin noted that the browser still has some popularity, especially in Asia. When asked about the potential attack surface of Internet Explorer, Larin called it "quite big" and explained that since Microsoft hasn't developed it in approximately half a decade, "it's a fair to say that its security is five years behind others modern web browsers." However, "the real issue of IE is that it supports and contains a big number of legacy features and code, and old code is prone to security vulnerabilities."

There's one more issue, Larin said: Internet Explorer is deeply built into the Windows OS. For example, he explained, Microsoft Office uses the browser to display web-based content. In addition, "IE is still used by enterprises who need such legacy solutions like VBScript."

Dig Deeper on Application and platform security