25 C
Jaipur
Friday, October 23, 2020

Hackers Used Windows 0-day Exploit in Operation WizardOpium Attacks

Must read

huawei: Huawei ekes out third-quarter revenue growth as US restrictions bite – Latest News

Huawei Technologies Co Ltd eked out a gain in third-quarter revenue as the impact of the COVID-19 pandemic added to supply-chain difficulties brought about...

MEE Audio launches new range of Bluetooth audio accessories

MEE Audio has released a new range of audio products at different price points. There’s a new ‘MEE Audio Connect

Accenture along with SAP aims to take businesses into cloud-based open industry solutions

Accenture has announced it will be working side-by-side with SAP to help companies change their business operations with industry-specific solutions based on SAP’s...

huawei: Italy vetoes 5G deal between Fastweb and China’s Huawei: Sources – Latest News

Italy has prevented telecoms group Fastweb from signing a supply deal with Huawei for its 5G core network, two sources close to the matter...

Researchers discovered a newly patched Windows Zero-day vulnerability exploit already used in Operation WizardOpium attacks along with Chrome Zero-day exploit in last month.

GBHackers reported Operation WizardOpium attacks in November, and the attack was initially observed by Kaspersky researchers who have already uncovered a Google Chrome 0-day exploit that was used in the part of the attack.

Further detailed investigation revealed that the exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine and also escape the Chrome process sandbox.

Researchers observed the 2 different stages in EoP exploit, one is a tiny PE loader and another one is an actual exploit. Kaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic.

EoP exploit indicates that the vulnerability it used belongs to the win32k.sys driver and that the EoP exploit was the 0-day exploit, and it was confirmed by the researchers when they have tested with an exploit against the latest (patched) versions of Windows 7 and even on a few builds of Windows 10.

Exploit Chrome and Bypass Sandbox Restriction

To bypass the Chrome sandbox restriction, attackers using vulnerable Javascript to achieving a read/write primitive in the renderer process of the browser to corrupts some pointers in memory to redirect code execution to the PE loader using PE exploit.

Later PE loader tries to locate the embedded DLL file in the Exploit, and continue the same process such as parsing PE headers, handling imports/exports and more.

Later the code execution process will be redirected to the entry point of the DLL ( DllEntryPoint) function.

” The PE code then creates a new thread, which is an entry point for the exploit itself, and the main thread simply waits until it stops. “

EoP exploit used in the attack (Credits: Kaspersky)

According to Kaspersky research ” The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation.”

Details about how Exploit gets an arbitrary kernel read/write primitive is explained here. Once it obtained, then used to perform privilege escalation on the target system.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

huawei: Huawei ekes out third-quarter revenue growth as US restrictions bite – Latest News

Huawei Technologies Co Ltd eked out a gain in third-quarter revenue as the impact of the COVID-19 pandemic added to supply-chain difficulties brought about...

MEE Audio launches new range of Bluetooth audio accessories

MEE Audio has released a new range of audio products at different price points. There’s a new ‘MEE Audio Connect

Accenture along with SAP aims to take businesses into cloud-based open industry solutions

Accenture has announced it will be working side-by-side with SAP to help companies change their business operations with industry-specific solutions based on SAP’s...

huawei: Italy vetoes 5G deal between Fastweb and China’s Huawei: Sources – Latest News

Italy has prevented telecoms group Fastweb from signing a supply deal with Huawei for its 5G core network, two sources close to the matter...

huawei: Huawei reports 9.9% revenue growth in first 3 quarters of 2020 – Latest News

Huawei on Friday said that it generated a revenue of 671.3 billion yuan ($98.57 billion) in the first three quarters of this year, an...