IE11 and Windows 10 exploits demonstrate the need to be proactive and vigilant in defending against unknown vulnerabilities in browsers and operating systems

Recently, a targeted attack on a South Korean company was investigated and found to involve a previously unknown full exploit chain consisting of two zero-day exploits.

The first exploit was a remote code execution exploit for Internet Explorer 11 built on a “Use-After-Free” vulnerability, a class of memory-corruption bug that can enable full remote code execution. The vulnerability was assigned CVE-2020-1380. Because Internet Explorer 11 runs in an isolated environment (a sandbox), the attackers needed additional privileges on the infected machine, which is the purpose of the second exploit.

The second exploit was an elevation of privilege (EoP) exploit targeting the latest versions of Windows 10, using a vulnerability in the printer service. It allows attackers to execute arbitrary code on the target machine with elevated privileges. The vulnerability was assigned CVE-2020-0986.

According to Boris Larin, a Kaspersky security expert: “What is particularly interesting in the discovered attack is that the previous exploits we found were mainly about elevation of privileges. However, this case includes an exploit with remote code execution capabilities, which is more dangerous. Coupled with the ability to affect the latest Windows 10 builds, the discovered attack is truly a rare thing nowadays. It reminds us once again to invest into prominent threat intelligence and proven protective technologies to be able to proactively detect the latest zero-day threats.”

Kaspersky experts suspect, with a low level of confidence, that the attack is linked to the DarkHotel campaign, based on weak similarities between the new exploit and previously discovered exploits attributed to this threat actor.

Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on the Kaspersky Threat Intelligence Portal.

Patches for the EoP vulnerability CVE-2020-0986 and the remote code execution vulnerability CVE-2020-1380 were released on 9 June 2020 and 11 August 2020, respectively.