Hackers combine two unpatched Microsoft zero-days in attack on South Korean firm

Hackers combined two zero-day vulnerabilities in Windows 10 and Internet Explorer to target a South Korean company in a never-before-seen chained attack earlier in the year.

Cyber criminals exploited a remote code execution (RCE) flaw in Internet Explorer 11 together with an elevation of privilege exploit for an up-to-date version of Windows 10 in May, according to researchers with Kaspersky.

Kaspersky branded the attack Operation PowerFall. The two flaws comprising the chain were assigned CVE-2020-0986 for the Windows 10 elevation of privilege flaw, and CVE-2020-1380 for the Internet Explorer remote code execution vulnerability.

The latter flaw exists in the Internet Explorer scripting engine jscript9.dll, and relates to how this engine handles objects in memory. The vulnerability could allow an attacker to compromise a system when a user navigates to a malicious site or opens malicious files.

Hackers combined this flaw with the Windows 10 privilege escalation vulnerability to target an unnamed South Korean company with malware, as detailed in a technical analysis published by the cyber security company. The firm managed to stop the attack just before the hackers delivered the final payload, however.

The Windows 10 flaw was initially reported to Microsoft in December 2019 through Trend Micro’s Zero Day Initiative (ZDI), although no action was taken. The vulnerability was subsequently made public on 19 May, six months following disclosure, and the flaw was exploited the next day in the chained attack, according to Kaspersky.

After Kaspersky researchers then reported this attack to Microsoft on 8 June, the company revealed that it had already prepared a patch for CVE-2020-0986, although it didn’t deem exploitation as being highly likely. Microsoft applied its patch on 9 June, a month after the attack on the South Korean firm, while the patch for the Internet Explorer flaw was only released earlier this week on 11 August.

Researchers were unable to establish a definitive link with any known cyber gangs, although they suggested that the hackers behind the DarkHotel spearphishing campaign may be behind this attack, due to similarities with previously discovered exploits.

This group is also rumoured to be behind recently attempted hacks against the World Health Organisation (WHO), with the organisation fending off a cyber attack in March this year.

Active since at least 2007, according to Kaspersky’s SecureList, the group is known to have a high success rate in its phishing campaigns. The group also targeted hotel Wi-Fi networks in 2014 to steal information from visitors and delete confidential information.

Keumars Afifi-Sabet
