Early this week, Google has issued essential security updates to address the two flaws in the Chrome browser. One of the flaws in this massive attack, CVE-2019-13720, is said to have been used in campaigns used by a group of Koreans in attacks to hijack computers.
The two flaws are known as CVE-2019-13720 and CVE-2019-13721, which are both in the PDFium library and audio component of Chrome.
CVE-2019-13720, a zero-day flaw found in the audio component, was reported by Alexey Kulaev and Anton Ivanov researchers from Kaspersky Lab. According to the two, it is a high severity use-after-free flaw, which is utilized in many attacks, but many experts do not believe that any party makes these attacks.
However, the experts from Kaspersky refuses to believe that, and now they provided details of the attacks and reported it to Google last October 29. The flaw used by other entities as part of the campaign called Operation WizardOpium.
According to Kasperksy, the campaign has faint similarities with the Lazarus attacks; there is not enough evidence to link them. Instead, they mentioned that it could also be a false flag in a post.
At least one of the websites attacked in the Operation Wizard Opium has similarities with some of the attacks of the earlier DarkHotel Operations. The experts first spotted this campaign in Kaspersky Lab in 2014. The researches believed that the APT group has been existing for a decade and targeting corporate executives who are traveling abroad.
The attackers behind the DarkHotel campaign aim is to get sensitive data from these executives while who are staying at luxury hotels. The bad news is the hackers are still around and very much active. In the recent attacks, they made a watering hole hit on a Korean-language portal site dedicated to news releases. They did this by planting an infected JavaScript code on the main page. It then loads the profiling script controlled from another remote site. By checking the visitor’s browser history and its operating system, it determines whether it is possible to trigger the zero-day flaw in Chrome.
The check in the user’s system is done to make sure that it can be infected by performing a comparison with the user’s browser. It should run on Windows’ 64-bit version. It will also try to get the browser’s name and version.
Once this code containing explicit command is successfully triggered, the hacker would be able to deliver an encrypted code that is masked as a jpeg file. It will be decrypted, making it an executable file ready to run.
Kaspersky Lab further revealed that the payload would only enter the system through Windows Task Scheduler. This is because this system has a modular structure that and its main modules can download other programs from the C2 server. It also included in its published report the details of the hacker’s attacks, along with indicators of compromise (IoCs).
This is not the first time this year that Google Chrome got compromised. It has addressed another flaw, CVE-2019-5786, which was used actively by hackers.