The critical zero-day that targeted security researchers gets a patch from Microsoft


Microsoft fixed a critical zero-day vulnerability that North Korean hackers were using to attack security researchers with malware.

The in-the-wild attacks surfaced in January, in posts from Google and Microsoft. Hackers supported by the North Korean government, the two posts said, spent weeks developing working relationships with security researchers. To gain the trust of the researchers, the hackers created a research blog and personas on Twitter that contacted the researchers to ask if they wanted to collaborate on a project.

Finally, the fake Twitter profiles asked researchers to use Internet Explorer to open a web page. Those who took the bait would find that their fully patched Windows 10 machine had installed a malicious service and an in-memory backdoor that contacted a hacker-controlled server.

Microsoft fixed the vulnerability on Tuesday. CVE-2021-26411, as the vulnerability is tracked, is rated critical and requires only low-complexity attack code to exploit.

From rags to riches

Google said only that the people who targeted the researchers worked for the North Korean government. Microsoft said they were part of Zinc, Microsoft’s name for a threat group better known as Lazarus. Over the past decade, Lazarus has transformed from a disorganized group of hackers into what is often a formidable threat actor.

A 2019 United Nations report estimated that Lazarus and associated groups generated $2 billion for the country’s weapons of mass destruction programs. Lazarus has also been linked to the WannaCry worm that shut down computers around the world, fileless Mac malware, malware that targets ATMs, and malicious Google Play apps that target defectors.

In addition to the watering-hole attack that exploited IE, the Lazarus hackers who targeted the researchers also sent the targets a Visual Studio project that supposedly contained the source code for a proof-of-concept exploit. Hidden within the project was custom malware that contacted the attackers’ control server.

Although Microsoft describes CVE-2021-26411 as an “Internet Explorer memory corruption vulnerability”, Monday’s statement says that the vulnerability also affects Edge, a browser that Microsoft built from scratch and that is considerably more secure than IE. The vulnerability keeps its critical rating for Edge, but there are no reports of exploits actively targeting users of that browser.

The patch came as part of Microsoft’s Tuesday update. In all, Microsoft released 89 patches. In addition to the IE vulnerability, a separate privilege-escalation flaw in the Win32k component is also under active exploitation. The patches will be installed automatically over the next two days. Those who want the updates immediately should go to Start > Settings (the gear icon) > Update & Security > Windows Update.
