SCH.cx – Microsoft Has Patched a Critical Zero-day Vulnerability Exploited by North Korean Hackers. Microsoft has patched a critical zero-day vulnerability that North Korean hackers are using to target security researchers with malware.
In January, posts from Google and Microsoft exposed these zero-day attacks. Both posts stated that hackers backed by the North Korean government spent weeks building working relationships with security researchers. To win the researchers' trust, the hackers set up a research blog and a Twitter persona, then contacted researchers and asked whether they would like to collaborate on a project.
Eventually, the operators of the fake Twitter profile asked the researchers to open a web page using Internet Explorer. Those who took the bait found that their fully patched Windows 10 machines had been infected with a malicious service and an in-memory backdoor that contacted a hacker-controlled server.
Microsoft patched the vulnerability, tracked as CVE-2021-26411, on Tuesday. The security vulnerability was rated critical and can be exploited with low-complexity attack code. Google said the person who contacted the researchers worked for the North Korean government. Microsoft attributed the activity to Zinc, its name for the threat group better known as Lazarus. Over the past decade, Lazarus has grown from a fragmented hacking group into a formidable threat actor.
A 2019 United Nations report reportedly estimated that Lazarus and related groups generated US$2 billion for the country's weapons of mass destruction program. Lazarus has also been linked to the WannaCry worm that shut down computers around the world, fileless Mac malware, malware targeting ATMs, and malicious Google Play apps targeting defectors.
In addition to the watering-hole attack that relied on IE, the Lazarus hackers targeting researchers also sent their targets a Visual Studio project that purportedly contained proof-of-concept source code for a vulnerability. Custom malware hidden inside the project contacted the attackers' control server.
Although Microsoft described CVE-2021-26411 as an "Internet Explorer Memory Corruption Vulnerability," Monday's announcement stated that the vulnerability also affects Edge, a browser Microsoft built from the ground up that is considerably more secure than IE. However, there have been no reports that the vulnerability has been actively exploited against users of that browser.
The patch is part of Microsoft's Tuesday update, in which Microsoft released a total of 89 patches. In addition to the IE vulnerability, a separate privilege-escalation vulnerability in the Win32k component is also being actively exploited. The patches will be installed automatically over the next day or two. Users who want to update immediately should go to Start > Settings (gear icon) > Update & Security > Windows Update to install these security patches.