Microsoft has patched a critical zero-day vulnerability that North Korean hackers used to attack security researchers with malware.
The in-the-wild attacks came to light in January in reports from Google and Microsoft. According to both reports, hackers backed by the North Korean government had spent weeks developing working relationships with security researchers. To gain the researchers' trust, the hackers created a research blog and Twitter personas that reached out to researchers and asked if they wanted to collaborate on a project.
Finally, the fake Twitter profiles asked the researchers to use Internet Explorer to open a webpage. Those who took the bait would find that their fully patched Windows 10 machine had installed a malicious service and an in-memory backdoor that contacted a hacker-controlled server.
Microsoft patched the vulnerability on Tuesday. CVE-2021-26411, as the security flaw is tracked, is rated critical and requires only low-complexity attack code to exploit.
From rags to riches
Google said only that the people who contacted the researchers were working for the North Korean government. Microsoft said they were part of Zinc, Microsoft's name for a threat group better known as Lazarus. Over the past decade, Lazarus has transformed from a loose patchwork of hackers into what is often a formidable threat actor.
A 2019 United Nations report estimated that Lazarus and related groups had generated $2 billion for the country's weapons of mass destruction programs. Lazarus has also been linked to the WannaCry worm that shut down computers around the world, fileless Mac malware, malware targeting ATMs, and malicious Google Play apps targeting defectors.
In addition to the watering-hole attack that exploited IE, the Lazarus hackers targeting the researchers also sent a Visual Studio project that supposedly contained source code for a proof-of-concept exploit. The project contained malware that contacted the attackers' control server.
While Microsoft describes CVE-2021-26411 as an "Internet Explorer Memory Corruption Vulnerability," Monday's advisory says the vulnerability also affects Edge, a browser that Microsoft built from scratch and that is significantly more secure than IE. The vulnerability retains its critical rating for Edge, but there are no reports of exploits actively targeting users of that browser.
The patch came as part of Microsoft's Update Tuesday. In total, Microsoft released 89 patches. In addition to the IE vulnerability, a separate elevation-of-privilege flaw in the Win32k component is also being actively exploited. Patches typically install automatically within the next day or two. Those who want the updates immediately can go to Start > Settings (the gear icon) > Update & Security > Windows Update.