Operation PowerFall - Yet Another Attack Campaign Using Zero-Day Exploits

Kaspersky recently revealed details about an attack campaign, launched in May 2020, against a South Korean company.


What happened?

Dubbed “Operation PowerFall,” the attack campaign involved exploitation zero-day vulnerabilities in Windows and Internet Explorer.
  • These full chain exploits target the latest builds of Windows 10 OS (build 18363 x64) and Internet Explorer 11. 
  • The attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer (CVE-2020-1380) and an elevation of privilege exploit (CVE-2020-0986) for Windows.
  • Based on the similarities with previously disclosed vulnerabilities, researchers concluded that these attacks were probably carried out by the DarkHotel group.


Recent vulnerabilities in IE

  • The most recent set of zero-day exploits (CVE-2020-0674, CVE-2019-1429, CVE-2019-0676, and CVE-2018-8653) also relied on the vulnerabilities in the legacy JavaScript engine, similar to the new one.
  • While the previous set of vulnerabilities exploited a slightly older version of the IE Javascript engine, a new exploit was found targeting the latest version (jscript9.dll).


Previous attacks on IE

Earlier this year, several attacks leveraging vulnerabilities in IE have been observed in the wild.
  • In July 2020, the Purple Fox exploit kit added two new exploits (CVE-2020-0674 and CVE-2019-1458) targeting critical- and high-severity Microsoft IE vulnerabilities.
  • In March, it was revealed that an unnamed group of hackers was using five zero-day vulnerabilities, including CVE-2020-0674 in IE, to target North Korea-focused professionals.


The bottom line

Both vulnerabilities have been already patched by Microsoft. Due to threats like this, it becomes all the more important for organizations to practice countermeasures such as reducing the exposed attack surface, leveraging behavior-based threat analysis, and implementing a rigorous patch management process.