Critical zero-day that targeted security researchers gets patch from Microsoft



Dark figures stand under a Microsoft logo on a faux wood wall.

Microsoft fixed a critical zero-day vulnerability that North Korean hackers used to target security researchers with malware.

The in-the-wild attacks were revealed in January in publications from Google and Microsoft. According to the two reports, the North Korean government-backed hackers had spent weeks developing working relationships with security researchers. To gain the researchers' trust, the hackers created a research blog and Twitter personas that contacted the researchers to ask whether they wanted to collaborate on a project.

Eventually, the fake Twitter profiles told researchers to use Internet Explorer to open a web page. Those who took the bait would find that their fully patched Windows 10 machine had installed a malicious service and an in-memory backdoor that contacted a server controlled by the attackers.

Microsoft fixed the vulnerability on Tuesday. CVE-2021-26411, as the vulnerability is tracked, is rated critical and requires only low-complexity attack code to exploit.

From rags to riches

Google said only that the people who contacted the researchers worked for the North Korean government. Microsoft has said they are part of Zinc, Microsoft's name for a threat group better known as Lazarus. Over the past decade, Lazarus has grown from a motley group of hackers into what can often be a formidable threat actor.

Lazarus and associated groups have reportedly generated $2 billion for the country's weapons of mass destruction programs, according to a 2019 United Nations report. Lazarus has also been linked to the WannaCry worm that shut down computers around the world, fileless Mac malware, malware that targets ATMs, and malicious Google Play apps that target defectors.

In addition to the watering-hole attack that exploited IE, the Lazarus hackers who targeted the researchers also sent targets a Visual Studio project that purportedly contained source code for a proof-of-concept exploit. Hidden inside the project was custom malware that contacted the attackers' control server.

While Microsoft describes CVE-2021-26411 as an "Internet Explorer memory corruption vulnerability," Monday's notice says the vulnerability also affects Edge, a Microsoft browser built from scratch that is considerably more secure than IE. The vulnerability retains its critical rating for Edge, but there are no reports of exploits actively targeting users of that browser.

The fix came as part of Microsoft's update on Tuesday. In all, Microsoft released 89 fixes. Besides the IE vulnerability, a separate privilege-escalation vulnerability in the Win32k component is also under active exploitation. The fixes will be installed automatically over the next two days. Those who want the updates immediately should go to Start > Settings (the gear icon) > Update & Security > Windows Update.
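For administrators who would rather confirm patch state from a shell than click through the Settings path above, the following PowerShell script is an added example (not from the article or from Microsoft). It lists the most recently installed hotfixes, checks for one specific KB, and asks Windows Update through its COM API which software updates are still pending, flagging the ones Microsoft rates Critical. The KB identifier is a placeholder: the article does not give the KB number for CVE-2021-26411, so substitute the one from Microsoft's advisory. It assumes an elevated PowerShell session on Windows 10 with the Windows Update service reachable.

```powershell
# Added example, not the article's content: report installed hotfixes and
# pending Windows Update items so patch state can be verified without the GUI.
# Assumptions: elevated PowerShell on Windows 10; Windows Update service is
# reachable; $KbToCheck is a PLACEHOLDER to be replaced with the real KB id.
$KbToCheck = 'KB0000000'   # PLACEHOLDER: substitute the KB listed in the advisory

# 1. Installed hotfixes: quick check whether the specific KB is already present.
$installed = Get-HotFix | Sort-Object InstalledOn -Descending
if ($installed.HotFixID -contains $KbToCheck) {
    Write-Host "$KbToCheck is installed."
} else {
    Write-Host "$KbToCheck not found among installed hotfixes."
}
Write-Host "Most recently installed hotfixes:"
$installed | Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# 2. Pending updates: query the Windows Update agent via its COM interface.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity          # e.g. 'Critical', 'Important', or empty
        KBs      = ($u.KBArticleIDs -join ',')
    }
}

if (-not $pending) {
    Write-Host "Windows Update reports no pending software updates."
} else {
    Write-Host "Pending updates (Critical first):"
    $pending | Sort-Object { $_.Severity -ne 'Critical' }, Title | Format-Table -AutoSize
}
```

The script only reads state; installing is still done through Windows Update itself, so a host that shows a pending Critical item here is one where the Settings path in the text (or the organisation's update tooling) should be used to apply it.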
