Internet Explorer CVE-2019–1367 In the wild Exploitation — prelude


CVE-2019–1367 background and in-the-wild exploitations

Before diving into the technical analysis, there are some important aspects of CVE-2019–1367 to know: the intelligence around it, and the series of events that followed its in-the-wild exploitation and Microsoft's patches.

First, the bug class, as stated in the Google Project Zero report:

JScript variable (represented as VAR structure) isn’t properly tracked by garbage collector

It is important to understand the bug class. Google Project Zero, for example, performs what they call variant analysis to discover additional vulnerabilities of the same bug class; CVE-2019–1429 is a result of variant analysis of CVE-2019–1367.

In fact, the first in-the-wild exploitation of this bug class was seen in December 2018, exploiting CVE-2018–8653, discovered by the Google TAG team. That bug was then documented by McAfee here and by Tetrane here.

The Google TAG team discovered CVE-2019–1367 being exploited in the wild by a threat actor. No details were given at the time of the Microsoft advisory.

In a more recent blog post, the Google TAG team disclosed that North Korea, or individuals working on North Korea-related issues, were the main targets of this in-the-wild exploitation, but gave no further details about the threat actors behind the attacks at the time of reporting.

Who are these threat actors?

Based on OSINT and the data that followed this discovery, two main threat actors are known to date to have been caught exploiting CVE-2019–1367:

  • DarkHotel APT: a suspected Korean Peninsula APT actor, considered skilful, active, long-running (more than 10 years of existence) and resourceful (state sponsored?).

  • Magnitude Exploit Kit: an opportunistic malvertiser, mostly targeting South Korea. Magnitude EK has been around since 2013 and is known to drop well-known ransomware families including Locky, Cerber, Magniber, CryptoWall and GandCrab, and to rapidly integrate new CVEs into its exploitation chains. Below is a tweet from 2013 showing some of its oldest CVE integrations:

So what’s CVE-2019–1367 impact?

CVE-2019–1367 enables Remote Code Execution (RCE) in the context of Internet Explorer, in versions 8, 9, 10 and 11, due to a memory corruption in jscript.dll.

This means victims can be infected with malware just by browsing to a web page, a so-called 1-click exploit: the victim needs to click at least once on a link to get infected (as opposed to a 0-click exploit, which requires no user interaction at all).

A typical scenario for a 1-click exploit is a watering hole attack, a technique usually associated with nation-state APTs.

Note: the most recent iOS exploits found in the wild were also delivered through watering hole attacks targeting specific populations.

1-click exploits are also used in malvertising (malicious ads), mostly by cyber-crime/FIN actors. When a 1-click exploit sits at the end of a chain of redirects, as seen every day in malicious advertising, it effectively has a 0-click effect: the victim's single click lands on an unrelated ad or page, and no further interaction is required before infection.

Even though 1-click exploits are less valuable (and less expensive) than 0-click exploits, they can have a similarly devastating effect when placed at the right point in a chain.

Microsoft released a patch and, as a workaround, advised restricting access to jscript.dll (the legacy engine superseded by jscript9.dll), which Internet Explorer still loads when a page forces IE 8 document mode. A page typically forces that mode with the following tag:

<meta http-equiv="X-UA-Compatible" content="IE=8">
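Applying that jscript.dll restriction in practice, as an added example that is not part of the original article: the script below wraps the cacls command from Microsoft's published workaround in PowerShell, covering both the 32-bit and 64-bit copies of the DLL, and adds a check that the deny entry is actually present rather than trusting the command's exit status. It assumes an elevated PowerShell session on a 64-bit Windows host; the function names are ours, not Microsoft's.

```powershell
# Added example (not from the article). Assumes an elevated session on
# 64-bit Windows; the cacls invocation is the form Microsoft's advisory
# published as a workaround ("everyone:N" = Everyone gets no access).

# Both copies of the legacy engine matter on a 64-bit host: 64-bit IE loads
# System32\jscript.dll, 32-bit IE (the common case) loads SysWOW64\jscript.dll.
$script:JScriptTargets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $script:JScriptTargets += "$env:windir\SysWOW64\jscript.dll"
}

function Disable-LegacyJScript {
    foreach ($dll in $script:JScriptTargets) {
        if (Test-Path $dll) {
            # /E edits the existing ACL instead of replacing it,
            # /P everyone:N adds a "no access" (deny) entry for Everyone.
            cacls $dll /E /P everyone:N | Out-Null
        }
    }
}

function Enable-LegacyJScript {
    foreach ($dll in $script:JScriptTargets) {
        if (Test-Path $dll) {
            # /R everyone removes the explicit Everyone entry added above.
            cacls $dll /E /R everyone | Out-Null
        }
    }
}

function Test-LegacyJScriptRestricted {
    # Returns $true only when every jscript.dll present on the host carries
    # an explicit Deny ACE for Everyone; anything less means the workaround
    # is not in effect for at least one copy of the engine.
    foreach ($dll in $script:JScriptTargets) {
        if (-not (Test-Path $dll)) { continue }
        $acl = Get-Acl -Path $dll
        $deny = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Deny'
        }
        if (-not $deny) { return $false }
    }
    return $true
}

# Usage:
Disable-LegacyJScript
Test-LegacyJScriptRestricted   # expect True once the deny entries are in place
```

Restricting the file breaks any intranet site that relies on IE 8 document mode (which is exactly the mode the meta tag above forces), so test the workaround on a pilot group first and revert it with Enable-LegacyJScript once the patch has been deployed. Checking for the deny entry directly is what tells you the mitigation is actually applied on a given host, which a fleet-wide script can report back instead of assuming the cacls call succeeded.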

To give more context on CVE-2019–1367, we drew up the following timeline of events, collected from OSINT.

Timeline of the events

  • 24 September 2019: @_clem1 from the Google TAG team is credited by Microsoft for the discovery. DarkHotel APT is cited for the first time as linked to the in-the-wild exploitation of this bug:

  • 24 September 2019: Kaspersky confirms that DarkHotel APT was exploiting this vulnerability:

Based on the above tweet, the public Google document in which Google Project Zero tracks 0-days exploited in the wild officially attributes CVE-2019–1367 to DarkHotel APT.

  • 20 January 2020: samples of the DarkHotel APT exploit are uploaded to VirusTotal and flagged as CVE-2019–1367 by most security vendors:

  • 6 February 2020: Google Project Zero publishes a variant analysis of CVE-2019–1367, which resulted in CVE-2019–1429, a variant from the same bug class: