U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers exploited IE and Firefox flaws in attacks on entities in China, Japan

An APT group is exploiting the flaws patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan. An APT group is exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan. The first issue, tracked as CVE-2019-17026, affects the Firefox […]

IE Firefox attacks

An APT group is exploiting the flaws patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.

An APT group is exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.

The first issue, tracked as CVE-2019-17026, affects the Firefox browser and was addressed in January.

The CVE-2019-17026 flaw is an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement,” where IonMonkey is the Just-in-Time (JIT) compiler for Firefox’s SpiderMonkey JavaScript engine.

In January, Mozilla confirmed that it’s aware of targeted attacks exploiting the CVE-2019-17026 zero-day, but it did not disclose details of the attacks.

The vulnerability was reported to Mozilla by security experts from the Chinese firm Qihoo 360.

The experts reported that the CVE-2019-17026 zero-day had been exploited by attackers along with an Internet Explorer zero-day, Qihoo 360 experts initially disclosed the discovery via Twitter, but later deleted the message.

The second flaw tracked as CVE-2020-0674 is an RCE affecting the Internet Explorer, Microsoft addressed it in February,

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting a specially crafted content designed to exploit the issue through Internet Explorer.

According to the cybersecurity firm Qihoo 360, threat actors exploited both flaws before they have been addressed by Microsoft.

The experts pointed out that the two vulnerabilities were exploited as part of a campaign aimed at Chinese government agencies and attributed to the DarkHotel APT, aka APT-C-06.

Qihoo experts also tracked the group as the “Peninsula APT,” likely because it refers to an APT group operating from Korea.

Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities

“When you are directed to the attack site with IE or Firefox, the attack code corresponding to the browser you accessed is returned.” states the JPCERT.

“After that, if the attack succeeds, the attack code will be downloaded again as a proxy automatic configuration file (PAC file). The downloaded attack code is executed as a PAC file, and the malware is downloaded and executed.”

IE Firefox attacks

The exploitation of the flaw allows delivering a proxy auto-configuration (PAC) file to the system. The PAC files are used to redirect requests made to specified websites through an external server under the control of the attackers.

The final payload used in the attack is a variant of the Gh0st RAT that was employed in multiple attacks carried out by China-linked APT groups. Experts pointed out that the source code of the RAT was leaked many years ago, and many out threat actors started using it.

“As a result of verification, it was confirmed that the attack on IE confirmed this time will be performed until execution of malware on Window 7 x64 (December 2019 release patch applied) and Windows 8.1 x64 (January 2020 release patch applied), No malware infection occurred in the environment of Windows 10 (with the January 2020 release patch applied).” concluded the report. “It is possible that the code was not compatible with Windows 10 in this attack.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Firefox, IE)

[adrotate banner=”5″]

[adrotate banner=”13″]