Both Microsoft and Google released software updates yesterday to fix a number of security vulnerabilities, including zero-day vulnerabilities that have been exploited in the wild. These zero-days were discovered by Kaspersky but had already been exploited by advanced hacking groups to install spyware directly on victims' computers. Kaspersky pointed out that it could not attribute the attack to any particular group, but that some of the code used by the attackers resembled that of the Lazarus group.
Exploiting vulnerabilities through a Korean news site to load malware:
Kaspersky's investigation found that the attackers first used a vulnerability in a Korean news site to embed a malicious script, which was loaded whenever a user browsed the site.
The malicious script contained code written specifically for Google Chrome, exploiting a zero-day vulnerability that Google had not previously discovered.
Once the malicious script ran, the Win32k vulnerability was then exploited to download and install malware that automatically connects to a remote server to obtain instructions.
This means that a user merely browsing the Korean site would be infected with malware; no interaction from the user was required to complete the attack.
The attackers may be Lazarus:
After tracing and analyzing the attack, Kaspersky said there was no definitive evidence linking it to any known advanced persistent threat group.
However, the code used by the attackers is very similar to that of the Lazarus Group, suggesting that the attackers may be Lazarus, although this has not been confirmed.
Lazarus has carried out a number of well-known cyberattacks, including the WannaCry ransomware, the Bangladesh bank theft and bank thefts in the Far East.
The group has also been confirmed to be a North Korean state-sponsored hacking group, and this attack was delivered through a Korean news site whose readership is mainly South Korean.
So it is reasonable to assume that the attack was likely carried out by the Lazarus group, though Kaspersky says there is not enough definitive evidence for the time being.
Kaspersky believes the attack code closely resembles Lazarus's, but it is also possible that another group is trying to direct suspicion toward Lazarus.
Microsoft has fixed the vulnerability in a routine update:
The vulnerability affects not only Windows 10: according to Microsoft, all supported versions of Windows, including server editions, are affected.
The vulnerability lies in the Win32k component, which has been a frequent source of high-risk zero-day vulnerabilities since the end of last year.
Microsoft says the vulnerability allows an attacker to run arbitrary code in kernel mode, including installing software, deleting data, or creating new user accounts with the same privileges.
Affected versions include Windows 7 SP1 through all versions of Windows 10, Windows Server 2008 R2 through Server 2019, and so on.
Versions older than Windows 7 SP1, such as XP, and Windows 10 releases that are no longer supported, such as those before 1803, are of course also affected.
However, these end-of-support versions will not receive a security update for this vulnerability, so users are advised to upgrade to a supported version as soon as possible.
Google has also fixed the zero-day vulnerability:
It is rare for an attacker to chain zero-day vulnerabilities in both the Windows operating system and Google Chrome, but the chain has now been blocked.
Google's browser development team fixed the vulnerability promptly after receiving Kaspersky's report, and users who have automatic updates turned on will be upgraded to the latest version automatically.
At present, Google Chrome has update servers deployed in China; users can also download the Google Chrome installation package from the Chinese official website.
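The following PowerShell script is an added example, not code from the article or from Microsoft, Google or Kaspersky. It reports whether a host falls inside the patched Windows range named above (Windows 7 SP1 through Windows 10, with Windows 10 releases before 1803 treated as out of support, and Server 2008 R2 through 2019), and whether Chrome is installed with Google Update allowed to update it automatically. The build numbers it compares against (7601 for Windows 7 SP1 and Server 2008 R2 SP1, ReleaseId 1803 for Windows 10), the Google Update policy registry path and Chrome's app id are assumptions of the example, taken from standard Windows and Google Update conventions rather than from the article.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on the host to check.
# Assumptions, not article facts: 6.1.7601 = Windows 7 SP1 / Server 2008 R2 SP1,
# Windows 10 ReleaseId "1803" is the oldest client release the article says is still supported,
# and HKLM:\SOFTWARE\Policies\Google\Update is where Google Update reads its update policy.

function Get-WindowsSupportStatus {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version                        # e.g. "6.1.7601" or "10.0.17763"
    $isServer = $os.ProductType -ne 1                  # 1 = workstation, 2 = domain controller, 3 = server
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = if ($cv.ReleaseId) { [int]$cv.ReleaseId } else { 0 }   # "1803", "1903", ... on Windows 10 only

    $inRange = if ($ver.Major -lt 6 -or ($ver.Major -eq 6 -and $ver.Minor -eq 0)) {
        $false                                         # XP / Vista / Server 2008 non-R2: older than Windows 7 SP1
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        $ver.Build -ge 7601                            # Windows 7 / Server 2008 R2 must be at SP1 (build 7601)
    } elseif ($ver.Major -eq 6) {
        $true                                          # Windows 8.x / Server 2012 (R2): between the named endpoints
    } elseif ($isServer) {
        $true                                          # Server 2016 / 2019 report 10.0 and are inside the range
    } else {
        $releaseId -ge 1803                            # Windows 10 client: releases before 1803 get no fix
    }

    [pscustomobject]@{
        Caption        = $os.Caption
        Version        = $ver.ToString()
        ReleaseId      = $releaseId
        IsServer       = $isServer
        InPatchedRange = $inRange
        Action         = if ($inRange) { 'Install the current cumulative update' }
                         else { 'Out of support: no fix will ship, upgrade to a supported version' }
    }
}

function Get-ChromeUpdateStatus {
    # Typical per-machine and per-user install locations (assumed, not from the article).
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    $exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $version = if ($exe) { (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion } else { $null }

    # Google Update policy values: 0 = updates disabled, 1 = always allow,
    # 2 = manual check only, 3 = automatic silent updates only. No value means updates allowed.
    $chromeAppId = '{8A69D345-D564-463C-AFF1-A69D9E530F96}'   # Chrome's Google Update app id (assumed)
    $policy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Update' -ErrorAction SilentlyContinue
    $perApp  = if ($policy) { $policy."Update$chromeAppId" } else { $null }
    $default = if ($policy) { $policy.UpdateDefault } else { $null }
    $effective = if ($null -ne $perApp) { $perApp } elseif ($null -ne $default) { $default } else { 1 }

    # The Google Update service must exist for automatic updates to run at all.
    $updaterPresent = [bool](Get-Service -Name 'gupdate' -ErrorAction SilentlyContinue)
    $autoUpdate = ($effective -in @(1, 3)) -and $updaterPresent

    [pscustomobject]@{
        Installed    = [bool]$exe
        Version      = $version
        UpdatePolicy = $effective
        AutoUpdate   = $autoUpdate
        Action       = if (-not $exe) { 'Chrome not found' }
                       elseif ($autoUpdate) { 'Automatic updates allowed: relaunch Chrome to apply the fix' }
                       else { 'Automatic updates blocked: re-enable them or update manually' }
    }
}

Get-WindowsSupportStatus | Format-List
Get-ChromeUpdateStatus   | Format-List
```

The Windows check deliberately treats server editions that report version 10.0 as in range, since the article names Server 2019 as patched; the 1803 cutoff applies only to Windows 10 client releases. If `AutoUpdate` comes back false on a managed host, the per-application policy value for Chrome overrides `UpdateDefault`, so check that key first before changing the machine-wide default.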