CVE-2019-13720 flaw in Chrome exploited in Operation WizardOpium attacks

One of the two flaws in Chrome addressed by Google, CVE-2019-13720, was exploited in a campaign that experts attribute to Korea-linked threat actors.

This week Google released security updates to address two high severity vulnerabilities in the Chrome browser, one of which is a zero-day flaw actively exploited in attacks in the wild to hijack computers.

The vulnerabilities, tracked as CVE-2019-13720 and CVE-2019-13721, reside respectively in Chrome’s audio component and in the PDFium library.

“[$7500][1013868] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12” and “[$TBD][1019226] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29” reads the advisory published by Google. “Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild.”

The zero-day flaw in the audio component, CVE-2019-13720, was reported by Kaspersky researchers Anton Ivanov and Alexey Kulaev. According to the security duo, the high-severity use-after-free flaw has been found exploited in the wild, though the experts did not attribute the attacks to a specific threat actor.

Now Kaspersky provided further details about the attacks that exploited the CVE-2019-13720 discovered by its experts and reported to Google on October 29.

According to Kaspersky, the CVE-2019-13720 has been exploited by threat actors as part of a campaign tracked as Operation WizardOpium.

The researchers pointed out that the campaign has very weak code similarities with past Lazarus operations, but the evidence they collected does not allow a definitive attribution.

“We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag.” reads a post published by Kaspersky.

At least one of the websites targeted in Operation WizardOpium is in line with earlier attacks of the DarkHotel operation.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014; according to the researchers, the APT group has been around for nearly a decade, targeting selected corporate executives travelling abroad.

According to the experts, the threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they were staying in luxury hotels; the worrying news is that the hacking crew is still active.

The attackers carried out a watering-hole attack on a Korean-language news portal: they planted malicious JavaScript code on the main page, which in turn loads a profiling script from a remote site.

The script checks the visitor’s browser and operating system and determines whether it is possible to trigger the Chrome zero-day.

“The script then loads another script named .charlie.XXXXXXXX.js. This JavaScript checks if the victim’s system can be infected by performing a comparison with the browser’s user agent, which should run on a 64-bit version of Windows and not be a WOW64 process; it also tries to get the browser’s name and version.” continues the analysis. “The vulnerability tries to exploit the bug in Google Chrome browser and the script checks if the version is greater or equal to 65 (current Chrome version is 78):”
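A triage helper for incident responders, written here as an added example (it is not code from Kaspersky's report or from this article): given proxy or web-server log entries for visits to the compromised portal, it applies the profiling conditions the analysis describes (64-bit Windows, not a WOW64 process, Chrome major version 65 or later) to list which internal hosts could have been served the exploit. The log format, the `triage` and `matches_profile` helpers and the sample lines are constructed assumptions.

```python
import re

# Constructed sample log lines (not from the report): client IP, quoted user agent, requested path.
SAMPLE_LOG = [
    '10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36" /',
    '10.0.0.6 "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36" /',
    '10.0.0.7 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" /',
    '10.0.0.8 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36" /',
    '10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0" /',
]

LOG_RE = re.compile(r'^(\S+) "([^"]*)" (\S+)$')   # assumed log layout: ip "ua" path
CHROME_RE = re.compile(r'\bChrome/(\d+)\.')


def chrome_major(ua):
    """Return the Chrome major version from a user-agent string, or None if it is not Chrome."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def matches_profile(ua, min_version=65):
    """True when the user agent meets the conditions the profiling script checked:
    Windows, 64-bit build, not running under WOW64, Chrome major version >= 65."""
    is_windows = "Windows NT" in ua
    is_win64 = "Win64" in ua and "x64" in ua
    is_wow64 = "WOW64" in ua
    ver = chrome_major(ua)
    return is_windows and is_win64 and not is_wow64 and ver is not None and ver >= min_version


def triage(log_lines):
    """Return the client IPs whose browsers would have passed the profiler and so need follow-up."""
    exposed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole triage
        ip, ua, _path = m.groups()
        if matches_profile(ua):
            exposed.append(ip)
    return exposed


if __name__ == "__main__":
    for ip in triage(SAMPLE_LOG):
        print("review host:", ip)
```

Only the first sample host passes: the WOW64 browser, the Chrome 64 build, the macOS client and the Firefox client are all excluded by the conditions quoted above.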

Once the exploit code is successfully triggered, the attackers deliver an encrypted payload disguised as a .jpg file; it is then decrypted, and an executable file is dropped and run.

Kaspersky researchers revealed only that the final payload gains persistence through the Windows Task Scheduler and has a modular structure, with a main module able to download further modules from the C2 server.

The analysis published by Kaspersky includes additional details about the attack, including the Indicators of Compromise (IoCs).

This year Google also addressed another zero-day flaw in the Chrome browser tracked as CVE-2019-5786 that was actively exploited in attacks in the wild.

Pierluigi Paganini
