7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.
Cybersecurity firm Volexity attributed the watering hole attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021.
The โclever disguise of exploit code amongst legitimate codeโ and the use of custom malware enables the attackers to avoid detection, Volexity researchers said.
The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in August 2020 and March 2021. Successful exploitation resulted in the deployment of a Cobalt Strike stager and novel backdoor called BLUELIGHT.
Itโs worth noting that both the flaws have been actively exploited in the wild, with the latter put to use by North Korean hackers to compromise security researchers working on vulnerability research and development in a campaign that came to light earlier this January.
In a separate set of attacks disclosed last month, an unidentified threat actor was found exploiting the same flaw to deliver a fully-featured VBA-based remote access trojan (RAT) on compromised Windows systems.
BLUELIGHT is used as a secondary payload following the successful delivery of Cobalt Strike, functioning as a full-featured remote access tool that provides complete access to a compromised system.
In addition to gathering system metadata and information about installed antivirus products, the malware is capable of executing shellcode, harvesting cookies and passwords from Internet Explorer, Microsoft Edge, and Google Chrome browsers, collecting files and downloading arbitrary executables, the results of which are exfiltrated to a remote server.
โWhile SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,โ the researchers noted. โThe use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.โ
Found this article interesting? Follow THN on Facebook, Twitter ๏ and LinkedIn to read more exclusive content we post.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C