Signals relating to DarkHotel operator tradecraft have been flagging our CTI engine since early November 2019. Over the past three weeks, we have seen PoC exploit code become publicly available that directly copies suspected DarkHotel activity (the WizardOpium attack chain). It wasn't until I received an email from a colleague early this morning, asking if I had insight into the attack on the World Health Organization (WHO), that I began to correlate these signals.

The resulting analysis may indicate that adversaries (not necessarily DarkHotel) may adopt and utilize DarkHotel tradecraft against unpatched systems. Systems whose patches are slightly out of date, due to a lack of automation or specific environmental requirements, may be at significant risk of being breached by the chained former zero-day exploits that were presumably used by DarkHotel in the WizardOpium campaign. Specifically, Google Chrome versions below 78.0.3904.70 and various unpatched versions of Windows are affected, both personal and server operating systems. Furthermore, there is a significant amount of how-to documentation, commentary and publicly available exploit code that drastically reduces the barrier to entry for this level of sophisticated attack.

It has been our experience thus far that when former advanced-operator zero-day code becomes publicly available, system breaches increase, regardless of community security awareness or patch availability. Given the recent attack on WHO, the suspected attribution to DarkHotel, and former DarkHotel zero-day signals trending across our sensors, we feel that the WizardOpium attack chain may be leveraged against unpatched systems in the near future by other malicious actors, or by actors looking to fly a false flag. Lastly, this wealth of knowledge may be used as a jump-off point to empower the next generation of zero-day exploit vectors.
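The one concrete patch threshold the post gives is Chrome 78.0.3904.70, so the first defensive step is finding which hosts still run anything older. The script below is an added example, not code from the original post: it takes a constructed `hostname,chrome_version` inventory (the column layout is an assumption) and buckets hosts as vulnerable, patched or unknown, comparing versions numerically so that a string like `9.9.9.9` is not ranked above `78.x` the way a plain text sort would.

```python
from typing import Dict, List, Optional, Tuple

# Chrome 78.0.3904.70 shipped the fix for CVE-2019-13720 (threshold stated in the post).
CHROME_FIXED_VERSION = "78.0.3904.70"

# Constructed sample inventory, one "hostname,chrome_version" per line.
# ws-04 is deliberately odd: it shows why lexical comparison is wrong.
SAMPLE_INVENTORY = """\
ws-01,78.0.3904.70
ws-02,77.0.3865.120
ws-03,78.0.3904.108
ws-04,9.9.9.9
ws-05,not-installed
ws-06,78.0.3904.7
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'a.b.c.d' into a tuple of ints; None if any field is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable_chrome(version: str, fixed: str = CHROME_FIXED_VERSION) -> Optional[bool]:
    """True if version is below the fixed build, False if not, None if unparseable."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    # Pad the shorter tuple with zeros so '78.0' compares as '78.0.0.0'.
    width = max(len(v), len(f))
    return v + (0,) * (width - len(v)) < f + (0,) * (width - len(f))


def triage_inventory(inventory: str) -> Dict[str, List[str]]:
    """Bucket hosts into 'vulnerable', 'patched' and 'unknown' (version not parseable)."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        state = is_vulnerable_chrome(version)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(host.strip())
    return buckets
```

Hosts landing in the "unknown" bucket need a manual look rather than being treated as patched; on the sample inventory the vulnerable bucket is `ws-02`, `ws-04` and `ws-06`.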
WizardOpium Attack Chain
"The WizardOpium attack chained together the Chrome zero-day (CVE-2019-13720) as well as a Windows zero-day privilege elevation vulnerability to install the malware. 'During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox,' Kaspersky explains.
The Windows zero-day is tracked as CVE-2019-1458 and it was used to gain elevated privileges on Windows machines and escape the Chrome sandbox to install the malware payload. Both of these vulnerabilities have now been patched and this exploit chain is broken."
Additionally, the WizardOpium attack chain was initially delivered through drive-by compromise. “A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring application access tokens.”
Technical details and PoC source code are referenced by number in the “WizardOpium Attack Chain Timeline” below.
WizardOpium Attack Chain Timeline (CVE-2019-13720 & CVE-2019-1458)