Chrome 0-day Exploit CVE-2019-13720 Used in Operation WizardOpium (Nov 1, 2019)

Security researchers from Kaspersky have discovered a new vulnerability in Google's Chrome browser, registered as CVE-2019-13720. Attacks using this zero-day are being referred to as "Operation WizardOpium", and there is not yet any clear evidence linking the attacks to known threat actors. The zero-day was exploited by placing malicious JavaScript code on a Korean-language news portal. The script loads a profiling script which checks whether the victim is running Google Chrome version 65 or higher. If the Chrome version condition is met, the script makes requests to the attacker-controlled Command and Control (C2) server. These requests download encrypted chunks of exploit code. An image file is sent as well, with an embedded key to decrypt the final payload. Once the chunks are concatenated and the payload decrypted, the attacker has a new piece of JavaScript code to exploit the browser. The exploit code performs a series of memory allocation and free operations that give the attacker read/write primitives. These are used to create an object through which a shellcode payload can be executed.

Recommendation: Once the zero-day was reported by Kaspersky, Google released a patch for the vulnerability in Chrome version 78.0.3904.87. It is advised that all companies and users keep all applications in use up to date. Actors tend to keep exploiting such vulnerabilities even after a patch is released, because many users do not update their applications and because details of the vulnerability are reported in open sources.
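One way to act on this recommendation is to check web proxy logs for clients still running a Chrome build older than the patched release, and to note which of those fall in the version range the profiling script looked for. The example below is added here and is not code from the original briefing or from Kaspersky; the log lines are constructed, and the log format (client IP, request, quoted User-Agent) is an assumption.

```python
import re

# Chrome build that fixed CVE-2019-13720 (from the briefing above).
PATCHED = (78, 0, 3904, 87)
# Lowest major version the in-the-wild profiling script checked for.
PROFILED_MIN_MAJOR = 65

UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+){0,3})")

def parse_chrome_version(user_agent):
    """Return the Chrome version as a 4-tuple of ints, or None if not Chrome."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so tuple comparison works on short versions.
    return tuple(parts + [0] * (4 - len(parts)))

def classify(user_agent):
    """Classify a client against the patched build and the profiled range."""
    v = parse_chrome_version(user_agent)
    if v is None:
        return "not-chrome"
    if v >= PATCHED:
        return "patched"
    if v[0] >= PROFILED_MIN_MAJOR:
        return "unpatched-targeted"   # matches what the profiling script looked for
    return "unpatched-older"          # still unpatched, outside the profiled range

# Constructed proxy log lines (hypothetical format): client IP, request, User-Agent.
SAMPLE_LOG = """\
10.0.0.5 GET /news/ "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0.3904.70 Safari/537.36"
10.0.0.6 GET /news/ "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0.3904.87 Safari/537.36"
10.0.0.7 GET /news/ "Mozilla/5.0 (Windows NT 6.1) Chrome/64.0.3282.140 Safari/537.36"
10.0.0.8 GET /news/ "Mozilla/5.0 (Windows NT 10.0) Firefox/70.0"
"""

def scan_log(log_text):
    """Map each client IP to its classification; later lines overwrite earlier ones."""
    results = {}
    for line in log_text.splitlines():
        ip, _, rest = line.partition(" ")
        results[ip] = classify(rest)
    return results

if __name__ == "__main__":
    for ip, status in scan_log(SAMPLE_LOG).items():
        print(ip, status)
```

Other Chromium-based browsers also carry a `Chrome/` token in their User-Agent, so matches should be confirmed against the vendor's own patch schedule before raising a ticket.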
