South Korean security firm ENKI says it has identified a still unpatched and previously undisclosed Internet Explorer 0day that it says has been used in a string of recent attacks on security researchers.
ENKI researcher Sae-han Park told The Stack that they had tried to disclose the bug to Microsoft, sending through a proof-of-concept (POC), but had no response. Park said the 0day is in the latest version of IE, as tested on Windows 10 and Windows 8.1.
Park told us that they had tried to disclose via https://msrc.microsoft.com/report/abuse and by email, with no response. We have also contacted Microsoft for comment. ENKI says it is holding off releasing the POC until the bug is patched, although it is being exploited in the wild in attacks on security researchers.
The claim comes after Google's Threat Analysis Group (TAG) revealed that security professionals were being targeted by a social engineering campaign that uses dedicated research blogs and a network of Twitter profiles to interact with potential targets, luring them into collaborating on malware-laced research projects. ENKI was also targeted in the campaign.
Several security researchers had been compromised after visiting a website set up by the attackers, but the precise mechanism behind the exploit was not clear to TAG at the time.
"At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we're unable to confirm the mechanism of compromise, but we welcome any information others might have," TAG said on Jan 25.
ENKI says it is likely to have involved an Internet Explorer zero day. In a Korean language blog published January 4, the company's researchers said that attackers had requested participation in a project ostensibly involving the exploit of MacOS [nb: the whole campaign was built around fake collaboration on 0days].
They then shared a file "designed to enable the JavaScript function and read the contents of [an] article completely when the button action is activated." [Sic. Translated].
"This is presumed to have led the target to use the Internet Explorer browser. If script execution is allowed, the additional payload is downloaded twice from the remote site and the secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser", ENKI said. [As per Google Translate].
Further details in this ENKI blog.
TAG has attributed the campaign to North Korean actors.
More to follow.