Microsoft announced that it is developing a fix for a zero-day vulnerability in Internet Explorer that was exploited in the wild by a hacking group known as DarkHotel. The vulnerability, tracked as CVE-2020-0674 and classed as a memory corruption issue, affects the scripting engine (jscript.dll) in Internet Explorer versions 9, 10, and 11 running on Windows 7, 8.1, and 10, and on Windows Server 2008, 2012, 2016, and 2019.
Microsoft stated that attackers can exploit the flaw to achieve remote code execution on the targeted device by tricking a user into visiting a malicious website or clicking a link sent via email. The company released a security advisory, ADV200001, which includes a workaround to apply in order to protect vulnerable systems until a patch is available.
In its advisory, Microsoft explained, “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
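The workaround in ADV200001 is to restrict access to jscript.dll so Internet Explorer cannot load the vulnerable engine. The script below is an added example, not Microsoft's code: it wraps the takeown/cacls commands the advisory documents in a PowerShell script that also verifies the resulting ACL, and adds a -Undo switch to revert the change. The switch name and the verification step are this example's own additions; run it from an elevated prompt, and try it on a test system first.

```powershell
# Added example: apply (or undo) the ADV200001 workaround for CVE-2020-0674 by
# denying Everyone access to jscript.dll, then verify the ACL actually changed.
# Not Microsoft's script; the takeown/cacls lines mirror the advisory's workaround.
# The -Undo switch and the Get-Acl check are assumptions of this example.
[CmdletBinding()]
param(
    [switch]$Undo   # revert the deny entry instead of applying it
)

# jscript.dll lives in System32 on every affected system; 64-bit Windows also
# ships a 32-bit copy under SysWOW64, which the advisory locks down as well.
$targets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

foreach ($dll in $targets) {
    if (-not (Test-Path -Path $dll)) {
        Write-Warning "Not found, skipping: $dll"
        continue
    }

    if ($Undo) {
        # Remove the explicit entry for Everyone added below (ownership is left as-is).
        cacls $dll /E /R everyone | Out-Null
    } else {
        # Take ownership so the ACL can be edited, then deny Everyone all access.
        takeown /f $dll | Out-Null
        cacls $dll /E /P everyone:N | Out-Null
    }

    # Verify: look for an explicit Deny ACE for Everyone (well-known SID S-1-1-0).
    $acl = Get-Acl -Path $dll
    $denyForEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }

    if ($Undo) {
        if ($denyForEveryone) { Write-Warning "$dll still carries a Deny ACE for Everyone" }
        else                  { Write-Output  "Workaround removed: $dll" }
    } else {
        if ($denyForEveryone) { Write-Output  "Workaround applied: $dll" }
        else                  { Write-Warning "No Deny ACE for Everyone found on $dll" }
    }
}
```

Two caveats from the advisory itself: the workaround can reduce functionality for components or features that rely on jscript.dll (Internet Explorer 11 uses jscript9.dll by default, so the browser itself is largely unaffected), and it should be reverted once the security update is installed so the patched file can be serviced normally.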
In a separate action, Microsoft recently seized 50 domains operated by a North Korean hacking group it calls Thallium. The company stated that attackers used these domains to launch cyberattacks against targets in several countries, including the U.S., Japan, and South Korea.
The news came to light when Microsoft filed a lawsuit against Thallium in the U.S. District Court for the Eastern District of Virginia. The court ordered that control of the 50 domains Thallium was using for its operations be transferred to Microsoft; as a result, those sites can no longer be used to carry out attacks.
Microsoft said its Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) had been tracking Thallium for months, gathering information on its operations. The domains were used to send spear-phishing emails containing a malicious link: the targeted victim is tricked into clicking the link and entering their credentials into a look-alike login page hosted on attacker-controlled infrastructure, where the entered details are captured and stored by the attackers.