3 April 2020

DarkHotel hackers exploited flaws in Firefox and IE in attacks on China, Japan


An APT (Advanced Persistent Threat) group has been exploiting vulnerabilities in the Mozilla Firefox and Internet Explorer browsers as part of a campaign aimed at targets in China and Japan.

The flaws in question are CVE-2019-17026 (Firefox) and CVE-2020-0674 (IE), which were patched by Mozilla in early January and by Microsoft in February of this year, respectively. Both vulnerabilities were exploited in the wild before the patches were released.

The CVE-2019-17026 flaw is an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement,” where IonMonkey is the Just-in-Time (JIT) compiler for Firefox’s SpiderMonkey JavaScript engine.

CVE-2020-0674 is a remote code execution vulnerability, which could be exploited by tricking a user into opening a specially crafted webpage.

According to the Chinese cybersecurity firm Qihoo 360, which reported the attacks, the hackers chained the CVE-2019-17026 Firefox exploit with the CVE-2020-0674 IE exploit in the same campaign.

The experts have attributed the campaign to the threat actor known as DarkHotel, which the company tracks as APT-C-06. Qihoo says the group operates from East Asia and refers to it as the “Peninsula APT.”

Earlier this week Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report detailing attacks that exploit both vulnerabilities and target Japanese entities.

According to the report, targeted users are directed to a malicious website that serves an exploit matching the user’s browser. If the exploit succeeds, a proxy auto-configuration (PAC) file is dropped onto the victim’s machine. The PAC file causes requests to specified websites to be routed through an external proxy server under the attackers’ control, while all other traffic goes out directly, which gives the attackers a man-in-the-middle position on selected sites without disturbing the rest of the victim’s browsing.

The final payload in the observed attacks is Gh0st RAT, a widely used remote access tool for controlling infected endpoints that was originally associated with threat groups in China. Its source code has been public for several years, and it has since been adopted by many different groups, so its presence alone is not a reliable attribution indicator.

JPCERT/CC noted that the malware only runs on 64-bit Windows 7 and Windows 8.1 machines; it does not appear to work on Windows 10.
