Tuesday, April 22, 2025
HomeExploitHackers Used Windows 0-day Exploit CVE-2019-1458 in Operation WizardOpium Cyber Attacks

Hackers Used Windows 0-day Exploit CVE-2019-1458 in Operation WizardOpium Cyber Attacks

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a newly patched Windows Zero-day vulnerability exploit already used in Operation WizardOpium attacks along with Chrome Zero-day exploit in last month.

GBHackers reported Operation WizardOpium attacks in November, and the attack was initially observed by Kaspersky researchers who have already uncovered a Google Chrome 0-day exploit that was used in the part of the attack.

Further detailed investigation revealed that the exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine and also escape the Chrome process sandbox.

- Advertisement - Google News

Researchers observed the 2 different stages in EoP exploit, one is a tiny PE loader and another one is an actual exploit. Kaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic.

EoP exploit indicates that the vulnerability it used belongs to the win32k.sys driver and that the EoP exploit was the 0-day exploit, and it was confirmed by the researchers when they have tested with an exploit against the latest (patched) versions of Windows 7 and even on a few builds of Windows 10.

Exploit Chrome and Bypass Sandbox Restriction

To bypass the Chrome sandbox restriction, attackers using vulnerable Javascript to achieving a read/write primitive in the renderer process of the browser to corrupts some pointers in memory to redirect code execution to the PE loader using PE exploit.

Later PE loader tries to locate the embedded DLL file in the Exploit, and continue the same process such as parsing PE headers, handling imports/exports and more.

Later the code execution process will be redirected to the entry point of the DLL ( DllEntryPoint) function.

” The PE code then creates a new thread, which is an entry point for the exploit itself, and the main thread simply waits until it stops. “

EoP exploit used in the attack (Credits: Kaspersky)

According to Kaspersky research ” The vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That’s why the exploit’s code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation.”

Details about how Exploit gets an arbitrary kernel read/write primitive is explained here. Once it obtained, then used to perform privilege escalation on the target system.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index

Trend Micro's Cyber Risk Exposure Management (CREM) solution has highlighted the critical role that...

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious...

Samsung One UI Vulnerability Leaks Sensitive Data in Plain Text With No Expiration!

A glaring vulnerability has come to light within Samsung's One UI interface: the clipboard...

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands

A new malware named "RustoBot" has been discovered exploiting vulnerabilities in various router models...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Critical Flaw in Windows Update Stack Enables Code Execution and Privilege Escalation

A newly discovered vulnerability in the Windows Update Stack, tracked as CVE-2025-21204, has sent...

Hackers Bypassed Windows Defender Policies Using WinDbg Preview via Microsoft Store

A newly documented technique reveals how attackers can exploit the WinDbg Preview debugger to...

RDP and MS Office Vulnerabilities Abused by Kimusky in Targeted Intrusions

The AhnLab SEcurity intelligence Center (ASEC) has released a detailed analysis of a sophisticated...