InkySquid State Actor Exploiting Known IE Bugs
2021-08-19 20:19

The InkySquid advanced persistent threat group, which researchers have linked to the North Korean government, was caught launching watering hole attacks against a South Korean newspaper using known Internet Explorer vulnerabilities.

"As with the initial redirect, the attacker chose to bury their malicious code amongst legitimate code. In this case, the attacker used the 'bPopUp' JavaScript library alongside their own code."

The code, which the attackers camouflaged among real content, is consistent with Internet Explorer bug CVE-2020-1380, the report said.

Another similar attack from the InkySquid group leveraged CVE-2021-26411 to attack Internet Explorer as well as legacy versions of Microsoft Edge, according to Volexity.

The group has also developed a new malware family that the report calls "Bluelight" - a name that was chosen because the word "Bluelight" was used in the malware's program database code.

While leveraging known IE bugs won't work on a wide swath of targets, once a system is infected, detection is difficult thanks to the use of legitimate code as cover.


News URL

https://threatpost.com/inkysquid-exploiting-ie-bugs/168833/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
| --- | --- | --- | --- |
| 2021-03-11 | CVE-2021-26411 | Use After Free vulnerability in Microsoft Edge and Internet Explorer. Internet Explorer Memory Corruption Vulnerability. (network, low complexity, microsoft, CWE-416) | 8.8 |
| 2020-08-17 | CVE-2020-1380 | Out-of-bounds Write vulnerability in Microsoft Internet Explorer 11. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. (local, low complexity, microsoft, CWE-787) | 7.8 |