Operation WizardOpium

Description

(Kaspersky) Kaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google’s Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720.

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus Group, Hidden Cobra, Labyrinth Chollima attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

Names

Name | Name-Giver
Operation WizardOpium | Kaspersky

Country

Motivation

  • Information theft and espionage

First Seen

2019

Observed Countries

Information

Other Information

Uuid

d25e7c98-dbe9-45c7-8052-1108add0a929

Last Card Change

2020-07-02