The team at Enki have discovered a vulnerability in Internet Explorer that has been used in campaigns targeting security researchers; it abuses the browser's render process to execute malicious code and exfiltrate data from the victim machine. It should be noted that this exploit is contained within the low-integrity sandbox, so in order to gain persistence on the machine another exploit must be chained to this attack. What is striking about this initial attack vector is the ease with which it executes. If the more obvious approach, where a user would need to approve activity in a popup box, is unsuccessful, the exploit can be deployed instantly from a malicious ad hosted on a benign website. Phishing emails that redirect unsuspecting users are all too common and successful.
Actively exploited zero-day vulnerabilities are regularly used as attack vectors by APT groups and ransomware groups. Vulnerabilities in web browsers are especially troublesome because they may require nothing more than the targeted person clicking a link and visiting a web page to trigger an exploit. At the time of writing, Microsoft has yet to address this vulnerability. It is imperative to have a data backup policy in place and contingency options available. Application whitelisting and filtering web traffic to block sites with low reputation scores will strengthen defenses, along with network segmentation to mitigate lateral movement. The strongest solution is to operate a 24/7 Security Operations Center (SOC), including threat hunting and active intelligence that seeks out threats and abnormal user activity that could signal an intrusion.
https://enki.co.kr/blog/2021/02/04/ie_0day.html# (Korean – English translation available on site)
https://insights.sei.cmu.edu/sei_blog/2020/10/network-segmentation-concepts-and-practices.html (Network Segmentation reference.)