
North Korean Groups Share Zero-Day Exploit in Chrome

Two North Korean threat groups abused a zero-day remote code execution vulnerability in the Google Chrome web browser. The flaw was exploited for over a month before a patch was made available.

About the attack campaigns

Google’s Threat Analysis Group (TAG) discovered and linked two campaigns abusing the CVE-2022-0609 bug in Google Chrome to two separate groups supported by North Korea.
  • One of the two groups has been observed focusing on more than 250 individuals working for 10 different domain registrars, news media, software vendors, and web hosting providers.
  • The targets received phishing emails with fake job opportunities from multiple recruiters. Further, the emails contained spoofed links serving hidden iframes to trigger an exploit.
  • The second campaign used the same exploit kit for CVE-2022-0609, targeting 85 users in cryptocurrency and fintech firms, and it was linked with the same group behind Operation AppleJeus.

The abuse of the zero-day flaw

The victims were targeted using emails, fake websites, or compromised legitimate websites with exploit kits for CVE-2022-0609, which is a use-after-free bug in Animation in Google Chrome.
  • Researchers discovered the campaigns on February 10. The vulnerability was fixed four days later in a Google Chrome update. However, the flaw had already been exploited via an exploit kit on January 4, 2022.
  • Analyzing the exploit revealed that the attacker had added various obfuscation features, such as the use of one-time-click policies for emails, serving iframes at specific times, and the use of AES encryption at each stage of infection.
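Both campaigns delivered the exploit through hidden iframes embedded in lure pages or compromised sites. The following is an added defender-side example, not code from the article or from Google TAG: a small scanner that walks captured HTML and flags iframes that are hidden by style, hidden by an ancestor element, or sized to zero. The sample page and all hostnames in it are constructed for the example, and the hiding heuristics are assumptions that cover the common patterns rather than every possible one.

```python
"""Flag hidden iframes in captured HTML (added example; heuristics are assumptions)."""
import re
from html.parser import HTMLParser

# Constructed sample: a fake job-offer page with one visible iframe and two hidden ones.
SAMPLE_HTML = """
<html><body>
<h1>Senior Engineer Opening</h1>
<p>Click <a href="https://jobs.example.test/apply">here</a> to apply.</p>
<iframe src="https://video.example.test/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.example.test/x.html" width="0" height="0" style="display:none"></iframe>
<div style="visibility:hidden"><iframe src="https://cdn.example.test/y.html"></iframe></div>
</body></html>
"""

# Inline style values that make an element (and its children) invisible.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

# Void elements never get a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


def _is_zero(value):
    """True if a width/height attribute starts with the number 0 (e.g. "0" or "0px")."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


class HiddenIframeFinder(HTMLParser):
    """Tracks hidden ancestors so iframes inside a hidden <div> are caught too."""

    def __init__(self):
        super().__init__()
        self._stack = []        # one bool per open element: was it hidden itself?
        self._hidden_depth = 0  # how many open ancestors are hidden
        self.findings = []      # list of {"src": ..., "reasons": [...]}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        hidden_self = bool(HIDDEN_STYLE.search(a.get("style", ""))) or "hidden" in a
        if tag == "iframe":
            reasons = []
            if hidden_self:
                reasons.append("hidden style")
            if self._hidden_depth:
                reasons.append("hidden ancestor")
            if _is_zero(a.get("width")) or _is_zero(a.get("height")):
                reasons.append("zero size")
            if reasons:
                self.findings.append({"src": a.get("src", ""), "reasons": reasons})
        if tag not in VOID:
            self._stack.append(hidden_self)
            if hidden_self:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1


def find_hidden_iframes(html):
    """Return the hidden iframes found in an HTML document, in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {hit['src']} ({', '.join(hit['reasons'])})")
```

Because the campaign served its iframes only at specific times and gated links to a single click, a page fetched later by an analyst may no longer contain the frame; run a check like this on the HTML as captured at delivery time (mail gateway, proxy, or browser telemetry) rather than on a re-fetch.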

Additionally, the attackers also appeared to be interested in other web browsers, such as Safari on macOS and Firefox.

Concluding notes

North Korea-supported attackers are actively targeting multiple industries globally with U.S. organizations being their prime target. Attackers exploiting a zero-day flaw before a patch release leave security teams in a tight spot. Organizations are recommended to adopt proactive security measures and implement multiple layers of security to tackle such threats.
Publisher: Cyware