North Korean Hackers Exploit Chrome Zero-Day Weeks Before Patch
North Korean state hackers exploited a zero-day remote code execution vulnerability in the Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations.
Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.
In a report shared in advance with BleepingComputer, Google TAG details the tactics, techniques, and procedures (TTPs) related to these activities, which targeted more than 330 individuals. The victims were targeted via emails, fake websites, or compromised legitimate websites that would ultimately activate the exploit kit for CVE-2022-0609.
Analyst comments:
One of the two North Korean threat subgroups focused on more than “250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.” Google TAG notes that in the campaign it discovered the targets received phishing emails with fake job opportunities from recruiters at Disney, Google and Oracle. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter. Upon clicking on the links, victims would be served with a hidden iframe that triggered the zero-day exploit.
The second group, attributed to Operation AppleJeus (Lazarus Group), used the same exploit to target more than 85 users in cryptocurrency and fintech industries. According to Google TAG, the group was able to compromise at least two legitimate fintech company websites, further using the domains to host hidden iframes serving the exploit kit to victims.
"The researchers say that the initial activity of the kit was to fingerprint the target system by collecting details like user-agent and screen resolution. If this data matched a set of specific requirements (unknown at this time), the client received a Chrome remote code execution (RCE) and JavaScript code that requested a sandbox escape, to move out of the confinements of the web browser, onto the system" (Bleeping Computer, 2022).
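The hidden-iframe delivery described above is something a site owner can look for on their own pages. The following is an added example, not code from the report or from Google TAG: it flags iframes that are hidden by inline CSS or by zero or 1px dimensions and that load from a host other than the site itself. The site host name and the sample HTML are constructed for illustration.

```python
# Added example (not from the original report): flag hidden <iframe> elements
# that load content from a third-party host, the delivery pattern described above.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class HiddenIframeScanner(HTMLParser):
    """Collect iframe src values that are visually hidden and point off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            return True
        # Zero or 1px dimensions, given as attributes or as inline CSS.
        dims = [attrs.get("width"), attrs.get("height")]
        dims += re.findall(r"(?:width|height):(\d+)(?:px)?", style)
        return any(str(d).strip("px ") in ("0", "1") for d in dims if d is not None)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        # A relative src loads from the site itself, so treat it as same-host.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host != self.site_host and self._is_hidden(attrs):
            self.findings.append(src)


def scan_hidden_iframes(html_text, site_host):
    """Return the src of every hidden, off-site iframe found in html_text."""
    parser = HiddenIframeScanner(site_host)
    parser.feed(html_text)
    return parser.findings


# Constructed sample page: one normal embed, one same-host hidden frame (not
# flagged), and two hidden frames pulling from other hosts (flagged).
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.example-evil.invalid/x.html" style="display: none"></iframe>
<iframe src="/partner.html" width="0" height="0"></iframe>
<iframe src="http://tracker.example.invalid/p" width="1" height="1"></iframe>
</body></html>
"""
```

Iframes injected later by script, or using `srcdoc` instead of `src`, are not covered by this static check and need a rendered-DOM scan.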
Mitigation:
It has been quite some time since a patch was released for this Chrome zero-day vulnerability. Anyone who has yet to update their Chrome browser to the latest version should do so as soon as possible. This can be done from the Chrome menu > Help > About Google Chrome.
Source:
https://www.bleepingcomputer.com/ne...s-exploit-chrome-zero-day-weeks-before-patch/