North Korean state hackers exploited a zero-day remote code execution vulnerability in the Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, and cryptocurrency and fintech organizations.
Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.
In a report shared in advance with BleepingComputer, Google TAG details the tactics, techniques, and procedures (TTPs) related to these activities, which targeted more than 330 individuals. The victims were targeted via emails, fake websites, or compromised legitimate websites that would ultimately activate the exploit kit for CVE-2022-0609.
One of the two North Korean threat subgroups focused on more than "250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors." Google TAG notes that in the campaign it observed, targets received phishing emails carrying fake job offers from recruiters at Disney, Google and Oracle. The emails contained links spoofing legitimate job hunting websites such as Indeed and ZipRecruiter. When a target clicked one of the links, the landing page loaded a hidden iframe that triggered the zero-day exploit.
The second group, attributed to Operation AppleJeus (Lazarus Group), used the same exploit to target more than 85 users in the cryptocurrency and fintech industries. According to Google TAG, the group compromised at least two legitimate fintech company websites and then used those domains to host hidden iframes that served the exploit kit to visitors.
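Both campaigns above delivered the exploit through a hidden iframe, either on a spoofed job site or injected into a compromised legitimate site. The following is an added example (not code from Google TAG or from this article) of the kind of check a site owner or incident responder can run over fetched HTML to surface that delivery pattern: it flags iframes that are invisible to the user (zero size, hidden via inline style, or carrying the hidden attribute) and notes whether the frame source is cross-origin relative to the page. The sample pages and host names are constructed for illustration and are not the campaign's infrastructure.

```python
"""Flag hidden iframes in HTML, the delivery mechanism used in both campaigns.

Added example, not code from the TAG report or BleepingComputer. The sample
pages below are constructed for illustration; no real campaign URLs are used.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an iframe invisible to the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(dim):
    """True for width/height values of 0, with or without a px unit."""
    return re.fullmatch(r"\s*0+(?:px)?\s*", dim or "") is not None


def _same_origin(page_url, src):
    """True when src resolves to the same scheme and host as the page."""
    p, s = urlparse(page_url), urlparse(src)
    if not s.netloc:  # relative URL: same origin by definition
        return True
    return (s.scheme or p.scheme, s.netloc) == (p.scheme, p.netloc)


def find_hidden_iframes(page_url, html):
    """Return (src, reason) for each iframe that is hidden from the user.

    A hidden cross-origin frame is the pattern a compromised site uses to pull
    in an exploit kit from attacker infrastructure; same-origin hidden frames
    are reported too, with a distinct label, since the kit could be hosted on
    the compromised site itself.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for f in collector.frames:
        src = f.get("src", "")
        reasons = []
        if _is_zero(f.get("width")) or _is_zero(f.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in f:
            reasons.append("hidden-attr")
        if not reasons:
            continue
        origin = "same-origin" if _same_origin(page_url, src) else "cross-origin"
        hits.append((src, f"{origin}:{'+'.join(reasons)}"))
    return hits


# Constructed sample: a page with a visible embedded player and a zero-size,
# display:none frame pulling content from another host (hypothetical names).
SAMPLE_COMPROMISED = """
<html><body>
<h1>Quarterly update</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="https://cdn-static.example.net/ld.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

# Constructed sample: only a visible, same-origin embed.
SAMPLE_CLEAN = """
<html><body>
<iframe src="/embed/chart" width="400" height="300"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)):
        print(name, find_hidden_iframes("https://www.example.com/news", page))
```

The check is deliberately conservative: it only looks at the iframe's own attributes and inline style, so a frame hidden by an external stylesheet or by script after load will not be flagged. For triage of a suspected compromised site, pair it with a diff of the served HTML against a known-good copy from source control or a cached crawl.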
It has been quite some time since a patch was released for this Chrome zero-day vulnerability. Anyone who has yet to update Chrome to the latest version should do so as soon as possible. Opening the Chrome menu > Help > About Google Chrome checks for the update and installs it; a relaunch is then required for the patched version to take effect.