

North Korean state hackers exploited a zero-day remote code execution vulnerability in the Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations.
Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the time) to two separate attacker groups backed by the North Korean government.
Exploit actively deployed since early January
In a report shared in advance with BleepingComputer, Google TAG details the tactics, techniques, and procedures (TTPs) related to these activities, which targeted more than 330 individuals.
The victims were targeted via emails, fake websites, or compromised legitimate websites that would ultimately activate the exploit kit for CVE-2022-0609.
Google TAG discovered the campaigns on February 10, and Google addressed the vulnerability in an emergency Chrome update four days later.
However, the researchers say that the earliest signs of the zero-day vulnerability being actively exploited were found on January 4, 2022.
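Because the exploit was in use for roughly a month before the fix shipped, the first defensive step after such a disclosure is confirming that every managed endpoint actually runs a Chrome build at or above the patched one. The script below is an added example, not code from the article or from Google TAG. The inventory lines and the minimum version it checks against are constructed sample values (the article does not name the patched build number, so `DEMO_MIN_VERSION` is a placeholder to be replaced with the build from the vendor's release notes); the host names and the `hostname<TAB>version` export format are assumptions.

```python
"""Fleet Chrome version triage (added example, not from the article or Google TAG).

Reads constructed 'hostname<TAB>version string' records, as an endpoint agent
might export them, and buckets hosts into patched / vulnerable / unknown
against a minimum build. Chrome versions are four numeric components
(major.minor.build.patch) and must be compared numerically, not as strings.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Matches a four-part Chrome build number anywhere in a line, e.g. in
# "Google Chrome 98.0.4758.80" or a bare "99.0.4844.51".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a major.minor.build.patch tuple from free text; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_patched(version: Version, minimum: Version) -> bool:
    """Tuple comparison handles multi-digit components correctly; a plain
    string comparison would rank '98.0.4758.80' above '98.0.4758.100'."""
    return version >= minimum


def triage_inventory(lines: List[str], minimum: str) -> Dict[str, List[str]]:
    """Split inventory records into patched / vulnerable / unknown buckets.

    'unknown' collects hosts whose agent reported no parsable version; those
    need a manual look rather than silently counting as patched.
    """
    min_v = parse_version(minimum)
    if min_v is None:
        raise ValueError(f"bad minimum version: {minimum!r}")
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the export
        host, _, raw = line.partition("\t")
        v = parse_version(raw)
        if v is None:
            result["unknown"].append(host)
        elif is_patched(v, min_v):
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory; host names and versions are not real data.
SAMPLE_INVENTORY = [
    "# host\tversion string as reported by the endpoint agent",
    "ws-01\tGoogle Chrome 98.0.4758.80",
    "ws-02\tGoogle Chrome 98.0.4758.100",
    "ws-03\t99.0.4844.51",
    "ws-04\tGoogle Chrome 97.0.4692.99",
    "ws-05\tnot installed",
]

# PLACEHOLDER threshold for the demo: replace with the build named in the
# vendor advisory as the first one containing the fix.
DEMO_MIN_VERSION = "98.0.4758.100"

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY, DEMO_MIN_VERSION)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: an agent that cannot read a version is a gap in coverage, and treating it as patched would hide exactly the hosts an attacker relying on an unpatched browser would reach.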
The link to the North Korean hackers, also referred to as the Lazarus Group, comes from one of the campaigns, which has direct infrastructure overlap with activity attributed to the same threat actor last year: the targeting of security researchers using fake Twitter and LinkedIn social media accounts.