Chrome Zero-Day from North Korea (Security News, March 2022)

North Korean hackers have been exploiting a zero-day in Chrome.
The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups.
The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users.
If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional JavaScript.
We unfortunately were unable to recover any of the stages that followed the initial RCE. Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages.
The exploit kit would AES-encrypt each stage, including the clients' responses, with a session-specific key.
News URL: https://www.schneier.com/blog/archives/2022/03/chrome-zero-day-from-north-korea.html
Related news
- Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet
- FBI officially fingers North Korea for $1.5B Bybit crypto-burglary
- $1.5B Bybit Hack is Linked to North Korea, FBI Says, in Potentially the Largest Crypto Heist Ever
- China, Russia, Iran, and North Korea Intelligence Sharing
- North Korea’s ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps
- U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe
- Google fixes Chrome zero-day exploited in espionage campaign
- Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability
Related Vulnerability
| Date | CVE | Vulnerability title | Risk (CVSS) |
|---|---|---|---|
| 2022-04-05 | CVE-2022-0609 | Use After Free vulnerability in Google Chrome: use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |