SecurityWeek

Cyberwarfare

Chrome Zero-Day Vulnerability Exploited in Korea-Linked Attacks

Google on Thursday patched a Chrome zero-day vulnerability that has been exploited to deliver malware in a campaign that shares similarities with previous Korea-linked attacks.

Chrome 78.0.3904.87 for Windows, macOS and Linux patches two vulnerabilities. One of them is CVE-2019-13720, which Google has described as a high-severity use-after-free bug in the browser’s audio component. The tech giant says it’s aware of reports that the security flaw has been exploited in the wild.

The issue was reported to Google on October 29 by researchers from Kaspersky and it was patched quickly. The company says the update containing the fix should reach users in the coming days or weeks.

According to Kaspersky, the zero-day has been exploited in a campaign dubbed Operation WizardOpium. The company says it has not found any evidence that would allow it to confidently link the operation to a known threat actor.

However, some “very weak code similarities” suggest a possible connection to the Lazarus Group, a threat actor linked to North Korea. On the other hand, researchers believe these code similarities could be false flags meant to make attribution more difficult.

Kaspersky says one of the websites targeted by the hackers is reminiscent of earlier attacks attributed to DarkHotel, a threat group that has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea.

“The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,” Kaspersky said in a blog post.

According to the cybersecurity firm, the attackers compromised a Korean-language news website as part of a watering hole attack and abused it to deliver malware via the Chrome zero-day. The compromised website loads scripts designed to check visitors’ browser and operating system to determine if the Chrome vulnerability can be exploited for arbitrary code execution.

If the exploit is successful, an encrypted payload disguised as a harmless .jpg file is delivered to the victim. The payload is then decrypted and an executable file is dropped and run.

Kaspersky has only shared limited information about the malware, but revealed that it leverages the Windows Task Scheduler for persistence and its main module is designed to download other modules from a command and control (C&C) server.

In addition to the zero-day, the latest Chrome update fixes CVE-2019-13721, a high-severity use-after-free issue in the PDFium component. This vulnerability was reported to Google on October 12 by a researcher who uses the online moniker banananapenguin, and it earned the hacker a $7,500 bounty.

CVE-2019-13720 is the second Chrome zero-day patched by Google this year. The first was CVE-2019-5786, which malicious actors exploited alongside a Windows zero-day.
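A patch-status triage helper, added here as an example (it is not code from the article, Google or Kaspersky): it parses Chrome build strings from a constructed inventory export and flags hosts still running a build older than 78.0.3904.87, the release that carries the fixes for both CVEs.

```python
"""Flag Chrome installs still exposed to CVE-2019-13720 / CVE-2019-13721.

Added example, not from the article or from Google/Kaspersky. It assumes an
inventory export with lines of the form "host,channel,version" (constructed).
"""
from typing import Optional, Tuple

# First Chrome build carrying both fixes, per the article.
FIXED_VERSION = (78, 0, 3904, 87)

# Constructed inventory; host names and builds are made up.
INVENTORY = """\
ws-01,stable,78.0.3904.70
ws-02,stable,78.0.3904.87
ws-03,beta,79.0.3945.16
ws-04,stable,77.0.3865.120
ws-05,stable,not-installed
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '78.0.3904.87' into (78, 0, 3904, 87); None if not a dotted number."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    # Pad short strings so '78.1' compares as (78, 1, 0, 0).
    return nums + (0,) * (len(FIXED_VERSION) - len(nums))


def is_exposed(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if patched, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def triage(inventory: str) -> dict:
    """Group hosts into exposed / patched / unknown buckets."""
    buckets = {"exposed": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _channel, version = line.split(",", 2)
        state = is_exposed(version)
        key = "unknown" if state is None else ("exposed" if state else "patched")
        buckets[key].append(host)
    return buckets
```

Hosts in the "unknown" bucket (no parseable build string) need a manual check rather than being treated as patched.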
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.