Chrome Zero-Day Vulnerability Goes Unpatched for a Month

Security researchers uncovered two separate malicious campaigns that were exploiting a zero-day vulnerability in the Chrome browser. The bugs were actively exploited in the wild for about a month before the patch arrived.

Two groups, two attacks

Google's own Threat Analysis Group spotted the vulnerability back in early February and Google released a patch for it just four days later, along with the bug report. The vulnerability was tracked under the designator CVE-2022-0609 and comprised a use-after-free issue with the browser component responsible for animation. The vulnerability was already actively exploited in the wild.

Researchers tracked down the malicious activity related to the bug with a couple of threat actors named Operation Dream Job and Operation AppleJesus. Both of those are believed to be North Korean threat actors. The attacks carried out by the hackers were focused primarily on US entities from a number of sectors, ranging from crypto to media outlets. However, researchers don't rule out the possibility that the attacks had additional targets outside of the US.

Same exploit kit, different methods

Even though the two threat actors used one and the same exploit kit in their attacks, they used different techniques and targeted different entities.

The attacks used fake job offer emails with malicious links in them, spoofing high-profile, highly desirable employers. Once the victim clicks on the malicious link in an effort to see the full fake job offer, the browser would load an invisible iframe, which in turn deploys the exploit kit.

AppleJesus focused on different targets, primarily working in crypto and finance. The exploit kit used in the attack was the same.

The iframes were hosted on pages that were either operated and owned by the threat actors, or on pages of websites that the hackers had previously compromised successfully and could host the malicious elements on them.

The issue has been patched, but that still leaves the issue with the span of several weeks that the threat actors could have leveraged the vulnerability among systems running the unpatched versions of Chrome.