Google has released an update for Chrome that includes a fix for a serious vulnerability that is under active exploitation.
The vulnerability (CVE-2022-1096) is a type confusion bug in the browser's V8 JavaScript engine, and Google on Friday pushed out an urgent update for Chrome on all of the supported platforms. Google didn’t provide any further details on the bug or on the exploitation activity, saying only that an exploit for it is available in the wild.
This is the second vulnerability under active exploitation that Google has fixed in Chrome in 2022. In early February, Google warned about a high-severity flaw in the animation component of Chrome that was being actively exploited. Google patched that as part of a broader update for Chrome, but last week the company’s Threat Analysis Group published a detailed analysis of a campaign by attackers from North Korea, revealing that two separate threat actors from the country had exploited the flaw (CVE-2022-0609).
“On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus,” the TAG analysis says.
“We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.”
Those campaigns involved a series of highly targeted phishing emails and employed infrastructure that included spoofing of legitimate domains in order to trick victims into visiting the malicious sites. The attackers were very careful to protect the exploit kit that they used in their operations, only serving the malicious iframes to victims at specific times and encrypting each stage of the chain.
Google has not attributed the exploit for the new Chrome zero-day to any specific group at this point.