Google TAG Attributes Exploits to State-Sponsored APT37, aka Reaper

Mihir Bagwe (MihirBagwe) • December 7, 2022

North Korean state-sponsored hackers exploited a zero-day vulnerability in the JavaScript engine of Microsoft's Internet Explorer via an Office document sent to users in South Korea.
Google's Threat Analysis Group says it spotted the exploit in October after multiple individuals from South Korea uploaded a copy of the malicious Word file to VirusTotal. The document purported to be an update on the Halloween crowd crush that killed more than 150 people in the Itaewon neighborhood of Seoul.
APT37, also known as Reaper, primarily targets South Korea, the country with which the totalitarian government in Pyongyang has maintained a tense seven-decade armistice. Cybersecurity firm Mandiant has written that APT37, which appears to have been active since at least 2012, targets the public and private sectors alike in espionage campaigns.
Microsoft issued a patch for the zero-day in early November.
The vulnerability, CVE-2022-41128, resided within the Internet Explorer JavaScript engine, jscript9.dll, the component Office uses to render HTML content. Google characterizes the flaw as an incorrect just-in-time compilation that leads to variable type confusion. It is similar to another vulnerability, CVE-2021-34480, that Google researchers identified in 2021.
This North Korean threat group has exploited Internet Explorer zero-days before, Google notes. Exploiting Internet Explorer through the Office channel has its advantages, since it doesn't depend on users having selected the browser as their default. Nor does it require chaining the exploit with another one to break out of Internet Explorer's Enhanced Protected Mode sandbox, writes Google.
The malicious document downloaded a rich text file template that in turn fetched remote HTML content, but only if users had disabled Office's Protected View setting. Google researchers ultimately did not retrieve the final payload of the campaign, but APT37 in the past has delivered a variety of implants that "abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors."
The Cybersecurity and Infrastructure Security Agency added the IE zero-day to its catalog of known exploited vulnerabilities in November and ordered federal civilian agencies to patch the bug by December 9.