Threat Watch

Internet Explorer 0-day exploited by North Korean actor APT37

Googles Threat Analysis Group (TAG) announced the discovery of a 0-day vulnerability first seen in late October 2022 embedded in malicious documents and used to target users in South Korea. TAG attributed this activity to a group of North Korean government-backed actors known as APT37. These malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, CVE-2022-41128. On October 31, 2022, multiple submitters from South Korea reported new malware to TAG by uploading a Microsoft Office document to VirusTotal. The document references the tragic incident in the neighborhood of Itaewon, in Seoul, South Korea during Halloween celebrations on October 29, 2022. The incident was widely reported on, and the lure takes advantage of widespread public interest in the accident. The vulnerability resides within “jscript9.dll”, the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website. The bug itself is an incorrect JIT optimization issue leading to a type confusion and is very similar to CVE-2021-34480, which was identified by Project Zero and patched in 2021. TAG reported the vulnerability to Microsoft on October 31, 2022, and the label CVE-2022-41128 was assigned on November 3, 2022. The vulnerability was patched on November 8, 2022.

ANALYST NOTES

TAG also identified other documents likely exploiting the same vulnerability and with similar targeting, which may be part of the same campaign. Although this campaign mainly targets South Korea, the tactic of using current events to lure potential victims into downloading malware is common and individuals should always verify the source of a link or document.
Organizations should use the following preventative measures to protect themselves from an attack:
• Implement network segmentation.
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released. Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multi-factor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/