Google sent an emergency patch late Thursday night to close a Chrome browser loophole used in unexplained zero-day attacks.
In V8, Google’s JavaScript and WebAssembly engine, the Google Chrome fix, which is pushed through the automated self-patching of the browser, covers a crucial vulnerability.
Users on Windows, MacOS and Linux systems are limited by the “high risk” vulnerability.
For info, the Google advisory is scant:
High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24
Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Scientific information on the vulnerability is kept secret. The patch release comes amid allegations that in the North Korean government-backed attacks against various researchers and personalities spread across the offensive and defensive security space, a Google Chrome zero-day exploit was being used.
Google has been silent about the potential use of a zero-day Chrome in the North Korean social-engineering campaign outside a blog post with the initial alert from its TAG (Threat Research Group), and whether this new fix provides protection for that vulnerability.
A source informs that the two concerns are “unrelated” but insisted that a full investigation has not yet been concluded.
South Korean security provider ENKI, adding fuel to the flames, has published a report that a zero-day Microsoft Internet Explorer (IE) browser could also be related to the North Korean campaign. ENKI said the operation was targeted by its own researchers and the targeting approach involved the use of malicious MHTML files that led to downloads of drive-by IE.
Strangely, public data reveals that in South Korea, the Internet Explorer browser appears to be commonly used.
Microsoft has itself reported its own findings on the North Korean hackers against white-hat analysts, intelligence threats and aggressive security practitioners, but the use of zero-day Internet Explorer is not listed by Microsoft.
However, Microsoft does define the use of MHTML files directly targeting the older Internet Explorer:
In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.
The ENKI results were initially recorded via what was described as a “incorrect channel” by a Microsoft spokesperson told.
“The spokesperson added, “Microsoft has a consumer responsibility to review suspected security vulnerabilities and we will include patches for compromised devices as soon as possible.
KTAE code similarity analysis for the malware used to target security researchers involved in 0day analysis and development. “Manuscrypt” (also known as FALLCHILL) is typically used by the Lazarus APT. 👉 pic.twitter.com/hXxuJIj9Lc
— Costin Raiu (@craiu) January 26, 2021
The attacks were linked by security researchers at Kaspersky to a sub-group under Lazarus, the notorious North Korean threat operator renowned across the globe for launching disruptive malware and ransomware attacks.
