Browser exploits: A Concerning Revival Led by the Lazarus Group

Lazarus Group is by no means a new kid on the cyber-criminal block.

Active since roughly 2009, the North Korean state-sponsored cyber threat group is a highly financially-motivated organization behind some of the most destructive cyber incidents of the past decade.

Having gained notoriety in a major attack against Sony Pictures Entertainment in 2014, Lazarus Group also manufactured an attack against the Central Bank of Bangladesh in 2016 that resulted in the theft of $81m and played a significant role in the spreading of WannaCry ransomware in 2017.

Unfortunately, the group has once again reared its head recently, spearheading growing efforts to leverage zero-day vulnerabilities in the browser from threat actors globally. 

2021 was a record year for browser exploits, with more than 30 zero-day vulnerabilities exploited in the wild. For Lazarus Group, it has become the initial access vector of choice for installing both malware and ransomware as it strives to steal cash and intellectual property from its victims.

Indeed, the trend has continued through 2022, demonstrated by the exploitation of CVE-2022-0609 Google Chrome browser vulnerability. Valentine’s Day saw Google engineers rushing to patch the issue that Lazarus Group had been actively exploiting since January 4, later issuing a blog post on March 31 warning that the group may also have other zero days waiting in the wings.

“Based on their activity, we continue to believe that these actors are dangerous and likely have more 0-days,” it read. This prediction has proven accurate. 

Google reported that CVE-2022-0609 specifically targeted industries like news media, IT, cryptocurrency and fintech. However, additional insights from the Menlo Labs research team revealed other targets to be US government agencies and Japan-based cryptoexchanges. 

Furthermore, the first occurrence of indicators of compromise dated back as far as October 2021.

Identifying Similarities in Attack Campaigns

Interestingly, a separate blog post from Google explains that one of the 2022 campaigns had direct infrastructure overlap with a campaign targeting security researchers reported in January 2021.

Indeed, the techniques, which can be classified as Highly Evasive Adaptive Threats (HEAT) used by Lazarus Group in each browser exploit, are similar. In the October 2021 incident, which we were able to track, initial access began with Lazarus Group compromising existing websites using a Legacy URL Reputation Evasion (LURE) tool before sending the malicious links to its target victims.

When a user visits the compromised website, their browser is then served with a JavaScript profiler that collects vital client information such as the resolution of the page and user-agent, forwarding this onto the exploit server. If the requirements are met, the Chrome RCE (Remote Code Execution) exploit and additional JavaScript are then delivered. 

In other attacks, the Lazarus Group has used malicious documents as its initial access method, yet the methodology beyond this remains largely unchanged. Interestingly, the organization has also been using security company logos, including that of Menlo Security, to throw victims off the scent and improve the probability of success.

This is not a new phenomenon. In recent years we have seen an increase in the use of popular security company documents in attacks, such as the Mandiant APT1 threat report. Here, tactics, techniques and procedures (TTPs) include macro-laden weaponized documents, password-protected attachments and compiled HTML files.

Bolstering Defenses Against Browser Exploits

Thankfully, there is an easy way to combat all three TTPs and mitigate the threat of browser exploits that are increasingly being presented by threat actors such as Lazarus Group. 

Enter isolation – a technology that ensures all active content is executed in an isolated, cloud-based browser rather than in the user’s end device. It shifts the focus of protection from post-compromise detection to prevention, ensuring that any malicious payload – be it weaponized documents, HTML files, attachments or other – simply cannot reach its target endpoint.

All objects are analyzed for potentially malicious contents, this first layer of defense working to either prevent the download of the original document or download a safe version of the document, the latter being stripped of any suspicious code, such as macros, while maintaining the composition of the document.

Given the rising use of HEAT attacks, a first layer of defense such as this is vital. Many existing defenses can be easily bypassed by sophisticated, modern attack methods, allowing threat actors to slip by while going undetected. 

With the efforts of nation-state-backed actors only likely to intensify as geopolitical tensions continue to hot up through 2022, companies must take action now and remediate any possible gaps in their defenses sooner rather than later. Be it browser exploits or a host of other vulnerabilities, the consequences of failing to do so could be catastrophic. 

What’s Hot on Infosecurity Magazine?