North Korean-backed threat actors are using interest in the Oct. 29 tragedy in South Korea, where nearly 160 people were crushed to death at a Halloween event, as a lure to exploit an Internet Explorer zero-day against their victims.

Google’s Threat Analysis Group (TAG) disclosed Dec. 7 that a North Korean government-backed threat group was exploiting an Internet Explorer zero-day in the wild.

While the Google TAG team said the North Korean group has historically targeted users in South Korea — policy makers, journalists and activists, as well as North Korean defectors — what is notable is how APT37 used a flaw in the Windows JavaScript engine that Internet Explorer relies on to achieve remote code execution.

As noted by ZDNet, Microsoft stopped supporting Internet Explorer earlier this year, but the flaw can still be exploited through Microsoft Office documents because the IE engine remains integrated with Office.
Using interest in the Oct. 29 tragedy in Seoul, in which nearly 160 people were crushed to death while gathering for a Halloween event, as a lure, the attackers get victims to download a rich text file (RTF) that references a remote template, which in turn fetches remote HTML content. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” wrote TAG’s Clement Lecigne and Benoit Sevens.

While Google was unable to recover a final payload from the North Korean campaign, the researchers said they have observed APT37 deliver “a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN to abuse cloud services as a C2 channel and offer capabilities typical of most backdoors.”

The TAG team reported the vulnerability, tracked as CVE-2022-41128, to Microsoft on Oct. 31, and the software giant issued a patch on Nov. 8. The Google team also noted that the flaw is similar to another Internet Explorer zero-day, CVE-2021-34480, which was patched in 2021.

In October, SC Media wrote about two other Internet Explorer vulnerabilities, reported by Varonis researchers, that involved the IE Event Log. For the vulnerabilities reported by Varonis, Microsoft did not fully fix one of the flaws because more recent operating systems are unaffected. However, the default permissions behind the other flaw were addressed in Microsoft’s October Patch Tuesday, which restricted access to the IE Event Log on remote machines to local administrators, thereby reducing the potential for harm.
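The delivery vector described above, an RTF whose remote template pulls in the HTML that carries the IE exploit, leaves a trace in the document itself: the `\template` destination points off-host rather than at a local `.dotm` file. The following is an added example, not code from Google TAG or from this article: it scans RTF bytes for template references, decodes the `\'xx` hex escaping that can hide a URL from a plain string search, and flags URLs and UNC paths; the sample documents are constructed and use the reserved values `example.invalid` and `203.0.113.5`.

```python
import re
from urllib.parse import urlsplit

def _destination_body(rtf: bytes, start: int) -> bytes:
    # Raw bytes from `start` up to the '}' that closes the enclosing RTF group.
    depth, i = 1, start
    while i < len(rtf) and depth:
        c = rtf[i]
        if c == 0x5C:                           # backslash: next byte is escaped or a control
            i += 1
        depth += (c == 0x7B) - (c == 0x7D)      # '{' opens, '}' closes a nested group
        i += 1
    return rtf[start:i - 1 if depth == 0 else i]

def _decode_destination(body: bytes) -> str:
    # RTF destination text -> str: decode \'xx hex and \\ \{ \} escapes, drop braces and other control words.
    out, i = bytearray(), 0
    while i < len(body):
        c, nxt = body[i:i + 1], body[i + 1:i + 2]
        if c != b"\\":
            out += b"" if c in (b"{", b"}") else c
            i += 1
        elif nxt == b"'" and re.fullmatch(rb"[0-9A-Fa-f]{2}", body[i + 2:i + 4]):
            out += bytes.fromhex(body[i + 2:i + 4].decode()); i += 4
        elif nxt in (b"\\", b"{", b"}"):
            out += nxt; i += 2
        else:                                   # control word, optional param, one delimiter
            m = re.match(rb"[A-Za-z]+-?\d* ?", body[i + 1:])
            i += 1 + (m.end() if m else 1)
    return out.decode("latin-1")

def extract_template_targets(rtf: bytes) -> list[str]:
    # Each \template destination control word names the template the document attaches.
    bodies = (_destination_body(rtf, m.end()) for m in re.finditer(rb"\\template(?![A-Za-z])", rtf))
    return [t for t in (_decode_destination(b).strip() for b in bodies) if t]

def is_remote_target(target: str) -> bool:
    # URLs and UNC/WebDAV paths (\\host\share, //host/share) are fetched over the network.
    return target.startswith(("\\\\", "//")) or urlsplit(target).scheme.lower() in ("http", "https", "ftp")

def remote_templates(rtf: bytes) -> list[str]:
    # Non-empty result: the document pulls its template from the network; flag it for review.
    return [t for t in extract_template_targets(rtf) if is_remote_target(t)]

# Constructed samples, not real documents; example.invalid and 203.0.113.5 are reserved values.
SAMPLES = {
    "local_normal": rb"{\rtf1\ansi{\*\template C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm}Hi}",
    "remote_hex_http": rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t.dotm}Hi}",
    "remote_unc": rb"{\rtf1\ansi{\*\template \\\\203.0.113.5\\share\\t.dotm}Hi}",
}
```

Word's own documents reference a local `Normal.dotm`, so a template target that resolves to a URL or UNC share is a strong review signal at the mail gateway or in a sandbox, independent of which browser is the default on the endpoint.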
Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.