Friday 9th December 2022

Threat intelligence weekly update | 9th December 2022

Key Issue: North Korea-backed APT37 leverages Internet Explorer zero-day vulnerability
Cybercriminals: Health care sector targeted extensively with ransomware
Nation-State: Mustang Panda continues long-term global campaigns for Beijing
Hacktivists: Pro-Ukrainian hacktivists target second-largest Russian bank with DDoS

North Korea-backed APT37 leverages Internet Explorer zero-day vulnerability

This week we reported on the discovery of a zero-day vulnerability in Internet Explorer that has been exploited by North Korean nation-state unit APT37. The vulnerability, labelled CVE-2022-41128 (CVSS: 7.7 | OVSS: 8.8), is a remote code execution vulnerability affecting Windows 7 through 11 and was first identified as being exploited by APT37 in October 2022.

In this most recent operation, the exploit is embedded in a malicious document sent to users in South Korea. The Microsoft Office document used as a lure is titled “221031 Seoul Yongsan Itaewon accident response situation (6:00).docx”, referencing the tragic incident that took place in Itaewon in Seoul in October 2022. No final payload was identified but given that APT37 primarily engages in cyberespionage activities against South Korean entities, this incident is likely part of a larger cyberespionage campaign.

Phishing documents using lures that capitalise on current events in the media remain a popular infection vector for malicious actors, and we anticipate that malicious actors who are successful with this technique will continue to use it in the future. Although the vulnerability was patched on 8 November, the public disclosure of CVE-2022-41128 and the release of a proof-of-concept on 8 November may prompt threat actors such as APT37 to target organisations that are slow to apply the patch.

