Flash Notice: [CVE-2022-1096] Zero-Day Google Chrome Type Confusion Vulnerability

March 29, 2022

Overview of cve-2022-1096

On March 23, 2022, Google was alerted about a dangerous zero-day vulnerability found in all Chromium based browsers. An anonymous sender discovered the vulnerability, which is being tracked as CVE-2022-1096. The bug is a type confusion vulnerability and is currently being exploited by threat actors in the wild – making all Chromium based browsers vulnerable to attacks. The browsers included are: Microsoft’s Edge, Amazon Silk, Brave, Opera, Samsung Internet, Vivaldi, and Yandex.

CVE-2022-1096 affects 2 billion users and the threat level is rated “high” by Google. The vulnerability is a type confusion weakness located in the Chrome V8 JavaScript and WebAssembly engine. This flaw allows threat actors to execute arbitrary code on victim devices and allows the threat actor to trick Chrome into running malicious code. V8 is a component within Chrome that processes JavaScript, which is the engine that’s at the heart of Chrome.

Type confusion is a coding issue that happens when a threat actor creates two pointers to the same object with incompatible type tags – tricking the recipient into thinking that they are being sent valid data when they are not. Attacks on the V8 component of Chrome are not common but are among the most dangerous. Google has not released the details surrounding the bug because their policy is to restrict details until an update is installed by a majority of its users.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” - Google

CISA has ordered that all private and public sectors patch devices as soon as possible. Although Google has released an emergency update with a security fix in Chrome (99.0.4844.84), an official patch for Windows, Mac, and Linux will not be released for a couple of weeks. CVE-2022-1069 has come after two North Korean state-sponsored threat actors exploited another Chrome zero-day flaw (CVE-2022-0609).

CVE-2022-0609 is a remote code execution (RCE) flaw that allowed for threat actors to exploit a use-after-free vulnerability found in Chrome’s animation component. The vulnerability was found by Google’s TAG team and was exploited by two groups, tracked as Operation Dream Job and Operation AppleJeus. The threat actors targeted U.S. based organizations within news media, IT, cryptocurrency, and fintech industries. The vulnerability has since been successfully patched by Google.

How Avertium is Protecting Our Customers:

Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium’s offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes end-points, applications, network devices, and user interactions.
To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.

Avertium's recommendations

CVE-2022-1096

Google released an emergency update for Chrome (99.0.4844.84)
- Settings > Help > About Google Chrome — this will also force Chrome to check for updates
- After following the steps, you must restart your browser or the update will not be successful.
Microsoft also released an update (0.1150.55) for their Chromium browser with the following steps:
- In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
- Click on 'Help and Feedback'
- Click on 'About Microsoft Edge'
Brave has also released an update that can be found here. Opera and Vivaldi have not released an update, but it appears that the browsers are already running the new and secure version of Chrome.

CVE-2022-0609

Enable Google’s Enhanced Safe Browsing for Chrome.
Ensure all Devices are updated.
After discovering the vulnerability, Google identified all websites and domains and added them to Safe Browsing to protect their users from further exploitation.
Google notified Gmail and Workspace users via government-backed attacker alerts, addressing the matter.

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs for CVE-2022-1096. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
CVE-2022-0609
- disneycareers[.]net
- find-dreamjob[.]com
- indeedus[.]org
- varietyjob[.]com
- ziprecruiters[.]org
- https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
- https[:]//varietyjob[.]com/sitemap/sitemap.asp
- options-it[.]com
- tradingtechnologies[.]com
- blockchainnews[.]vip
- chainnews-star[.]com
- financialtimes365[.]com
- fireblocks[.]vip
- gatexpiring[.]com
- gbclabs[.]com
- giantblock[.]org
- humingbot[.]io
- onlynova[.]org
- teenbeanjs[.]com
- https[:]//financialtimes365[.]com/user/finance.asp
- https[:]//gatexpiring[.]com/gate/index.asp
- https[:]//humingbot[.]io/cdn/js.asp
- https[:]//teenbeanjs[.]com/cloud/javascript.asp