According to a local security firm, a Chrome exploit published online last week has been weaponized and exploited to target WeChat users in China.
The malicious links were sent to WeChat users in the attacks. When users clicked the connection via a link, a piece of JavaScript code was launched, which loaded and executed shellcode on their operating systems.
Threat actors used the recently revealed Chrome exploit to attack WeChat users in China, according to China-based firm Qingteng Cloud Security. The attacks, according to the researchers, were limited to users of the WeChat Windows app. The security firm didn't reveal which of the two proof-of-concept codes released last week were used in the attacks.
This is because the attackers repurposed proof-of-concept code for two different bugs in the Chromium browser engine, which the WeChat Windows client uses to open and preview links without having to open a separate browser, which was published on Twitter and GitHub last week. The proof of concept code published last week —both of them— allowed attackers to run malicious code inside any Chromium-based browser.
However, since most web browsers run Chromium in a "hardened mode" where the "sandbox" security protection function helps to prevent malicious code from escaping to the underlying operating system, due to which the exploit code was deemed useless on its own.
As the security researchers informed The Record in interviews last week, their proof-of-concept code would work fine against apps that used the Chromium project as a foundation but forgot to allow sandbox defense.
The WeChat client patched last week but Qingteng did not reveal that which of the two Chromium exploits revealed online last week was used in the wild in China; however, the security firm said it alerted Tencent, the creator of the WeChat app, and that Tencent had incorporated the latest Chromium security updates to patch the attack vector.
Both vulnerabilities have been fixed by the Chromium team, but the patches are still finding their way downstream to all applications that use the browser engine. Only Microsoft Edge has patches for both exploits right now whereas the first bug has been fixed in Chrome.