Google Spots North Korean Hackers Using Chrome Browser Exploit on US Targets
Earlier this year, North Korean hackers used a critical Chrome browser vulnerability to target victims in the United States, according to Google.
On Thursday, the company provided more details about the vulnerability, CVE-2022-0609, which was patched in Chrome last month. At the time, Google provided few details about the “high” severity flaw, but warned that it was being exploited.
The company now claims that CVE-2022-0609 was able to trigger remote code execution on the Chrome browser, which hackers likely used to load malware onto a computer.
Google also uncovered evidence that two state-sponsored North Korean hacking groups began exploiting the vulnerability on January 4, against organizations in the United States. “However, other organizations and countries may have been targeted,” Google security researcher Adam Weidemann wrote in a company blog post.
The first campaign, which Google said was consistent with the activity tracked as Operation Dream Job, targeted “more than 250 people working for 10 different news media, domain registrars, web hosting providers and software companies”, he added. The lure was fake job offers sent by email, purportedly from recruiters at companies such as Disney, Google and Oracle.
These emails contained links to pages spoofing legitimate job-hunting sites, including Indeed, ZipRecruiter and Disney’s careers page. In reality the pages were attacker-controlled: a visitor who clicked was served a hidden iframe that triggered the exploit kit for CVE-2022-0609 in Chrome.
The second campaign, consistent with the activity tracked as Operation AppleJeus, targeted more than 85 users in the cryptocurrency and fintech industries. It involved compromising at least two legitimate fintech company websites and planting hidden iframes in their pages that served the exploit kit to visitors. In other cases the group used its own fake cryptocurrency sites, already set up to distribute trojanized applications, to host the iframes.
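The compromised fintech sites in this campaign carried a hidden iframe pointing at the attackers' exploit server, a pattern a site owner can audit for. The following is an added example, not code from Google's write-up or from the campaign, showing how a defender might scan their own pages for iframes that are both hidden (zero-sized or styled invisible) and loaded from a host other than the site itself. The sample HTML and the host names in it are constructed for illustration.

```python
"""Audit HTML for hidden iframes that load content from a third-party host.

Added example (not from Google TAG's post). The SAMPLE_HTML below is
constructed; fintech.example stands for the site being audited and
the *.evil.example hosts stand for an attacker's exploit server.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an element invisible while it still loads and executes.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Valueless attributes (e.g. the boolean `hidden`) arrive as None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) == 0


def is_hidden(attrs):
    """True if the iframe would be invisible to the visitor."""
    return (
        bool(HIDDEN_STYLE.search(attrs.get("style", "")))
        or "hidden" in attrs
        or _is_zero(attrs.get("width"))
        or _is_zero(attrs.get("height"))
    )


def find_suspicious_iframes(html, site_host):
    """Return src URLs of hidden iframes whose host differs from site_host.

    Relative src values are same-origin by construction and are skipped;
    visible third-party embeds (video players, payment widgets) are skipped
    because they are not hidden.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host is None:
            continue
        if host != site_host and is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample: one legitimate embed, one same-origin hidden frame,
# and two injected zero-size / display:none frames pointing off-site.
SAMPLE_HTML = """
<html><body>
<h1>Example Fintech Co.</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="https://fintech.example/consent" style="display:none"></iframe>
<iframe src="https://cdn.evil.example/l.html" width="0" height="0" style="border:0"></iframe>
<iframe src="https://static.evil.example/frame.html" style="position:absolute; display:none;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in find_suspicious_iframes(SAMPLE_HTML, "fintech.example"):
        print("suspicious hidden third-party iframe:", url)
```

Run against a crawl of your own pages, this flags exactly the frames an attacker would inject to redirect visitors to an exploit server, while leaving ordinary visible embeds and same-origin frames alone. It is a static check only; an injected script that creates the iframe at runtime would need to be caught by inspecting the rendered DOM or by a Content Security Policy that restricts `frame-src`.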
The attackers also built several protections into their malicious pages to keep security researchers from recovering the whole exploit kit. These included serving the malicious iframe only at specific times, presumably when an intended target was expected to visit. Some of the phishing emails also carried links with unique identifiers, which could have been used to enforce “a single click policy for each link”, so that a URL already visited would not serve the exploit a second time.
Additionally, the attackers may have had exploits for other browsers as well. “While we recovered a Chrome RCE, we also found evidence that attackers were specifically checking visitors using Safari on macOS or Firefox (on any OS) and directing them to specific links on known exploitation servers. We did not retrieve any responses from these URLs,” Weidemann said.
The good news is that Google patched the vulnerability on February 14, four days after discovering it. However, North Korean hackers still attempted to exploit the browser flaw even after the patch was deployed. To further protect users, Google said it sent “all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity.”
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different set of missions and deploys different techniques,” added Weidemann. “It is possible that other attackers supported by the North Korean government have access to the same exploit kit.”