North Korean hackers targeted fintech and media with Chrome zero-day exploit

March 25, 2022

State-sponsored attackers went after targets with fake emails and spoofed websites


One of the more alarming terms in computer security is the “zero-day exploit.” That label has some weight behind it for good reason, referring to a pretty scary situation where an attacker knows about a hidden major flaw or bug in some software — in this case a browser — for which there’s not yet any fix available. Hackers love them, and now a new report from Google’s Threat Analysis Group (TAG) outlines how a state-sponsored hacking gang based in North Korea has been exploiting just such a zero-day in Chrome.

TAG shares that between January and February 2022, North Korean hackers were all over a zero-day in Google Chrome that allowed them to execute code on target machines. Before the exploit was patched, the North Koreans used it to compromise computers at various media and fintech companies. Researchers have assigned the vulnerability CVE-2022-0609, and TAG describes it as “use after free in Animation.” Two distinct but likely related groups have been using the zero-day, and they have been assigned the disarmingly entertaining nicknames Operation Dream Job and Operation AppleJeus.

According to TAG, Operation Dream Job went after media, domain registrars, software vendors, and web hosts — up to 250 individual targets at ten different organizations. The hackers would send fake job recruitment emails purporting to be from Disney, Google, and Oracle. While the emails looked like they came from Indeed.com or ZipRecruiter, they actually linked to spoofed versions of those sites. Ideally — for the hackers, that is — a mark would click through to the faked site, where a hidden iframe (one HTML page nested inside another) would trigger the malicious software intended to exploit the vulnerability. Operation AppleJeus attacked cryptocurrency and fintech companies, up to 85 individuals in all, using the same malicious software toolkit. In addition to the fake sites used to drive infections, at least two legitimate sites were also compromised and used to spread this attack.


As for just how these attacks worked and what data was exfiltrated for malicious use later, TAG doesn’t have many details to share, because the hackers were careful to obscure their tracks at so many points along the way — though the spoofed crypto sites did reveal what TAG describes as trojanized cryptocurrency applications, and those are often used to steal financial data and tokens, as well.

TAG researchers were able to determine that the hackers didn’t just target Chrome, but also lured Safari and Firefox users to malicious links. And unfortunately for everyone who fell prey to these attacks, they occurred for over a month, from January 4, 2022, through February 14, before a patch was finally deployed.



About The Author

Steve Huff

Steve is the Weekend News Editor for Android Police. He was previously the Deputy Digital Editor for Maxim magazine and has written for Inside Hook, Observer, and New York Mag. He’s the author of two official tie-in books for AMC’s hit “Breaking Bad” prequel, “Better Call Saul.”
