North Korean hackers used a zero-day vulnerability to remotely execute code in the Google Chrome browser during attacks on mass media, IT companies, cryptocurrency and financial organizations.
Google’s Threat Analysis Group (TAG) team has linked two malicious campaigns exploiting the CVE-2022-0609 vulnerability to two groups supported by the North Korean government.
The attackers emailed potential victims and lured them to fake websites, or compromised legitimate websites, which then loaded an exploit kit for CVE-2022-0609.
Google TAG discovered the campaigns on February 10 of this year and fixed the vulnerability in an emergency update of Google Chrome four days later. The earliest signs of exploitation of the zero-day vulnerability were discovered on January 4, 2022.
One of the two North Korean groups targeted more than 250 people working at 10 different organizations: media outlets, domain registrars, hosting providers and software vendors. According to experts, this activity overlaps with the North Korean cyber espionage campaign Operation Dream Job, described in detail by ClearSky researchers in August 2020.
The second campaign targeted more than 85 users in the cryptocurrency and financial technology industries and is associated with the group behind the AppleJeus operation. Among other things, the attackers compromised at least two legitimate fintech company websites and planted hidden iframes that loaded the exploit kit. In other cases, experts found fake websites set up to distribute trojanized cryptocurrency applications.
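A site owner checking for the kind of compromise described above would look for iframes that are invisible to the visitor yet pull content from another host. The following scanner is an added example, not code from Google TAG or from the article; the sample HTML and every hostname in it are constructed placeholders, not indicators from the report.

```python
# Added example (not Google TAG's or the article's code). Sample HTML and hostnames below are constructed placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![.\d])|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True if the iframe's own attributes or inline style make it invisible."""
    if "hidden" in attrs:
        return True
    if attrs.get("width", "").strip() in {"0", "0px"} or attrs.get("height", "").strip() in {"0", "0px"}:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))

def find_suspicious_iframes(html, site_host):
    """Return (src, reason) for hidden iframes whose src is served from another host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative src stays on-site
        if host != site_host.lower() and is_hidden(attrs):
            findings.append((src, "hidden iframe loading off-site content"))
    return findings

# Constructed sample: one legitimate widget, two injected hidden frames.
SAMPLE_HTML = """<html><body>
<iframe src="/widgets/ticker" width="300" height="80"></iframe>
<iframe src="https://exploit-host.invalid/kit/landing" style="display:none"></iframe>
<iframe src="https://cdn-lookalike.invalid/x" width="0" height="0"></iframe>
</body></html>"""
if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML, "www.example-fintech.invalid"))
```

The check only covers inline attributes and styles; frames hidden through an external stylesheet or injected by script need the rendered DOM, not the raw HTML.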
The attackers built several safeguards into the exploit kit that made it hard for researchers to recover the later stages of the chain needed to compromise a target. For example, the iframe linking to the exploit kit was served only at specific times, some targets received unique identifiers, every stage of the kit was encrypted (including the client's responses), and each stage was delivered only if the previous one had succeeded.
The researchers found evidence that the North Korean hackers were interested in more than Google Chrome users. They also singled out Safari and Mozilla Firefox users, sending them specially crafted links to attacker-controlled servers.