North Korean government-backed hackers were recently detected by Google’s Threat Analysis Group attempting to exploit a zero-day vulnerability in Google Chrome, gaining access to people’s devices. Since then, the corporation has patched the security hole.
Adam Weidemann, Director of Engineering at Google, claimed in an official blog post that the weakness has been exploited since January 4th. Over the course of weeks, the bug was used for both intelligence and financial attacks, according to the post.
Operation Dream Job and Operation AppleJeus were two groups that targeted “U.S.-based enterprises spanning the news media, IT, cryptocurrency, and financial industries.”
The groups took use of CVE-2022-0609, a Chrome use-after-free flaw. The flaw allows attackers to insert malicious code into unprotected memory locations, allowing them to execute malware remotely.
Since then, the company has released a vulnerability patch for Chrome update version 98.0.4758.102. However, according to Weidemann, the gangs spent weeks between the 4th of January and the 14th of February carrying out many covert strikes in various phases, allowing them to obscure their footprints.
“Careful to protect their exploits,” Weidemann stated, “[they] installed several safeguards to make it difficult for security teams to retrieve any of the stages.”
The units are thought to have been formed by North Korea’s dictatorial dictatorship to carry out actions to improve the country’s government’s resources.
Weidemann went on to say:
We believe these organizations are part of the same organization with a shared supply chain, which explains why they utilize the same exploit kit, but each has a different mission set and employs different tactics. It’s likely that other attackers backed by the North Korean government have access to the same exploit kit.
According to Google, it was not the only corporation targeted in the attacks:
We found evidence that the attackers deliberately searched for visitors using Safari on macOS or Firefox (on any OS) and led them to specific links on known exploitation servers, despite the fact that we recovered a Chrome RCE.
Weidemann also stated that Google places a strong priority on user privacy and security. He expressed himself as follows:
We use the results of our research to improve the safety and security of our products as part of our efforts to battle severe threat actors… We recommend that any possible targets enable Enhanced Safe Browsing for Chrome and upgrade all of their devices.