Threat actors from North Korea have been exploiting a vulnerability in Google Chrome to execute remote code on targeted users' systems, particularly at news outlets, software vendors and fintechs in the United States.
CVE-2022-0609 is a remote code execution vulnerability affecting Google Chrome. According to Google, a patch was released on Feb. 14, 2022, while the first evidence of an exploitation of the vulnerability dates to Jan. 4, 2022.
On Feb. 10, Google’s TAG (Threat Analysis Group) team discovered two distinct threat actors using that vulnerability to target U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. It is possible that more organizations and countries have been targeted in those attack campaigns.
Operation Dream Job
The threat actors behind the previously reported “Operation Dream Job” are one of the two actors leveraging the CVE-2022-0609 vulnerability.
Individuals from 10 different news media outlets have been targeted by the threat actor, in addition to software vendors, domain name registrars and web hosting providers. All in all, more than 250 people have been targeted by this campaign.
The attack started with emails sent to these people, posing as job opportunities from Disney, Oracle and Google (Figure A).
The links in the fraudulent emails led the user to fake job offer websites which served a hidden iframe triggering the exploit kit.
The second threat actor exploiting the CVE-2022-0609 vulnerability was already known for a previous attack campaign called Operation AppleJeus.
More than 85 people from the fintech and cryptocurrency industries have been targeted in the current attack campaign.
Two legitimate fintech companies have been compromised so that the attackers could add a malicious iframe to their websites, serving the exploit kit to infect visitors. In other cases, Google observed fake websites that also served the exploit kit and were already set up to distribute trojanized cryptocurrency applications.
The exploit kit
Users have been served the exploit kit either by visiting a legitimate website compromised by the attackers or by being led to fake websites created by the threat actors. In all cases, an iframe started the infection chain.
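Because both infection paths described above begin with an iframe injected into a page (a compromised legitimate site or a look-alike site), site owners can periodically scan their own HTML for the pattern. The following script is an added example written for this article, not code from Google TAG or from the original report: it parses a page, collects every iframe, and flags those that are both hidden (zero or one-pixel size, display:none, or pushed off-screen) and loaded from a host other than the page's own. The sample page, the host names (example-fintech.test, attacker-placeholder.test) and the style heuristics are constructed assumptions.

```python
"""Flag hidden iframes in an HTML page that point to third-party hosts.

Added example (not from the original article or Google TAG): a site-owner
check for the injection pattern described above, where a compromised
legitimate page carries a hidden iframe that loads an exploit kit.
The sample HTML and hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that commonly make an iframe invisible to the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?!\.)",
    re.I,
)
# Absolute positioning far outside the viewport.
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)


def _is_hidden(attrs: dict) -> bool:
    """Return True if the iframe's attributes make it invisible or near-zero size."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE.search(style) or OFFSCREEN.search(style):
        return True
    if attrs.get("hidden") is not None:  # bare HTML5 'hidden' attribute
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html: str, page_host: str):
    """Return (src, reason) for hidden iframes whose host differs from page_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        # Same-origin hidden frames are common (analytics, widgets);
        # a hidden frame pulled from another host deserves a look.
        if host and host != page_host.lower() and _is_hidden(attrs):
            findings.append((src, "hidden cross-host iframe"))
    return findings


# Constructed sample: a legitimate-looking page with one injected hidden iframe.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to example-fintech.test</h1>
<iframe src="https://example-fintech.test/widgets/rates" width="300" height="200"></iframe>
<iframe src="https://attacker-placeholder.test/landing?id=abc123"
        width="1" height="1" style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_PAGE, "example-fintech.test"):
        print(f"{reason}: {src}")
```

Run it against a saved copy of each public page (for example from a nightly crawl of your own site) and alert on any new finding; a diff against the previous crawl catches the injected frame even when the attackers only serve it intermittently, as the article notes they did.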
In an attempt to protect their exploits, the attackers deployed multiple techniques to make it harder for security teams to recover any of the stages. The iframe was only served at specific times, and the infecting links carried unique IDs so that the exploit kit would not be served more than once from the same link. Each stage was also heavily encrypted with the AES algorithm, including the clients’ responses. No additional stage would be served unless all the previous ones had been completed.
In addition to the exploit kit, Google’s TAG team also found evidence of specific links built for Safari on macOS or Firefox leading to known exploitation servers, yet none responded at the time of Google’s investigation. It is therefore impossible to know what exploit would have been triggered, if any, for those other browsers.
Who are these attackers?
According to Google, the two threat actors originate from North Korea. Both groups used the exact same exploit kit. Since the kit is private, it is possible that both groups work for the same entity and share tools. Yet the two probably operate with different mission sets and different deployment techniques. It is also possible that more North Korean government-backed attackers have access to the same exploit kit.
How to protect against this threat
Since the threat consists of an exploit allowing attackers to execute remote code via a vulnerability in Google Chrome, it is advised to deploy the patch as soon as possible, which can easily be done via a Group Policy Object (GPO).
In addition, it is advised to use web-filtering and anti-phishing software or browser protections like Enhanced Safe Browsing for Chrome, in order to block the fraudulent websites created by the attackers.
To protect against phishing attempts, users should never click on a link coming from an unknown sender. If the email appears to come from a legitimate company, users should first check carefully whether the link it contains actually leads to that company’s website.
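The manual check just described (does the link really go to the company the email claims to be from?) can be automated at the mail gateway or in a user-facing tool. The script below is an added example for this article, not code from the original report or from any vendor: it pulls every anchor out of an HTML email body, verifies that the target host sits under the expected company domain (an exact label match, so look-alike domains such as example-corp-jobs.test or example-corp.test.evil.test do not pass), and separately flags anchors whose visible text shows one domain while the href points to another. The company domain and the sample recruiter email are constructed assumptions.

```python
"""Check whether the links in a job-offer e-mail lead to the company they claim.

Added example (not from the original article): an automated form of the
manual check described above. It extracts anchors from an HTML e-mail body
and flags links whose target host is not under the expected company domain,
or whose visible text shows one domain while the href points to another.
The claimed domain and the sample message are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-exact, no suffix tricks)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str, claimed_domain: str):
    """Return a list of (href, problem) for links that do not match the claimed company."""
    parser = AnchorCollector()
    parser.feed(html_body)
    problems = []
    for href, text in parser.anchors:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https") or not host:
            problems.append((href, "non-web or malformed link"))
            continue
        if not _host_under(host, claimed_domain):
            problems.append((href, f"target host {host} is not under {claimed_domain}"))
            continue
        # Visible text that looks like a URL or domain but differs from the real target host.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text and " " not in text and shown and shown != host:
            problems.append((href, f"visible text shows {shown} but link goes to {host}"))
    return problems


# Constructed sample: a fake recruiter mail claiming to come from example-corp.test.
SAMPLE_MAIL = """
<p>We'd like to discuss a senior engineering role with you.</p>
<p>Job description: <a href="https://careers.example-corp.test/role/123">careers.example-corp.test</a></p>
<p>Apply here: <a href="https://example-corp-jobs.test/apply?id=xyz">careers.example-corp.test/apply</a></p>
<p>Questions? <a href="https://hr.example-corp.test/contact">Contact HR</a></p>
"""

if __name__ == "__main__":
    for href, problem in check_links(SAMPLE_MAIL, "example-corp.test"):
        print(f"{problem}: {href}")
```

The claimed domain should come from the verified sender (an authenticated From: domain after SPF/DKIM/DMARC checks), not from the display name, since the display name is exactly what the fake recruiter controls.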
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.