North Korean hackers have been exploiting a zero-day in Chrome.
The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.
The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.
The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.
Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:
Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
On some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
Additional stages were not served if the previous stage failed.
Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.
If you’re a Chrome user, patch your system now.
More Stories
FBI Shuts Down Chinese Botnet
The FBI has shut down a botnet run by Chinese hackers: The botnet malware infected a number of different types...
Western Agencies Warn Risk from Chinese-Controlled Botnet
Cyber and law enforcement agencies across the “Five Eyes” countries issue warning about large-scale botnet linked to Chinese firm and...
8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach
A Manchester law firm has filed a lawsuit against outsourcing giant Capita, representing nearly 8000 claimants who were affected by...
FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries
US Schools and libraries have until November 1, 2024 to enrol for a three-year program during which participants will receive...
Cryptojacking Gang TeamTNT Makes a Comeback
Group-IB claims to have found evidence of a new TeamTNT cryptojacking campaign Read More
Insecure APIs and Bot Attacks Cost Global Firms $186bn
Thales claims API insecurity and automated bot abuse is costing organizations an estimated $186bn annually Read More