North Korean Hackers Launched Now-Patched Zero-Day Exploit in Two Campaigns
North Korea state-backed hackers infected hundreds of organizational computers through a Chrome zero-day exploit, according to Google.
The vulnerability, which Google tracked as CVE-2022-0609, is a remote code execution flaw that allows an attacker to gain full control over a user’s device. Although Google attributes the attacks to two distinct groups, both campaigns have previously been linked to the North Korean group Lazarus. Security researchers track the campaigns as “Operation Dream Job” and “Operation AppleJeus,” and both have been active since at least 2018. Both groups used the same exploit kit, delivering it through links placed on compromised websites and on sites the attackers built themselves to lure victims.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” said Adam Weidemann, director of engineering for Google’s Threat Analysis Group. “It is possible that other North Korean government-backed attackers have access to the same exploit kit.”
Lazarus has been connected to several major cybercrimes, including the 2016 incident in which the attackers installed malware on Bangladesh Bank’s systems and then used it to send fraudulent messages through SWIFT, the international messaging system for banks. Known as the Bangladesh Bank Heist, this incident resulted in the loss of $101 million.
The Kaspersky research firm has also tracked a North Korean group called BlueNoroff; however, a researcher working for the firm said during a presentation for the Center for Cyber Security Belgium that he suspected the group was linked to Lazarus.
Google says a patch for the vulnerability was delivered in February.
Google’s Weidemann said that the campaign had targeted several industries, ranging from cryptocurrency firms to media outlets.
“We observed the campaigns targeting U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year.”
One of the campaigns, Operation Dream Job, preyed on individuals at 10 companies, including software companies and web hosting providers. The attackers sent social-engineering emails spoofing major job-hunting sites, and once a victim clicked on the spoofed link, the exploit kit was triggered. Phony websites, modeled after the Disney and ZipRecruiter career sites, were crafted for the purpose.
Other fake websites were created to pose as legitimate cryptocurrency and fintech sites in a campaign called Operation AppleJeus. Using the same exploit kit, the attackers trojanized cryptocurrency applications to deliver malware onto a victim’s device.
Both APTs used the same multi-stage exploit kit, made up of several components, to compromise victims. Aware that security teams were monitoring them, the attackers took care to deploy techniques that made the exploits harder to detect.
Among the ways the attackers kept their intrusions less noticeable were serving the exploit only at specific times that were known in advance, and enforcing a single-click policy on the links tied to the exploit kit, so that each link would work only once.
The attackers tried several times to use the exploit after a patch was issued. Weidemann says that this “stresses the importance of applying security updates as they become available.”