A few months ago, a Zero-Day bug was reported in the Chrome browser, which was fixed and led Google to ask its users for an urgent update. But the repercussions of that flaw were unknown until now. The team of the giant based in Mountain View has revealed certain events of interest that involved North Korean hackers. Keep reading for the details in this article.
North Korean hackers didn’t let that Zero-Day flaw slip by
The Threat Analysis Group (TAG), a Google team that is responsible for studying, analyzing, and mitigating threats to the company’s services, stated last Thursday that they had to act quickly when two different hacker groups, both backed by the North Korean government, exploited the Chrome Zero-Day flaw discovered back in February.
This flaw is cataloged as CVE-2022-0609; it is a use-after-free vulnerability in the browser’s Animation component that Google addressed as part of updates released on February 14, 2022. It’s also the first Zero-Day flaw patched by them since the start of this year. Through it, the hackers targeted organizations based in the United States across several economic areas, including news media, IT, cryptocurrency, and fintech industries.
“The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022,” Google TAG researcher Adam Weidemann said. “We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques.”
Israel-based cybersecurity firm ClearSky has also studied these exploit campaigns, which follow the same pattern and use the same infrastructure. The first to be taken into account is from August 2020, called “Operation Dream Job,” and it was directed against over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors, offering them fake job offers from companies like Disney, Google, and Oracle.
Other details offered by TAG
Google TAG discovered the intrusions on February 10 and noted that it was “unable to recover any of the stages that followed the initial RCE.” They also pointed out that the cybercriminals used various safeguards, such as AES encryption, to cover their tracks, which hindered the recovery of the later phases of the attack.
These discoveries go with those made by the threat intelligence company Mandiant, which managed to track different Lazarus sub-groups to various government organizations in North Korea, including the Reconnaissance General Bureau (RGB), the United Front Department (UFD), and the Ministry of State Security (MSS). Lazarus is the umbrella moniker collectively referring to malicious cyber and financial crime operations originating from the Asian country, which is heavily sanctioned by many other countries around the world.
In this way, it is confirmed that North Korean hackers have many resources within the intelligence groups of this Asian country, which they take advantage of in any way to have access to public or private organizations of the countries or regions that they consider their enemies.
Photo by Micha Brändli on Unsplash.