Application Security, Cybercrime, Cybercrime as-a-service
North Korean Hackers Launched Now-Patched Zero-Day Exploit in Two Campaigns
Devon Warren-Kachelein (devawarren)
March 26, 2022
North Korean state-backed hackers targeted hundreds of users at organizations across several industries through a Chrome zero-day exploit, according to Google.
The vulnerability, tracked as CVE-2022-0609, is a use-after-free bug in Chrome's Animation component. A web page controlled by the attacker can use it to run code inside the browser's renderer process; taking over the device from there requires a further sandbox escape, which Google said it was unable to recover. Google attributes the activity to two distinct groups, but both campaigns have previously been linked by security researchers to the North Korean group Lazarus, under the names "Operation Dream Job" and "Operation AppleJeus," and have been tracked since at least 2018. Both groups delivered the same exploit kit through hidden iframes placed on websites they had compromised and on websites they had set up themselves to lure victims.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” said Adam Weidemann, director of engineering for Google’s Threat Analysis Group. “It is possible that other North Korean government-backed attackers have access to the same exploit kit.”
Lazarus has been connected to several major cybercrimes, including the February 2016 intrusion at Bangladesh Bank, in which the attackers planted malware on the bank’s systems and used it to send fraudulent transfer instructions over SWIFT, the international messaging network for banks. Known as the Bangladesh Bank heist, the operation moved $101 million out of the bank’s account at the Federal Reserve Bank of New York, of which about $81 million was never recovered.
Security firm Kaspersky also tracks a North Korean group it calls BlueNoroff; in a presentation for the Centre for Cyber Security Belgium, a Kaspersky researcher said he suspected that group was linked to Lazarus.
Google patched the vulnerability on Feb. 14, 2022, in Chrome 98.0.4758.102. Its Threat Analysis Group says the earliest evidence it has of the exploit kit being deployed dates to Jan. 4, 2022.
Google’s Weidemann said that the campaign had targeted several industries, ranging from cryptocurrency firms to media outlets.
“We observed the campaigns targeting US based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year.”
One of the campaigns, Operation Dream Job, targeted more than 250 individuals at 10 companies, including news media, domain registrars, web hosting providers and software vendors. The attackers sent emails posing as recruiters from major job-hunting sites; when a victim clicked the spoofed link, it led to a fake careers page, modeled on those of Disney and ZipRecruiter, that loaded the exploit kit in a hidden iframe.
The other campaign, Operation AppleJeus, used the same exploit kit against more than 85 users in the cryptocurrency and fintech industries. The attackers built fake websites posing as legitimate cryptocurrency and fintech companies, some of them already set up to distribute trojanized cryptocurrency applications, and also compromised at least two legitimate fintech company websites, adding hidden iframes that sent visitors to the exploit kit.
Both groups used the same multi-stage exploit kit, in which each component was served only after the previous stage had succeeded. Aware that security teams would be watching, the attackers built in several safeguards that made the stages hard to recover.
Among them: the hidden iframe was served only at specific times, presumably when the attackers knew an intended target would be visiting the site; links in the phishing emails carried unique per-target IDs, apparently to enforce a one-time-click policy so the kit would be served to a given link only once; and each stage, including the client's responses, was AES-encrypted with a session-specific key. The practical consequence for defenders is that a link replayed later from a sandbox or analysis host returns only the benign decoy page.
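The following is an added illustrative model of the two serving restrictions described above (time-gated delivery and one-time links with per-target IDs). It is not the exploit kit's code and not from Google's report; the domain careers.example, the /stage1 iframe path and the token format are assumptions chosen for the example. It shows why a captured URL, replayed later by an analyst, yields only the decoy page, so the exploit stages have to be captured on the target's first, in-window request.

```python
"""Hypothetical model of a time-gated, one-time-link lure site.

Not the real exploit kit: a stand-in that reproduces the gating
behaviour described in Google TAG's report so defenders can see why
replaying a link from a sandbox returns only the benign page."""
from datetime import datetime, timedelta, timezone
import secrets
from urllib.parse import parse_qs, urlparse

BENIGN_PAGE = "<html><body>Senior Engineer - apply now</body></html>"
# Placeholder path; in the campaign the iframe pointed at the attacker's kit.
HIDDEN_IFRAME = '<iframe src="/stage1" width="0" height="0" style="display:none"></iframe>'


class GatedLureSite:
    """Serves the hidden iframe once per token, and only inside a time window."""

    def __init__(self, window_start: datetime, window_end: datetime):
        self.window_start = window_start
        self.window_end = window_end
        self.tokens: dict[str, dict] = {}  # token -> {"target": str, "served": bool}

    def issue_link(self, target: str) -> str:
        """Create a per-target link carrying an unpredictable one-time ID."""
        token = secrets.token_hex(8)
        self.tokens[token] = {"target": target, "served": False}
        return f"https://careers.example/job?id={token}"  # assumed lure domain

    def serve(self, url: str, now: datetime) -> tuple[str, str]:
        """Return (html, reason). The iframe is included only when every gate passes."""
        token = parse_qs(urlparse(url).query).get("id", [None])[0]
        entry = self.tokens.get(token)
        if entry is None:
            return BENIGN_PAGE, "unknown-id"       # crawlers, scanners, guessed URLs
        if not (self.window_start <= now <= self.window_end):
            return BENIGN_PAGE, "outside-window"   # target not expected at this time
        if entry["served"]:
            return BENIGN_PAGE, "already-served"   # replay from a sandbox or analyst
        entry["served"] = True
        return BENIGN_PAGE + HIDDEN_IFRAME, "exploit-served"


def walkthrough() -> list[str]:
    """Constructed sequence: the target clicks in the window, then the link is replayed.

    Returns the gate decision for each request."""
    start = datetime(2022, 1, 4, 9, 0, tzinfo=timezone.utc)
    site = GatedLureSite(start, start + timedelta(hours=8))
    link = site.issue_link("victim@example.org")
    reasons = []
    # 1. The intended target opens the emailed link during the window.
    reasons.append(site.serve(link, start + timedelta(hours=1))[1])
    # 2. An analyst opens the same link in a sandbox ten minutes later.
    reasons.append(site.serve(link, start + timedelta(hours=1, minutes=10))[1])
    # 3. Another analyst tries a day later, outside the window.
    reasons.append(site.serve(link, start + timedelta(days=1))[1])
    # 4. A crawler fetches the page without any ID.
    reasons.append(site.serve("https://careers.example/job", start + timedelta(hours=2))[1])
    return reasons


if __name__ == "__main__":
    print(walkthrough())  # ['exploit-served', 'already-served', 'outside-window', 'unknown-id']
```

Only the first request ever sees the iframe; every later fetch of the same URL, from whatever host, looks like a harmless careers page. That is why full-content proxy capture or browser telemetry from the victim's own session matters more than later retrieval when investigating this kind of kit.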
The attackers tried several times to use the exploit after a patch was issued. Weidemann says that this “stresses the importance of applying security updates as they become available.”
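One concrete way to act on that advice is to check whether any browsers in the environment still predate the fixed build. The example below is added here and is not from Google or the article: it scans constructed web-proxy log lines for Chromium User-Agent strings and flags versions older than Chrome 98.0.4758.102, the first stable build containing the fix for CVE-2022-0609. The log format, client IPs and URLs are made up for the example.

```python
"""Flag Chromium-based browsers older than the CVE-2022-0609 fix from proxy logs.

Added example, not from the original report. The log format below is
constructed; adapt LOG_LINE_RE to the proxy actually in use."""
import re
from typing import Optional

# Chrome 98.0.4758.102 (Feb. 14, 2022) is the first stable build with the fix.
FIXED_VERSION = (98, 0, 4758, 102)

# Chrome, and Chromium-based browsers such as Edge and Brave, report the
# full four-part Chromium version in a Chrome/ token.
CHROME_VERSION_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed proxy log lines: time, client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
2022-03-01T09:12:03Z 10.0.4.21 GET https://careers.example/job "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
2022-03-01T09:12:44Z 10.0.4.33 GET https://careers.example/job "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
2022-03-01T09:13:10Z 10.0.4.58 GET https://careers.example/job "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"
2022-03-01T09:14:02Z 10.0.4.77 GET https://careers.example/job "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0"
2022-03-01T09:15:30Z 10.0.4.90 GET https://careers.example/job "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.30"
"""

LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_chrome_version(user_agent: str) -> Optional[tuple[int, int, int, int]]:
    """Return the four-part Chromium version from a UA string, or None for other browsers."""
    m = CHROME_VERSION_RE.search(user_agent)
    if not m:
        return None
    major, minor, build, patch = (int(part) for part in m.groups())
    return (major, minor, build, patch)


def is_unpatched(version: tuple[int, int, int, int]) -> bool:
    """Tuple comparison orders 98.0.4758.80 before 98.0.4758.102; a string compare would not."""
    return version < FIXED_VERSION


def find_unpatched_clients(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, version) for every Chromium browser older than the fixed build."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        client_ip, user_agent = m.group(2), m.group(5)
        version = parse_chrome_version(user_agent)
        if version is not None and is_unpatched(version):
            hits.append((client_ip, ".".join(str(n) for n in version)))
    return hits


if __name__ == "__main__":
    for ip, version in find_unpatched_clients(SAMPLE_LOG):
        print(f"{ip} is running Chromium {version}, older than {'.'.join(map(str, FIXED_VERSION))}")
```

The User-Agent is self-reported and can be spoofed or reduced, and a proxy only sees browsers that pass through it, so treat this as a triage signal and confirm against endpoint-management inventory. Firefox and other non-Chromium browsers are skipped rather than flagged, because the check says nothing about their patch state.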