Google Targets The US, Cyberattacks From North Korea Successfully Crippled
JAKARTA - Google's Threat Analysis Group (TAG) has just announced that it has discovered two North Korean hacker groups named Operation Dream Job and Operation Apple Jeus last February.
Both groups of hackers claimed to have exploited a remote code execution (REC) exploit in the Chrome web browser. Its main targets are online media, IT, cryptocurrency, and fintech outlets based in the United States (US).
However, Google managed to patch the vulnerability on February 14th. Given the fact that all of the attackers were using the same exploit kit, TAG theorized that they might all share the same malware supply chain and it's likely that other threat actors from North Korea had access to the shared tool as well.
"It is possible that other attackers supported by the North Korean government had access to the same exploit," Google said.
Launching Engadget, Friday, March 25, Operation Dream Job targeted 250 people at 10 companies with fake job offers such as Disney and Oracle sent from fake accounts to look like they were from Indeed or ZipRecruiter.
While Operation Apple Jeus, on the other hand targeted more than 85 users in the cryptocurrency and fintech industries using the same exploit kit. The effort involved at least two legitimate fintech company websites and hosting hidden iframes to serve up exploit kits to visitors.
The attackers also use several sophisticated methods to hide their activities. This includes opening the iframe only in the time slot in which they expect the target to visit the website, unique URLs in links for one-click implementations, AES-based encryption in the exploit step, and atomity of the exploit path.
“In another case, we observed a fake website, set up to distribute a cryptocurrency app that was trojaned hosting an iframe and redirecting their visitors to an exploit kit,” Google explained.
Google explained, the kit initially served some highly obfuscated javascript that was used to fingerprint the target system.
"This script collects all available client information such as user agent, resolution, etc., then sends it back to the exploit server. If an unknown set of requirements is met, the client is served the Chrome RCE exploit and some additional javascript," said Google.
"If RCE is successful, javascript will request the next stage which is referenced in the script as SBX, the common acronym for Sandbox Escape."
Google hopes that by sharing these details, it can encourage users to update their browsers to receive the latest security updates and enable Enhanced Safe Browsing in Chrome.