Cybersecurity is almost always in the news, both because of the evolving threats from malicious actors and because of the defenses organizations build to counter them. Today, Google issued a warning about state-sponsored hackers from North Korea who exploited a vulnerability, now fixed, in Chrome.
Google's Threat Analysis Group (TAG) says it has traced deployments of an exploit kit targeting Chrome back to January 4, 2022. On February 10, it observed two North Korea-backed groups exploiting the same vulnerability. The targets were primarily U.S.-based news, IT, cryptocurrency, and fintech organizations. Google patched the vulnerability on February 14. Because both groups used the same exploit kit, TAG theorizes that they share the same malware supply chain, and that other North Korean threat actors may have access to the shared tooling too.
Google says that personnel at news media outlets received emails from attackers posing as recruiters from Disney, Google, and Oracle. The emails contained links to fake sites that mimicked recruitment portals such as ZipRecruiter and Indeed. Fintech and cryptocurrency firms, meanwhile, were sent links to compromised websites belonging to legitimate fintech companies. Anyone who clicked on the links was served a hidden iframe, which triggered the exploit.
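As an added illustration (this is not code from Google's report, nor anything recovered from the attackers' kit), the check below scans a page's HTML for iframes that a user would never see and reports where each one points. The sample careers page, the hostnames (example-fintech.com, ads.example.net) and the 203.0.113.10 address are all constructed and are not indicators from the report; the regex-based tag parsing is adequate for this sample, but untrusted pages should go through a real HTML parser.

```javascript
// Added example: triage check for hidden iframes injected into a web page,
// the delivery mechanism described in the article. Not code from Google TAG's
// report or from the exploit kit; the sample page below is constructed.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value', name=value, or a bare boolean attribute (hidden)
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns the list of reasons an iframe with these attributes is invisible
// to the user: hidden attribute, display/visibility/opacity tricks, off-screen
// positioning, or a 0x0 / 1x1 frame (by attribute or inline style).
function hiddenReasons(attrs) {
  const reasons = [];
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  const px = (name) => {
    const m = style.match(new RegExp("(?:^|;)" + name + ":(\\d+)"));
    const v = m ? m[1] : attrs[name];
    return v === undefined ? undefined : parseInt(v, 10);
  };
  if ("hidden" in attrs) reasons.push("hidden attribute");
  if (/(?:^|;)display:none/.test(style)) reasons.push("display:none");
  if (/(?:^|;)visibility:hidden/.test(style)) reasons.push("visibility:hidden");
  if (/(?:^|;)opacity:0(?:;|$)/.test(style)) reasons.push("opacity:0");
  if (/(?:^|;)(?:left|top):-\d+/.test(style)) reasons.push("positioned off-screen");
  const w = px("width");
  const h = px("height");
  if ((w !== undefined && w <= 1) || (h !== undefined && h <= 1)) {
    reasons.push(`tiny frame ${w}x${h}`);
  }
  return reasons;
}

// Scans html for hidden iframes, resolving each src against pageUrl so that
// relative paths get the page's own host. Cross-origin hidden frames deserve
// the closest look: a compromised legitimate site pointing at an unrelated
// host is exactly the pattern described in the article.
function findHiddenIframes(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const tag of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(tag[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length === 0) continue;
    const src = attrs.src || "";
    let host;
    try {
      host = new URL(src, pageUrl).hostname;
    } catch (e) {
      host = "(unparseable)";
    }
    findings.push({ src, host, crossOrigin: host !== pageHost, reasons });
  }
  return findings;
}

// Constructed sample: a careers page on a fictional fintech site with one
// legitimate visible widget and three hidden frames. 203.0.113.10 is from the
// RFC 5737 documentation range, not a real indicator of compromise.
const SAMPLE_URL = "https://www.example-fintech.com/careers";
const SAMPLE_PAGE = `
<html><body>
<h1>Careers</h1>
<iframe src="/widgets/jobs" width="600" height="400"></iframe>
<iframe src="/analytics/beacon" style="display: none"></iframe>
<iframe src="https://203.0.113.10/loader.html" width="1" height="1"
        style="position: absolute; left: -9999px; top: 0"></iframe>
<iframe hidden src="https://ads.example.net/pixel?u=3"></iframe>
</body></html>`;

for (const f of findHiddenIframes(SAMPLE_PAGE, SAMPLE_URL)) {
  const tag = f.crossOrigin ? "CROSS-ORIGIN" : "same-origin ";
  console.log(`${tag} ${f.host.padEnd(24)} ${f.src}  (${f.reasons.join(", ")})`);
}
```

Run against a saved copy of a suspect page, the same-origin hit (the analytics beacon) is the kind of thing a site legitimately does, while the two cross-origin hits are what an incident responder would pull the hosts from. The check only sees frames present in the static HTML; an iframe injected by script, or one served only during the attackers' chosen time window, needs the rendered DOM from a browser session captured at the right time.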
In terms of what the exploit actually did, here's TAG's run-down:
The kit initially serves some heavily obfuscated JavaScript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional JavaScript. If the RCE was successful, the JavaScript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.
The attackers also took several careful steps to hide their activity: the iframe was served only during the time windows in which they expected the target to visit the site, links carried unique one-time URLs, the exploitation stages were AES-encrypted, and the pipeline was atomic, with each stage delivered only if the previous one had succeeded. These measures are also why the stages after the initial RCE could not be recovered for analysis.
Although Google fixed the remote code execution (RCE) vulnerability in Chrome on February 14, it hopes that sharing these details will encourage users to update their browsers to receive the latest security fixes and to enable Enhanced Safe Browsing in Chrome. The indicators of compromise (IoCs) it shared may also help other organizations and individuals protect themselves against similar activity. Everyone targeted by the North Korean threat actors in the last couple of months has already been informed.