March 27, 2022

Google Stops Hackers

Google has announced that it has prevented two North Korean hacking groups from exploiting a zero-day bug in its Chrome browser. The bug (CVE-2022-0609) was patched in February, but it was being exploited a whole month before that, with reports of it being used as early as January 4th 2022. The US agency CISA mandated that federal agencies patch the bug in February. The North Korean hacking groups suspected of using the exploit are linked to Lazarus, another North Korean group accused of hacking Sony Pictures and attacking the SWIFT international bank-messaging system.

It is suspected that all of these groups are working for the same entity (potentially the North Korean government) and share a supply chain, which is why they are all able to use the same exploits. However, each group appears to use different techniques and to have a different mission when deploying attacks. The hackers delivered their exploit kit through hidden iframes embedded in both websites they owned and websites they had compromised. This kit contained multiple different stages and components.

Anonymous Hacker Group

The groups have primarily targeted US tech, cryptocurrency, news media, and fintech organisations, but according to Google similar companies in other countries may also have been targeted. The groups have also targeted web-hosting providers, software vendors, and domain registrars with fake job offers in emails that impersonate recruiters from the likes of Oracle, Disney, and Google. These emails contained links to spoofed versions of job board websites that are popular in the US for hiring tech talent.

Once the groups were discovered, Google added all known websites and domains to its Safe Browsing service, which protected users from further exploitation. Google also sent alerts to all targeted Gmail and Workspace users. A recent Google acquisition, Mandiant, has identified the hacking groups as Lab 110, TEMP.Hermit, APT38, Andariel, and Bureau 325, all operating under North Korea’s foreign intelligence agency, which deals with technology, operations, and reconnaissance. Mandiant claims that North Korea is borrowing China’s strategy of cajoling hacker groups into working with the government.

Each of these groups is assigned to target separate industries, either to gather intelligence for the purposes of geopolitical strategy or to raise revenue for North Korea’s ballistic missile programs through cryptocurrency theft. Information collected through these attacks may also be used to develop vaccines, bypass sanctions, fund other weapons programs, and produce other strategies and internal material relevant to the North Korean regime.
