Google announced the discovery and closure of a vulnerability in Chrome that allowed remote code execution in the browser. This vulnerability is believed to have been exploited by North Korean hackers.
According to the British outlet The Register, citing Google employee Adam Weidemann, the Chrome vulnerability was identified on February 10 and had been exploited since at least January 4. The flaw made it possible to compromise the victim's browser, take control of the computer and carry out surveillance. The North Korean intelligence services "targeted" employees of American media, high-tech, cryptocurrency and fintech companies, but it is possible the attackers also operated in other countries and industries.
The vulnerability was exploited by the Pyongyang-controlled groups behind Operation Dream Job and Operation AppleJeus; they used the same exploit code but followed different scenarios. Operation Dream Job hackers targeted media workers, domain registrars, ISPs and software vendors. The attackers posed as human resources specialists, sending fake emails about job vacancies at Google, Oracle and Disney and disguising the messages as genuine letters from recruitment agencies. Victims were led to websites containing hidden iframes that exploited the vulnerability to run arbitrary code. The Operation AppleJeus group targets people who deal with cryptocurrencies or work in the fintech industry; they too were lured to phishing sites with hidden iframe elements.
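The hidden iframe is the delivery mechanism the article describes for both campaigns, so a defender triaging a suspected lure page wants a quick way to surface iframes a user would never see. The following Python script is an added example, not code from Google or from the article; it uses only the standard library, and the HTML it scans is a constructed sample (the `example.invalid` URLs are placeholders, not real indicators). It flags iframes that are tiny, CSS-hidden, pushed offscreen, or carry the `hidden` attribute, and reports why each one was flagged.

```python
"""Surface hidden <iframe> elements in a saved HTML page (defender-side triage aid)."""
import re
from html.parser import HTMLParser

# Constructed sample page for illustration only; not a real lure page.
SAMPLE_HTML = """
<html><body>
<h1>Senior Engineer opening</h1>
<iframe src="https://example.invalid/stage1" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://example.invalid/video" width="640" height="360"></iframe>
<iframe src="https://example.invalid/stage2" style="position:absolute; left:-9999px"></iframe>
<iframe src="https://example.invalid/stage3" hidden></iframe>
</body></html>
"""

_TINY_PX = 2  # a width or height at or below this many pixels is treated as invisible
_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
_CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Parse '1' or '1px' into an int; return None for percentages or missing values."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return int(m.group(1)) if m else None


def iframe_hiding_reasons(attrs):
    """Return the reasons an <iframe> with these attributes would be hidden from the user."""
    a = dict(attrs)  # html.parser gives [(name, value)], value is None for bare attributes
    reasons = []
    if "hidden" in a:
        reasons.append("hidden attribute")
    w, h = _px(a.get("width")), _px(a.get("height"))
    if (w is not None and w <= _TINY_PX) or (h is not None and h <= _TINY_PX):
        reasons.append("tiny size")
    style = a.get("style") or ""
    if _CSS_HIDDEN.search(style):
        reasons.append("css hidden")
    if _OFFSCREEN.search(style):
        reasons.append("offscreen")
    return reasons


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reasons) for every iframe that has at least one hiding reason."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        reasons = iframe_hiding_reasons(attrs)
        if reasons:
            self.findings.append((dict(attrs).get("src") or "", reasons))


def find_hidden_iframes(html):
    """Scan an HTML document and return a list of (src, reasons) for hidden iframes."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"{src}: {', '.join(reasons)}")
```

The visible 640x360 video frame is left alone, while the three concealed frames are reported with the specific trick that conceals them. The checks are deliberately simple string and attribute tests so that the script can run over a page pulled from a proxy cache or a mail sandbox without a browser; a frame hidden purely by JavaScript after load would need a rendered DOM to catch.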
The hackers covered their tracks thoroughly: every victim received a unique link that became inaccessible after the first visit, each stage was encrypted with the AES algorithm, and if any stage failed the chain stopped there. A Google employee clarified that the company was able to trace the entire chain of attacks on Chrome, and that there were indications of attempts to run a similar scenario against Safari and Firefox, but the traces of those attacks had already been destroyed.