Google says it thwarted North Korean cyberattacks in early 2022

Google’s Threat Analysis Group announced on Thursday that it had discovered a pair of North Korean hacking cadres going by the monikers Operation Dream Job and Operation AppleJeus in February that were leveraging a remote code execution exploit in the Chrome web browser. 

The blackhatters reportedly targeted the US news media, IT, crypto and fintech industries, with evidence of their attacks going back as far as January 4th, 2022, though the Threat Analysis Group notes that organizations outside the US could have been targets as well.

“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” the Google team wrote on Thursday. “It is possible that other North Korean government-backed attackers have access to the same exploit kit.”

Operation Dream Job targeted 250 people across 10 companies with fraudulent job offers from the likes of Disney and Oracle sent from accounts spoofed to look like they came from Indeed or ZipRecruiter. Clicking on the link would launch a hidden iframe that would trigger the exploit. 

Operation AppleJeus, on the other hand targeted more than 85 users in the cryptocurrency and fintech industries using the same exploit kit. That effort involved “compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors,” Google’s security researchers found. “In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.”

“The kit initially serves some heavily obfuscated javascript used to fingerprint the target system,” the team said. “This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as ‘SBX,’ a common acronym for Sandbox Escape.”

The Google security group discovered the activity on February 10th and had patched it by February 14th. The company has added all identified websites and domains to its Safe Browsing database as well as notified all of the targeted Gmail and Workspace users about the attempts. 

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.