Google Bans North Korean Hackers Exploiting Chrome Zero-Day Bug
Google has banned North Korean hacker groups targeting Chrome’s zero-day vulnerability. This urgent issue highlights threats to key sectors, including media, cryptocurrency, and tech industries, and reinforces the need for proactive cybersecurity measures.
2024-01-17
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
In early 2024, Google banned two North Korean hacker groups from leveraging a zero-day vulnerability in Chrome, intensifying global focus on cybersecurity. Despite a fix released by Google in February, attackers deployed the exploit, exposing critical weaknesses across various industries. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly followed up, requiring all government agencies to patch this vulnerability immediately to mitigate further risk.
Overview of North Korean Hacker Activity
North Korea's state-sponsored cyber activities have been on the radar for years, often targeting high-value sectors and critical infrastructure. In addition to the recent Chrome zero-day exploit, these hacker groups—linked to notorious North Korean cyber operations like Lazarus—have also utilized SWIFT system attacks against international financial institutions. Known for the 2014 Sony Pictures hack, Lazarus and affiliated groups have evolved their methods, employing sophisticated, multi-stage attacks to penetrate global technology, cryptocurrency, and media sectors.
“Dream Job” Phishing Campaigns
One of the notable methods employed in these attacks is the "Dream Job" campaign. This tactic preys on professionals, particularly in the United States, by luring them with fake job offers from prestigious companies. Using emails and websites masquerading as those of reputable organizations like Disney, Oracle, and Google, the attackers baited employees in several high-risk sectors, including:
- Media
- Cryptocurrency
- Technology
- Domain name registrars
- Web hosting providers
- Software vendors
These fake job offers aim to compromise organizational security by gaining initial access through unsuspecting employees. The hackers’ fake domains, like disneycareers[.]net and find-dreamjob[.]com, present credible-looking links but are carefully designed traps meant to harvest sensitive data or deploy malicious code.
A Common Exploitation Toolkit
The hackers’ toolkit is as complex as it is effective, crafted to evade detection by security teams. Google Threat Analysis Group (TAG) researcher Adam Weidemann highlighted the overlapping techniques used by these groups, indicating a shared exploit toolkit across campaigns. This toolkit includes:
- Fingerprinting Techniques: Attackers used heavily obfuscated JavaScript code to analyze and collect data on the targeted system. This included exploitation scenarios, user agents, and granted permissions.
- Exploit Kit with Hidden iFrames: Exploits were embedded within both the attackers’ and compromised sites, making use of hidden iFrames that redirected targets.
- Session-Specific Keys: Attackers encrypted each stage of the exploit, making it difficult for security teams to track or reproduce the attacks.
- Multi-Stage Malware: Upon executing the exploit, the attack would request an additional payload to escape the sandbox, escalating the attack if successful.
This robust toolkit not only improved the hackers' chances of a successful breach but also frustrated security efforts to track and contain the threat.
Fake Domains Employed by North Korean Hackers
The following list of fake domains was used in phishing campaigns targeting industries like cryptocurrency, finance, and media. Each of these domains presents a credible facade but is, in fact, a threat actor-controlled trap designed to gather credentials and infiltrate organizational systems:
- disneycareers[.]net
- find-dreamjob[.]com
- indeedus[.]org
- varietyjob[.]com
- ziprecruiters[.]org
- blockchainnews[.]vip
- chainnews-star[.]com
- financialtimes365[.]com
- fireblocks[.]vip
These domains were carefully chosen to imitate popular employment, media, and financial sites, and could be easily mistaken for legitimate websites by employees seeking new job opportunities.
Hackers’ Security Measures to Avoid Detection
These North Korean hacker groups are known for their meticulous approach to evading detection. To protect the integrity of their exploit kit, the attackers implemented the following safeguards:
- Time-Specific iFrame Serving: The attackers only served the exploit frame during certain time windows, likely chosen to align with when they anticipated the target would visit the page.
- Unique Links and IDs in Email Campaigns: To make detection even more difficult, each phishing email included unique links and identifiers, ensuring each attack attempt remained distinct.
- Encrypted Exploitation Stages: Each stage of the attack was encrypted with session-specific keys, meaning that if one phase failed, no additional stages would be served to prevent tracing and reverse-engineering of the code.
These tactics reveal a sophisticated understanding of common cybersecurity defenses, enabling these attackers to maintain their persistence in targeted environments despite ongoing detection and prevention efforts.
Why Are Zero-Day Vulnerabilities So Dangerous?
A zero-day vulnerability like the one exploited in Chrome represents a critical cybersecurity gap. These vulnerabilities are termed “zero-day” because they are unknown to the software provider or vendor until after they’ve been exploited in the wild, giving security teams “zero days” to prepare before an attack. Zero-day exploits are especially valuable to hackers as they offer a way into systems without resistance, enabling them to carry out damaging activities such as data theft, malware installation, or system hijacking.
Defending Against North Korean Cyber Threats
Organizations in critical sectors must take a proactive approach to defend against sophisticated phishing and zero-day attacks. Training and awareness initiatives, like those provided by Keepnet Labs’ Security Awareness Training, can significantly mitigate the risk posed by these attacks. Businesses can also implement phishing simulations to assess employees’ ability to recognize these threats in real-time.
In addition to training, companies should:
- Conduct Regular Security Updates: Patch management is crucial, especially for widely used applications like Chrome. Stay vigilant for updates, especially following a zero-day alert.
- Implement Email Security Solutions: Tools that detect and filter phishing emails are essential to prevent malicious links and attachments from reaching end users.
- Limit Access Privileges: Adopt the principle of least privilege to ensure that even if an attacker gains access, they encounter limited system permissions.
- Monitor for Fake Domains: Register similar domains and use tools to monitor for suspicious new domains resembling your own to prevent spoofing attacks.
Organizations across industries need to treat cybersecurity as an essential and continuous practice. A comprehensive human risk management platform like Keepnet Human Risk Management Platform offers a holistic approach to cybersecurity, helping teams track, educate, and protect their workforce against evolving threats.
Editor’s note: This blog was updated November 7, 2024
SHARE ON