Google has attributed the exploitation of a zero-day bug in Chrome to two North Korean hacker groups. Google released fixes in February, but the exploit had already been used in the wild before the patch shipped.
After the incident came to light in February, the US Cybersecurity and Infrastructure Security Agency (CISA) directed all federal government agencies to patch this Chrome zero-day immediately.
Beyond this exploit, North Korean hacker groups have also attacked the SWIFT international banking messaging system; that activity is linked to the Lazarus group, which is believed to be behind the hack of Sony Pictures.
In the campaign tracked by Google TAG as Operation “Dream Job”, the attackers targeted US-based organizations in the following sectors:
- News media,
- Technology industry,
- Domain name registrars,
- Web hosting providers,
- Software vendors.
The targets received fake job-offer e-mails in which the attackers posed as recruiters from the following well-known multinational companies:
Adam Weidemann said: “We think that these groups share a common supply chain, and therefore use the same set of exploits, but with different settings applied, a different mission set and different methods for each. It is entirely possible that other attackers supported by the North Korean government may have had access to the same exploits.”
Hackers’ Security Measures
To prevent security teams from recovering the stages of their exploit chain, the attackers implemented a number of precautions. All of the safeguards the hackers used are listed below:
- The frame delivering the exploit appears to have been served only at specific times, presumably when the attackers knew their target would visit the page.
- The recipients of some email campaigns received unique links and IDs.
- The exploit kit encrypted each stage, including the client’s responses, with a session-specific key.
- No future stages would be served if the previous stage failed.
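The list above is the attacker’s side of the story. As an added example that is not part of the original article or of Google TAG’s reporting, the script below shows how a defender could look for two of these patterns in web proxy logs: links that carry a different high-entropy token for every recipient, and staged fetch chains that stop dead after a failed stage. The log lines, hostnames, client addresses and tokens are all constructed for the example; the field layout (timestamp, client, host, path, status) is an assumption about how a proxy log might be exported.

```python
import math
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): "timestamp client host path status".
# Three clients get per-recipient tokens on /offer/...; the third fails stage 1 (403)
# and never fetches stage 2. The intranet lines are ordinary, shared-URL traffic.
PROXY_LOG = """\
2022-02-10T09:01:12Z 10.0.0.11 recruit-portal.example /offer/5f2a9c7e1b3d4 200
2022-02-10T09:01:14Z 10.0.0.11 recruit-portal.example /stage2/5f2a9c7e1b3d4 200
2022-02-10T09:01:17Z 10.0.0.11 recruit-portal.example /stage3/5f2a9c7e1b3d4 200
2022-02-10T09:03:40Z 10.0.0.12 recruit-portal.example /offer/c81d0e4a7f6b2 200
2022-02-10T09:03:42Z 10.0.0.12 recruit-portal.example /stage2/c81d0e4a7f6b2 200
2022-02-10T09:08:05Z 10.0.0.13 recruit-portal.example /offer/9e4b1d7c3a5f0 403
2022-02-10T09:30:00Z 10.0.0.14 intranet.example /news/index.html 200
2022-02-10T09:31:00Z 10.0.0.15 intranet.example /news/index.html 200
2022-02-10T09:32:00Z 10.0.0.16 intranet.example /news/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Split each line into a record; 'prefix' is the first path segment (the stage),
    'token' the last segment (a possible per-recipient identifier)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, host, path, status = m.groups()
        segs = [s for s in path.split("/") if s]
        records.append({
            "ts": ts, "client": client, "host": host,
            "prefix": segs[0] if segs else "",
            "token": segs[-1] if len(segs) > 1 else "",
            "status": int(status),
        })
    return records


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def per_recipient_links(records, min_clients=3, min_entropy=3.0):
    """Return {(host, prefix): client_count} for URL families where every client
    received a distinct, high-entropy trailing token (unique links per recipient)."""
    seen = defaultdict(dict)  # (host, prefix) -> {client: token}
    for r in records:
        if r["token"]:
            seen[(r["host"], r["prefix"])][r["client"]] = r["token"]
    flagged = {}
    for key, by_client in seen.items():
        tokens = set(by_client.values())
        if (len(by_client) >= min_clients
                and len(tokens) == len(by_client)
                and all(shannon_entropy(t) >= min_entropy for t in tokens)):
            flagged[key] = len(by_client)
    return flagged


def stage_chains(records, host):
    """Per client, the time-ordered list of (stage prefix, status) fetched from host."""
    chains = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["host"] == host:
            chains[r["client"]].append((r["prefix"], r["status"]))
    return dict(chains)


def stalled_chains(records, host):
    """Clients whose last fetch from host failed and who fetched nothing afterwards:
    consistent with a server that serves no further stage once one fails."""
    return sorted(c for c, chain in stage_chains(records, host).items()
                  if chain[-1][1] != 200)


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    print("per-recipient link families:", per_recipient_links(recs))
    print("stage chains:", stage_chains(recs, "recruit-portal.example"))
    print("stalled after failure:", stalled_chains(recs, "recruit-portal.example"))
```

On this constructed log the only flagged family is `recruit-portal.example` under `/offer/`: three clients, three different tokens, no token shared. The chain view makes the gating visible too, since the client that got a 403 on stage 1 never appears in a stage 2 request. Neither signal is proof of an exploit kit on its own (tracking links in legitimate mail look similar), so the natural next step is to join flagged hosts against mail-gateway logs for the same recipients and time window.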