North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets
Critical vulnerability exploited by 2 groups both working for the North Korean government.
Operation Dream Job has been active since at least June 2020, when researchers at security firm ClearSky observed the group targeting defense and governmental companies. Bad guys targeted specific employees in the organizations with fake offers of a "dream job" with companies such as Boeing, McDonnell Douglas, and BAE. The hackers devised an elaborate social-engineering campaign that used fictitious LinkedIn profiles, emails, WhatsApp messages, and phone calls. The goal of the campaign was both to steal money and to collect intelligence.

AppleJeus, meanwhile, dates back to at least 2018. That's when researchers from security firm Kaspersky saw North Korean hackers targeting a cryptocurrency exchange using malware that posed as a cryptocurrency trading application. The AppleJeus operation was notable for its use of a malicious app that was written for macOS, which company researchers said was probably the first time an APT (short for government-backed "advanced persistent threat group") used malware to target that platform. Also noteworthy was the group's use of malware that ran solely in memory without writing a file to the hard drive, an advanced feature that makes detection much harder.

One of the two groups (Weidemann didn't say which one) also used some of the same control servers to infect security researchers last year. The campaign used fictitious Twitter personas to develop relationships with the researchers. Once a level of trust was established, the hackers used either an Internet Explorer zero-day or a malicious Visual Studio project that purportedly contained source code for a proof-of-concept exploit.

In February, Google researchers learned of a critical vulnerability being exploited in Chrome. Company engineers fixed the vulnerability and gave it the designation CVE-2022-0609. On Thursday, the company provided more details about the vulnerability and how the two North Korean hacking groups exploited it.
Operation Dream Job sent targets emails that purported to come from job recruiters working for Disney, Google, and Oracle. Links embedded in the emails led to pages spoofing legitimate job-hunting sites such as Indeed and ZipRecruiter. Those pages contained an iframe that triggered the exploit.
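The delivery chain described above ends in a spoofed job page that loads the exploit through an embedded iframe. The script below is an added example written for this page, not code from Google, Ars Technica, or either threat group: it parses a fetched HTML page and flags iframes that are hidden or zero-sized, or that pull content from a host other than the page itself, which is the kind of triage check a defender can run over pages linked from suspicious recruiting emails. It generalizes beyond this one campaign to any page that hides a cross-origin frame. The page URL, hostnames, and HTML are constructed sample input, not values taken from the real campaign.

```python
"""
Flag iframes in a fetched page that look like exploit-delivery scaffolding:
hidden or zero-sized frames, or frames whose source is on a different host
than the page that embeds them.  All sample input below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # A bare attribute such as `hidden` arrives with value None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is styled away or collapsed to (near) zero size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def suspicious_iframes(page_url, html):
    """Return a list of (reason, src) for iframes that warrant a closer look.

    reason is "hidden-or-tiny", "cross-origin", or both joined with "+".
    """
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src resolves to the embedding page's own host.
        src_host = urlparse(src).hostname or page_host
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden-or-tiny")
        if src_host != page_host:
            reasons.append("cross-origin")
        if reasons:
            findings.append(("+".join(reasons), src))
    return findings


# Constructed sample: a fake recruiting page with one legitimate on-site
# form frame, one hidden cross-origin loader, and one visible embed.
SAMPLE_PAGE_URL = "https://jobs.example-recruiter.test/apply"
SAMPLE_HTML = """
<html><body>
<h1>Senior Engineer - Apply now</h1>
<iframe src="/widgets/form.html" width="600" height="400"></iframe>
<iframe src="https://cdn.example-attacker.test/loader.html"
        width="0" height="0" style="display:none"></iframe>
<iframe src="https://video.example-partner.test/embed/123"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for reason, src in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Run it against the saved HTML of a page rather than by visiting the link in a browser; a hit on "hidden-or-tiny+cross-origin" is the strongest signal, while a plain "cross-origin" frame is common on legitimate pages and only merits a look at the destination host.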
https://arstechnica.com/information-technology/2022/03/north-korean-hackers-unleashed-chrome-0-day-exploit-on-hundreds-of-us-targets/