Google’s Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently uncovered remote code execution flaw in the Chrome web browser.
The campaigns, once again “reflective of the regime’s immediate concerns and priorities,” are said to have targeted U.S.-based organizations spanning the news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year.
The shortcoming in question is CVE-2022-0609, a use-after-free vulnerability in the browser’s Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It’s also the first zero-day flaw patched by the tech giant since the start of 2022.
“The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022,” Google TAG researcher Adam Weidemann said in a report. “We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques.”
The first campaign, consistent with TTPs associated with what Israeli cybersecurity firm ClearSky described as “Operation Dream Job” in August 2020, was directed against over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors, luring them with fake job offers from companies like Disney, Google, and Oracle.