North Korean hackers exploited Chrome zero-day in attacks against news media, fintech orgs

Google’s Threat Analysis Group (TAG) has published a report detailing two hacking campaigns in which North Korea-linked state-sponsored hackers exploited a remote code execution (RCE) vulnerability in the Google Chrome browser (CVE-2022-0609) in attacks targeting a slew of US-based organizations in the news media, IT, cryptocurrency and fintech industries.

The first campaign, tracked as “Operation Dream Job”, targeted over 250 individuals working for 10 different news media outlets, domain registrars, web hosting providers and software vendors with phishing emails purporting to come from recruiters at Disney, Google and Oracle. The emails contained links to fake websites disguised as legitimate job-hunting platforms like Indeed and ZipRecruiter, which served the exploit kit for CVE-2022-0609.

Another North Korean cluster of activity, tracked as “Operation AppleJeus”, targeted over 85 users in cryptocurrency and fintech industries using the same exploit kit.

“This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit,” the research team explained.
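The delivery method TAG describes in both campaigns is a hidden iframe injected into a legitimate (compromised) or look-alike page, pointing visitors to the exploit kit. A site owner or incident responder can check their own pages for that pattern. The following script is an added example written for this page, not code from Google TAG or the report; it uses only the Python standard library, and the sample HTML, hostnames (fintech.example, malicious.example) and paths are constructed for illustration.

```python
"""Flag hidden iframes in an HTML page, noting whether they point off-site.

Added example (not from the original article). Heuristics cover the common
ways an injected iframe is concealed: zero/one-pixel dimensions, display:none,
visibility:hidden, off-screen positioning, or the `hidden` attribute.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lower-cases attribute names; a bare attribute such as
            # `hidden` arrives with value None, which we normalise to "".
            self.iframes.append({name: (value or "") for name, value in attrs})


def _hidden_reasons(attrs):
    """Return the list of reasons this iframe looks concealed (empty = visible)."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    if "left:-" in style or "top:-" in style:
        reasons.append("positioned off-screen")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    return reasons


def find_hidden_iframes(html, page_url):
    """Return hidden iframes as dicts: src, third_party flag and the reasons.

    `third_party` is True when the iframe src has a host that differs from the
    page's own host; relative or same-host sources are still reported so an
    analyst can review them, but are marked third_party=False.
    """
    collector = _IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc.lower()

    findings = []
    for attrs in collector.iframes:
        reasons = _hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        src_host = urlparse(src).netloc.lower()
        findings.append({
            "src": src,
            "third_party": bool(src_host) and src_host != page_host,
            "reasons": reasons,
        })
    return findings


# Constructed sample page: one legitimate embed, one concealed off-site iframe
# of the kind described in the article, and one hidden same-origin widget.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly results</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="https://malicious.example/landing.html" width="1" height="1" style="display:none"></iframe>
<iframe src="/widgets/ticker.html" style="display: none"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "https://fintech.example/"):
        flag = "OFF-SITE" if finding["third_party"] else "same-origin"
        print(f"{flag:12} {finding['src']}  ({', '.join(finding['reasons'])})")
```

Run it against a page fetched from your own site (or a saved copy from a web server's document root). A hidden iframe whose source is an unfamiliar third-party host is the case worth escalating; hidden same-origin frames are usually benign but are listed so the reviewer can confirm.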

Google TAG discovered the campaigns on February 10 and fixed the vulnerability in an emergency Google Chrome update released on February 14. Google said that the earliest sign of this zero-day flaw being actively exploited was discovered on January 4.
