Researchers have detailed campaigns by two North Korean government-backed attack groups that leveraged the same exploit kit to target U.S. organizations across the news media, IT, cryptocurrency and fintech sectors.
The groups were exploiting a high-severity remote code execution flaw in the animation component of the Google Chrome browser (CVE-2022-0609), which was fixed by Google in Chrome version 98.0.4758.102, released Feb. 14. Researchers discovered the campaigns on Feb. 10, but they said the exploit kit was deployed as early as Jan. 4.
“The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available,” said Adam Weidemann with Google’s Threat Analysis Group (TAG) in a Thursday analysis.
Both campaigns used an exploit kit that was triggered via hidden iframes that were embedded on websites. One of the campaigns targeted over 250 employees of 10 different news media, domain registrars, web hosting providers and software vendors. These targeted employees received emails that claimed to be from recruiters at companies like Disney, Google and Oracle, and that contained links spoofing legitimate job hunting websites, like Indeed or ZipRecruiter (using fake domains like indeedus[.]org and ziprecruiters[.]org).
Another campaign targeted 85 users in the cryptocurrency and fintech sectors. In this attack, the actors compromised at least two legitimate fintech websites (options-it[.]com and tradingtechnologies[.]com) and hosted hidden iframes to deliver exploit kits to visitors - though both websites quickly worked to remediate the issue, with Google confirming that the sites are no longer compromised. Other fake websites, which had previously been set up by actors to distribute trojanized cryptocurrency applications, hosted iframes and pointed visitors to the exploit kit.
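Both delivery paths described above (lookalike job-site domains in the recruiter lures, and hidden iframes injected into compromised or attacker-built sites) are things a defender can screen for. The following Python script is an added example and is not code from the article or from Google TAG; it scans a constructed HTML page for iframes that are both hidden and cross-origin, and flags hostnames that embed a recruiter brand name without being that brand's real domain. The sample page, the `.invalid` hostnames and the small brand allowlist are all constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumption, not from the article): a fintech site with a
# same-origin ticker widget, two hidden cross-origin iframes of the kind used to
# pull in an exploit kit, and one visible cross-origin partner embed.
SAMPLE_HTML = """
<html><body>
<h1>Trading platform news</h1>
<iframe src="/widgets/ticker.html" width="600" height="200"></iframe>
<iframe src="https://cdn.example-attacker.invalid/lp.html" style="display: none; width:0"></iframe>
<iframe src="https://static.example-attacker.invalid/f.html" width="1" height="1"></iframe>
<iframe src="https://www.example-partner.invalid/embed" width="300" height="150"></iframe>
</body></html>
"""

# Assumed allowlist of real recruiter domains; extend from your own intel.
LEGITIMATE_DOMAINS = {
    "indeed": {"indeed.com"},
    "ziprecruiter": {"ziprecruiter.com"},
}


class IframeCollector(HTMLParser):
    """Collects the attribute map of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append(dict(attrs))


def _style_hides(style):
    """True if an inline style makes the element invisible or zero-sized."""
    s = (style or "").lower().replace(" ", "")
    return any(m in s for m in ("display:none", "visibility:hidden", "width:0", "height:0"))


def _is_tiny(attrs):
    """True if width or height is an integer attribute of 1px or less."""
    for name in ("width", "height"):
        try:
            if int(attrs.get(name, "")) <= 1:
                return True
        except ValueError:
            pass
    return False


def find_suspicious_iframes(html, page_host):
    """Return hidden, cross-origin iframes found in html served from page_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        # a relative src stays on the page's own origin
        host = (urlparse(src).hostname or page_host).lower()
        reasons = []
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if _style_hides(attrs.get("style")):
            reasons.append("hidden by inline style")
        if _is_tiny(attrs):
            reasons.append("1px or smaller")
        if reasons and host != page_host.lower():
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is the real domain
    or contains no known brand name."""
    host = host.lower().rstrip(".")
    for brand, real_domains in LEGITIMATE_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in real_domains):
            return None
        if brand in host:
            return brand
    return None


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example-fintech.invalid"):
        print("hidden cross-origin iframe:", f["src"], "->", ", ".join(f["reasons"]))
    for h in ("indeedus.org", "ziprecruiters.org", "www.indeed.com"):
        print(h, "imitates", lookalike_brand(h))
```

Run against a crawl of your own pages to catch injected iframes early, and run `lookalike_brand` over URL hosts extracted from inbound mail; the visible partner embed and the same-origin widget in the sample are deliberately left unflagged so the check exercises both the hidden and the cross-origin condition.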
Researchers linked the attacks back to previously discovered activity clusters, including one uncovered last year that targeted security researchers working on vulnerability research. The groups have also been linked to activity previously tracked publicly as the Dream Job campaign, a series of 2020 attacks that infected several dozen companies and organizations in Israel and globally, and as the Apple Jeus operation, a 2018 campaign that impacted a number of financial organizations and global cryptocurrency exchanges, said Weidemann.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” said Weidemann. “It is possible that other North Korean government-backed attackers have access to the same exploit kit.”
Both of these previous activity clusters have been attributed to the Lazarus Group, which is an umbrella term referring to numerous North Korean operators. In a recent analysis, researchers with Mandiant pointed to a flexible intelligence apparatus in North Korea that has created multiple cyber units based on the needs of the country, with some shared resources in cyber operations that include overlaps in infrastructure, malware, and tactics, techniques and procedures.
“Mandiant believes that North Korea's cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals,” according to Mandiant. “We assess most of North Korea's cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau.”