We blocked North Korea's Chrome exploit, says Google

Fake Oracle and Disney job ads to lure victims is certainly an interesting choice


Google on Thursday described how it apparently caught and thwarted North Korea's efforts to exploit a remote code execution vulnerability in Chrome.

The security flaw was spotted being abused in the wild on February 10, according to Googler Adam Weidemann, and there was evidence it was exploited as early as January 4. The web giant patched the bug on February 14. Exploiting the bug clears the way to compromise a victim's browser and potentially take over their computer to spy on them.

We're told two North Korean government teams used the vulnerability to target organizations in the worlds of news media, IT and internet infrastructure, cryptocurrencies, and fintech in America, though it is possible there were other industries and countries in the groups' sights.

These two Pyongyang-backed crews were previously tracked under the names Operation Dream Job and Operation AppleJeus. Google suspects the pair were acting on behalf of the same entity, as both used the same exploit code, though their targets and deployment techniques differed.

Operation Dream Job, we're told, targeted individuals working at major news organizations, domain registrars, hosting providers, and software vendors. The team masqueraded as recruiters, emailing marks bogus details of roles at Google, Oracle, and Disney, with links to websites designed to look like Indeed, ZipRecruiter and DisneyCareers. Once on the site, visitors were served a hidden iframe that exploited the browser bug to achieve arbitrary code execution.

The second team, Operation AppleJeus, targeted people in the cryptocurrency and fintech business, involved setting up spoof websites that hosted the exploit code as well as putting it in a hidden iframe on two compromised fintech websites. 

The exploit itself used JavaScript to build a system fingerprint, and then triggered the vulnerability when an unknown set of conditions were met. 

If remote code execution is successful, some JavaScript requests the next stage in the attack: a browser sandbox escape to gain further access to the machine running Chrome. After that, the trail went cold. "Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages," Weidemann explained in a technical write-up that includes indicators of compromise.

We're told the North Koreans ensured the iframes only appeared at specific times, and sent unique links to victims that potentially expired after a single activation. The AES algorithm was used to encrypt each step, and it stopped trying to serve additional stages if one failed. 

Weidemann also said that while Google only recovered the materials for exploiting the Chrome remote code execution hole, it found evidence that the attackers also checked for Safari on macOS and Firefox, and in those cases directed them to specific pages. Yet again, a cold trail: those links were already dead when Google investigated. 

The patch that closed the vulnerability in question was released for Chromium on Valentine's Day, and Google noted that the North Koreans made multiple exploitation attempts in the days immediately following. That, Weidemann said, "stresses the importance of applying security updates as they become available." ® 


Other stories you might like

  • Demand for PC and smartphone chips drops 'like a rock' says CEO of China’s top chipmaker
    Markets outside China are doing better, but at home vendors have huge component stockpiles

    Demand for chips needed to make smartphones and PCs has dropped "like a rock" – but mostly in China, according to Zhao Haijun, the CEO of China's largest chipmaker Semiconductor Manufacturing International Corporation (SMIC).

    Speaking on the company's Q1 2022 earnings call last Friday, Zhao said smartphone makers currently have five months inventory to hand, so are working through that stockpile before ordering new product. Sales of PCs, consumer electronics and appliances are also in trouble, the CEO said, leaving some markets oversupplied with product for now. But unmet demand remains for silicon used for Wi-Fi 6, power conversion, green energy products, and analog-to-digital conversion.

    The CEO's "like a rock" comment came in the Q&A section of the call, after previous scripted remarks mentioned a "destocking phase" among SMIC clients.

    Continue reading
  • Colocation consolidation: Analysts look at what's driving the feeding frenzy
    Sometimes a half-sized shipping container at the base of a cell tower is all you need

    Analysis Colocation facilities aren't just a place to drop a couple of servers anymore. Many are quickly becoming full-fledged infrastructure-as-a-service providers as they embrace new consumption-based models and place a stronger emphasis on networking and edge connectivity.

    But supporting the growing menagerie of value-added services takes a substantial footprint and an even larger customer base, a dynamic that's driven a wave of consolidation throughout the industry, analysts from Forrester Research and Gartner told The Register.

    "You can only provide those value-added services if you're big enough," Forrester research director Glenn O'Donnell said.

    Continue reading
  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading

Biting the hand that feeds IT © 1998–2022