Google says it stopped North Korea from hacking Chrome


Google has confirmed that it has fixed a serious security flaw in its Chrome internet browser that allowed malicious actors to spy on people and potentially take control of their devices.

In a blog post, Adam Weidemann of Google's Threat Analysis Group stated that the flaw had been exploited since January XNUMX by two separate threat groups.

These two groups are tracked as Operation Dream Job and Operation AppleJeus, and both are said to have close ties to the North Korean government.

Clean tracks

According to Google, the two groups were exploiting the exact same vulnerability, but their approach, like their goals, differed. The company says that while Operation Dream Job targeted people who worked at large news organizations, domain registrars, hosting providers, and software resellers, Operation AppleJeus targeted people in the cryptocurrency and fintech gaming industries.

Their methods were also different. The former posed as recruiters, sent fake job offers for positions at Google, Oracle or Disney, and distributed links to sites that imitated Indeed, ZipRecruiter or DisneyCareers.

These sites were loaded with a hidden iframe that would exploit the flaw and allow remote code execution.

The latter also created fake sites, but in addition compromised legitimate sites and planted the weaponized iframes on them as well.

Researchers also note that the groups were careful to hide their tracks once the job was done. Once they achieved remote code execution, they attempted to gain further access on the target endpoint, after which they tried to remove any and all traces of their presence.

"Attentive to safeguarding their exploits, the attackers built in multiple protections to prevent security teams from recovering any of the stages," Weidemann writes.

Google says that the attackers would make the iframes appear "only at specific times" and that victims received unique links that expired once activated. Each stage of the attack was encrypted with AES, and if any stage failed, the entire operation stopped.

The vulnerability was patched on February XNUMX.

Via: The Register