Skip links

We blocked North Korea’s Chrome exploit, says Google

Google on Thursday described how it apparently caught and thwarted North Korea’s efforts to exploit a remote code execution vulnerability in Chrome.

The security flaw was spotted being abused in the wild on February 10, according to Googler Adam Weidemann, and there was evidence it was exploited as early as January 4. The web giant patched the bug on February 14. Exploiting the bug clears the way to compromise a victim’s browser and potentially take over their computer to spy on them.

We’re told two North Korean government teams used the vulnerability to target organizations in the worlds of news media, IT and internet infrastructure, cryptocurrencies, and fintech in America, though it is possible there were other industries and countries in the groups’ sights.

These two Pyongyang-backed crews were previously tracked under the names Operation Dream Job and Operation AppleJeus. Google suspects the pair were acting on behalf of the same entity, as both used the same exploit code, though their targets and deployment techniques differed.

Operation Dream Job, we’re told, targeted individuals working at major news organizations, domain registrars, hosting providers, and software vendors. The team masqueraded as recruiters, emailing marks bogus details of roles at Google, Oracle, and Disney, with links to websites designed to look like Indeed, ZipRecruiter and DisneyCareers. Once on the site, visitors were served a hidden iframe that exploited the browser bug to achieve arbitrary code execution.

The second team, Operation AppleJeus, targeted people in the cryptocurrency and fintech business, involved setting up spoof websites that hosted the exploit code as well as putting it in a hidden iframe on two compromised fintech websites. 

The exploit itself used JavaScript to build a system fingerprint, and then triggered the vulnerability when an unknown set of conditions were met. 

If remote code execution is successful, some JavaScript requests the next stage in the attack: a browser sandbox escape to gain further access to the machine running Chrome. After that, the trail went cold. “Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages,” Weidemann explained in a technical write-up that includes indicators of compromise.

We’re told the North Koreans ensured the iframes only appeared at specific times, and sent unique links to victims that potentially expired after a single activation. The AES algorithm was used to encrypt each step, and it stopped trying to serve additional stages if one failed. 

Weidemann also said that while Google only recovered the materials for exploiting the Chrome remote code execution hole, it found evidence that the attackers also checked for Safari on macOS and Firefox, and in those cases directed them to specific pages. Yet again, a cold trail: those links were already dead when Google investigated. 

The patch that closed the vulnerability in question was released for Chromium on Valentine’s Day, and Google noted that the North Koreans made multiple exploitation attempts in the days immediately following. That, Weidemann said, “stresses the importance of applying security updates as they become available.” ®