Submitted URL: https://t.co/8lJFwsBe3n
Effective URL: https://threatpost.com/google-chrome-zero-day-bugs-exploited-weeks-ahead-of-patch/179103/?utm_source=twitter&utm_medium...
GOOGLE CHROME ZERO-DAY BUGS EXPLOITED WEEKS AHEAD OF PATCH

Author: Elizabeth Montalbano
March 25, 2022 9:19 am
3 minute read

Two separate campaigns from different threat actors targeted users with the same
exploit kit for more than a month before Google fixed an RCE flaw found in
February.

North Korean threat actors exploited a remote code execution (RCE) zero-day
vulnerability in Google’s Chrome web browser weeks before the bug was discovered
and patched, according to researchers.

Google Threat Analysis Group (TAG) discovered the flaw, tracked as
CVE-2022-0609, on Feb. 10, reporting and patching it four days later as part of
an update. Researchers said at the time that an exploit for the flaw, a
use-after-free vulnerability in Chrome’s animation component, already existed in
the wild.

Google TAG now revealed it believes two threat groups—the activity of which has
been publicly tracked as Operation Dream Job and Operation AppleJeus,
respectively—exploited the flaw as early as Jan. 4 in “campaigns targeting U.S.
based organizations spanning news media, IT, cryptocurrency and fintech
industries,” according to a blog post published Thursday by Google TAG’s Adam
Weidemann. Other organizations and countries may also have been targeted, he
said.

“One of the campaigns has direct infrastructure overlap with a campaign
targeting security researchers which we reported on last year,” he wrote. In
that campaign, hackers linked to North Korea used an elaborate
social-engineering campaign to set up trusted relationships with security
researchers with the ultimate goal of infecting their organizations’ systems
with custom backdoor malware.

The two groups, though separate, used the same exploit kit in their campaigns,
which signals that they may work for the same entity with a shared supply chain.
However, “each operate with a different mission set and deploy different
techniques,” Weidemann said. It’s also possible that other North Korean
government-backed attackers have access to the same kit, he added.


TWO CAMPAIGNS, ONE EXPLOIT

Researchers revealed specific details about both Operation Dream Job and
Operation AppleJeus in the post. The former targeted more than 250 individuals
working for 10 different news media, domain registrars, web hosting providers
and software vendors.

“The targets received emails claiming to come from recruiters at Disney, Google
and Oracle with fake potential job opportunities,” Weidemann explained. “The
emails contained links spoofing legitimate job-hunting websites like Indeed and
ZipRecruiter.”

If victims clicked on the link, they would be served a hidden browser iframe
that would trigger the exploit kit, he wrote. Fake job domains owned by
attackers that were used in the campaign included: disneycareers[.]net,
find-dreamjob[.]com, indeedus[.]org, varietyjob[.]com, and ziprecruiters[.]org.

Exploitation URLs associated with Operation Dream Job used in the campaign
included: https[:]//colasprint[.]com/about/about.asp, a legitimate but
compromised website; and https[:]//varietyjob[.]com/sitemap/sitemap.asp.

Operation AppleJeus, the work of a separate North Korean threat group, targeted
more than 85 users in the cryptocurrency and fintech industries using the same
exploit kit.

Attackers compromised at least two legitimate fintech company websites to host
hidden iframes that served the exploit kit to visitors to the site, researchers
revealed. Google TAG also observed fake websites, already set up to distribute
trojanized cryptocurrency applications, that hosted malicious iframes pointing
their visitors to the exploit kit, Weidemann wrote.

Attacker-owned websites observed in Operation AppleJeus included a dozen sites,
among them blockchainnews[.]vip, financialtimes365[.]com and giantblock[.]org,
according to the post.


EXPLOIT KIT REVEALED (PARTIALLY)

Researchers managed to recover key aspects of the functionality of the exploit
kit used in both campaigns, which employed multiple stages and components to
target users. Links to the exploit were placed in hidden iframes on websites
that attackers either owned or had previously compromised, Weidemann wrote.
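Both campaigns delivered the kit through hidden iframes on compromised or attacker-owned pages, so a simple defender-side check is to flag iframes that are both concealed (zero size, display:none, off-screen) and cross-origin. The following Python is an added example, not code from the article or from Google TAG; the sample HTML and the `kit.example` hostnames are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns that hide an element without removing it from the DOM
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d+",
    re.I,
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 px (a 'pixel' iframe)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, page_url):
    """Return iframes that are hidden AND load from a host other than the page's."""
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if not host or host == page_host:
            continue  # relative or same-origin frames are not the pattern here
        reasons = []
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-by-style")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a fintech page with two legitimate frames and two concealed,
# cross-origin frames of the kind described in the article.
PAGE_URL = "https://fintech.example/news"
SAMPLE_HTML = """
<iframe src="https://fintech.example/widget" width="600" height="400"></iframe>
<iframe src="https://kit.example/about/about.asp" width="0" height="0" style="border:0"></iframe>
<iframe src="https://videos.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://kit2.example/sitemap/sitemap.asp" style="position:absolute; left:-9999px; top:0"></iframe>
<iframe src="/local-help" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, PAGE_URL):
        print(f)
```

Run against a crawl of your own sites, the check is a cheap tripwire for a compromised page; it does not detect same-origin injection or frames created dynamically by script.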

“The kit initially serves some heavily obfuscated javascript used to fingerprint
the target system,” he explained. “This script collected all available client
information such as the user-agent, resolution, etc. and then sent it back to
the exploitation server.”

If the data sent to the server met a set of unknown requirements, the client
would be served a Chrome RCE exploit and some additional JavaScript. If the RCE
was successful, the JavaScript would request the next stage, referenced within
the script as “SBX,” a common acronym for sandbox escape.

Researchers were unable to recover the stages of exploit that followed the
initial RCE because attackers took care to protect their exploits, deploying
various safeguards, Weidemann said.

Those tactics included serving the iframe only at specific times, presumably
when attackers knew an intended target would be visiting the site, he said. In
some email campaigns, attackers also sent targets links with unique IDs that
potentially were used to enforce a one-time-click policy for each link, so that
the exploit kit would be served only once, Weidemann said.

Attackers also used Advanced Encryption Standard (AES) encryption with a
session-specific key for each stage, and for the clients’ responses. Finally,
each additional stage of the exploit was served only if the previous one had
succeeded; if not, the next stage was withheld, researchers found.
