Google’s Threat Analysis Group (TAG) has been following, tracking, and disrupting North Korea-backed hackers targeting security researchers since January 2021 – but the group still remains at large.
TAG’s researchers have said that a newly discovered campaign is very likely the work of the same hackers, and is again exploiting a zero-day vulnerability as with previous campaigns.
As ever, security researchers remain the target and Google continues to advise that researchers exercise strong security measures.
New zero-day exploit targeting security researchers
Google (for obvious reasons) has not shared specific information regarding the vulnerability, however it promises to have notified the vendor who is in the process of issuing a patch.
The warning discloses how attackers engage with victims – sometimes over months in order to build trust – before executing an attack. The process typically moves from a less restricted platform like X to an encrypted messaging service where an attacker’s anonymity can be more effectively preserved. Cybersecurity researchers typically rely on extended communities of like-minded individuals who share similar interests.
TAG confirmed: “The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.”
More broadly, TAG notifies Google which then goes on to add the untrustworthy domains to its Safe Browsing feature, which checks the sites visited by a user against a locally-stored list of known malicious domains that spread malware, phishing attacks, and more.
Chrome’s standard Safe Browsing is soon to be improved with a feature borrowed from Enhanced Safe Browsing, which promises real-time scanning to weed out even more threats – but at the expense of some privacy.
TAG added: “We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities.”
