North Korean hackers exploit Chromium zero-day vulnerability


Chromium-based web browsers such as Google Chrome and Microsoft Edge are prime targets for malicious actors because a single browser flaw reaches a very large installed base. Microsoft threat analysts recently uncovered a significant example: a North Korean threat actor actively exploiting a newly discovered zero-day vulnerability in Chromium.

The Zero-Day Vulnerability: CVE-2024-7971

On August 30, 2024, Microsoft disclosed that a North Korean threat actor group it tracks as “Citrine Sleet” had been exploiting a zero-day identified as CVE-2024-7971, with exploitation first observed on August 19, 2024. The vulnerability is a type confusion bug in the V8 JavaScript engine used by Chromium; it lets an attacker who can get a victim to load a malicious page execute code inside the sandboxed Chromium renderer process. Renderer code execution on its own stays inside the browser sandbox, so the attack chain also needed a separate sandbox escape; Microsoft reported the actor used the Windows kernel vulnerability CVE-2024-38106, patched on August 13, 2024, for that step before deploying its rootkit. CVE-2024-7971 affects all Chromium versions prior to 128.0.6613.84.

Google addressed the issue promptly, releasing a fix for CVE-2024-7971 on August 21, 2024. Users are strongly advised to update their browsers to the latest version, and to restart the browser afterwards, since a downloaded update is not active until relaunch. Notably, this is the third V8 type confusion vulnerability exploited in the wild this year, following CVE-2024-4947 and CVE-2024-5274.

Who is Citrine Sleet?

Citrine Sleet is a North Korean threat actor that primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, in order to generate revenue for the North Korean government. Its tactics include extensive reconnaissance of the cryptocurrency sector and social engineering through counterfeit cryptocurrency exchange and trading platforms.

The group’s reported interest in Japanese cryptocurrency businesses is particularly alarming, especially given its use of the AppleJeus trojan, a malicious tool designed to capture sensitive information and take control of crypto assets.

Advanced Malware: FudModule Rootkit

In conjunction with its zero-day exploits, Citrine Sleet has deployed the FudModule rootkit, which is also linked to another North Korean group known as Diamond Sleet. FudModule depends on an arbitrary kernel read/write primitive obtained from a separate driver or kernel vulnerability; once it has that primitive, it uses direct kernel object manipulation (DKOM) to tamper with kernel data structures and disable kernel security mechanisms.

Diamond Sleet has been active since at least October 2021 and has used FudModule to obtain kernel read/write access by abusing known vulnerabilities in legitimately signed drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique). The latest iteration instead exploits a vulnerability in the Windows appid.sys driver (CVE-2024-21338, patched in February 2024), in an attack chain that also deploys the Kaolin RAT.

On August 13, 2024, Microsoft issued a security update for a zero-day vulnerability in AFD.sys (CVE-2024-38193) that Diamond Sleet had been exploiting in conjunction with the FudModule rootkit.

Recommendations for Protection

Given the severity of these threats, organizations and individuals are urged to take proactive measures:

  • Keep Systems Updated: Ensure operating systems and browsers are up to date (Chrome 128.0.6613.84 or later, Edge 128.0.2739.42 or later) and that the August 2024 Windows security updates are installed, since the observed chain relied on Windows kernel flaws as well as the browser bug.
  • Utilize SmartScreen: Use browsers that support Microsoft Defender SmartScreen to block known malicious sites before the exploit page loads.
  • Enable Security Features: Turn on tamper protection, network protection, and EDR block mode in Microsoft Defender for Endpoint.
  • Automate Responses: Enable automated investigation and remediation in Microsoft Defender for Endpoint so detections are acted on without waiting for an analyst.
  • Activate Scanning: Enable cloud-delivered protection, real-time protection, and file scanning in Microsoft Defender Antivirus.
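Checking browser builds against the fixed versions sounds trivial, but string comparison gets it wrong (“128.0.6613.9” sorts after “128.0.6613.84” as text). The script below is an added example, not code from the original article or from Microsoft; the inventory records are constructed, and the fixed build numbers are those quoted in the recommendations above. It compares versions numerically and reports hosts still below the fixed build.

```python
from typing import Dict, List, Tuple

# Minimum builds that carry the CVE-2024-7971 fix, as quoted in the advisory text.
PATCHED: Dict[str, Tuple[int, ...]] = {
    "chrome": (128, 0, 6613, 84),
    "edge": (128, 0, 2739, 42),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84).

    Tuples of ints compare component by component, so '128.0.6613.9'
    correctly sorts below '128.0.6613.84' (as plain strings it would not).
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chromium version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, version: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(version) >= PATCHED[product.lower()]


# Constructed sample inventory (hostname, product, version); not real data.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "chrome", "127.0.6533.120"),   # previous major release, vulnerable
    ("ws-02", "chrome", "128.0.6613.84"),    # exactly the fixed build
    ("ws-03", "chrome", "128.0.6613.9"),     # text comparison would wrongly pass this
    ("ws-04", "edge", "128.0.2739.42"),      # exactly the fixed Edge build
    ("ws-05", "edge", "127.0.2651.105"),     # vulnerable
    ("ws-06", "chrome", "129.0.6668.58"),    # newer than the fix
]


def unpatched_hosts(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return every (host, product, version) record that is below the fixed build."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


if __name__ == "__main__":
    for host, product, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed build, update required")
```

On a Windows host the installed version can be read from the browser executable rather than from an inventory file, for example with `(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.ProductVersion` (assuming the default install path), and fed to `is_patched`.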

Indicators of Compromise (IoCs)

Microsoft has published the following domains as IoCs for this campaign (written defanged, with “[.]” in place of the dot, so they cannot be clicked by accident):

  • voyagorclub[.]space
  • weinsteinfrog[.]com
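The practical use of these IoCs is to search proxy and DNS logs for contact with the domains. Two details matter: the published values are defanged and must be normalized before matching, and matching should be done on the parsed hostname (including subdomains) rather than by grepping the whole line, or a URL path that merely contains the string would produce a false positive. The script below is an added example, not code from the original article or from Microsoft; the proxy log lines and their format are constructed for illustration.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# IoC domains exactly as published above, in defanged form.
DEFANGED_IOCS = ["voyagorclub[.]space", "weinsteinfrog[.]com"]


def refang(domain: str) -> str:
    """Undo common defanging so the value can be compared with live log data."""
    return (domain.strip().lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


IOC_DOMAINS: Set[str] = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(hostname: str) -> bool:
    """Exact or subdomain match only; 'notweinsteinfrog.com' must not match."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_DOMAINS)


# Constructed proxy log (not from the campaign). Assumed line format:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2024-08-19T10:01:12Z 10.0.0.12 GET https://www.example.com/ 200
2024-08-19T10:02:33Z 10.0.0.12 GET https://voyagorclub.space/ 200
2024-08-19T10:02:35Z 10.0.0.12 GET https://cdn.voyagorclub.space/app.js 200
2024-08-19T10:05:01Z 10.0.0.27 GET https://notweinsteinfrog.com/ 200
2024-08-19T10:06:48Z 10.0.0.27 POST https://weinsteinfrog.com/api 302
2024-08-19T10:07:00Z 10.0.0.31 GET https://example.org/voyagorclub.space 404
malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_from_url(url: str) -> str:
    """Return the hostname part of a URL (lower-cased), or '' if it has none."""
    return urlsplit(url).hostname or ""


def find_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, hostname) for each request to an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the assumed format
        host = host_from_url(m["url"])
        if domain_matches(host):
            hits.append((m["ts"], m["ip"], host))
    return hits


if __name__ == "__main__":
    for ts, ip, host in find_hits(SAMPLE_LOG):
        print(f"{ts} {ip} contacted IoC domain {host}")
```

The line `https://example.org/voyagorclub.space` is deliberately included: a naive substring search over the raw log would flag it, while hostname-based matching correctly ignores it.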

As the threat landscape continues to evolve, vigilance and proactive security measures remain crucial in defending against sophisticated attacks like those from Citrine Sleet. Prompt patching of both the browser and the operating system, together with monitoring for the published indicators, is the practical way to keep digital assets out of reach of these actors.
