Summary:
North Korean actors used a recently patched vulnerability in Google Chrome and other Chromium-based browsers as a zero-day to deliver the FudModule rootkit. Exploitation of the now-fixed CVE-2024-7971 has been attributed to the threat group Citrine Sleet, which is assessed to be a sub-cluster of the North Korean Lazarus Group. By chaining CVE-2024-7971 into full system compromise, the group gains a new way to reach and take over victims' cryptocurrency holdings.
About The Threat Actors
Citrine Sleet is also tracked as UNC4736, AppleJeus, Labyrinth Chollima, and Nickel Academy. It is assessed to be a sub-cluster of the Lazarus Group (tracked as Diamond Sleet by Microsoft and Hidden Cobra by the US government). Based in North Korea, Citrine Sleet mainly targets financial institutions for financial gain, in particular organisations and individuals who manage cryptocurrency.
Intro to CVE-2024-7971
A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, known as CVE-2024-7971, affects Chromium versions lower than 128.0.6613.84. Threat actors may be able to obtain RCE in the sandboxed Chromium renderer process by taking advantage of the vulnerability.
Microsoft Overview on the Attack
Microsoft said in a report released on Friday that it had observed Citrine Sleet, a North Korean threat actor, exploiting the vulnerability the previous week. The group's usual tradecraft is to build fake websites posing as legitimate cryptocurrency trading platforms; the cryptocurrency industry is its primary target, and money its primary goal. Through fake trading applications, weaponised wallets, or fake job applications, the attackers gain a foothold on victims' systems.
CVE-2024-38106
CVE-2024-7971 gave the attackers remote code execution inside the sandboxed Chromium renderer process. From there, they used the browser to fetch and run an exploit for CVE-2024-38106, a privilege-escalation vulnerability in the Windows kernel, to escape the sandbox. With SYSTEM privileges in hand, they loaded the FudModule rootkit directly into memory, where it modifies kernel objects to disable security mechanisms.
What is the FudModule Rootkit?
FudModule is a sophisticated data-only rootkit whose goal is kernel-level tampering while evading detection. Threat actors have used FudModule to establish admin-to-kernel access on Windows systems: it obtains kernel read and write primitives and uses them for direct kernel object manipulation (DKOM), patching kernel structures in memory rather than loading a malicious driver.
CVE-2024-38106 had already been fixed in Microsoft's August 2024 security update, released on 13 August, before Microsoft observed Citrine Sleet using it on 19 August. Exploitation of the same kernel bug by more than one party could point to a "bug collision", in which different threat actors independently find the same vulnerability, or it could mean that one vulnerability researcher shared details of the bug with several actors.
“To compromise a target, the CVE-2024-7971 exploit chain depends on several components, and this attack chain fails if any of these components—including CVE-2024-38106—are blocked,”
The Microsoft Team
Taken together, these findings show that North Korean actors continue to target high-value economic sectors for financial gain.
A Word Of Wisdom
Patching in response to zero-day exploits is necessary but not sufficient: defenders also need security tooling with visibility across the whole attack chain, so that malicious activity and post-compromise attacker tooling such as FudModule can be detected and blocked even when one stage of the chain succeeds.
As per Microsoft:
- Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at version 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
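The version thresholds above are easy to get wrong in an inventory script, because dotted build numbers must be compared component by component rather than as strings ("128.0.6613.9" sorts after "128.0.6613.84" lexically but is the older, still-vulnerable build). The following is an added example, not code from the article or from Microsoft: it parses browser versions numerically and checks them against the fixed Chrome and Edge versions quoted above. The Windows registry lookup assumes the `BLBeacon\version` keys that the Chrome and Edge installers write under HKCU/HKLM; that path is an assumption and the check degrades to a pure version comparison elsewhere.

```python
"""Check whether an installed Chromium-based browser is at or above the build
that fixes CVE-2024-7971.  Added example; not code from the article or from Microsoft.
"""
import platform
import re
from typing import Optional, Tuple

# Fixed versions as quoted in the advisory text: Chrome 128.0.6613.84, Edge 128.0.2739.42.
FIXED_VERSIONS = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '128.0.6613.84' into (128, 0, 6613, 84).

    Components are compared as integers; comparing the raw strings would rank
    '128.0.6613.9' above '128.0.6613.84' and mark a vulnerable build as fixed.
    Short versions are padded with zeros so '128.0' equals '128.0.0.0'.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted version string: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(browser: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed version for CVE-2024-7971."""
    fixed = FIXED_VERSIONS[browser.lower()]
    return parse_version(installed) >= parse_version(fixed)


def installed_version_windows(browser: str) -> Optional[str]:
    """Read the installed browser version from the Windows registry.

    Returns None when not running on Windows or when the key is absent.
    Assumption: the installers record the version under <vendor>\\<browser>\\BLBeacon.
    """
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows

    key_paths = {
        "chrome": r"Software\Google\Chrome\BLBeacon",
        "edge": r"Software\Microsoft\Edge\BLBeacon",
    }
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, key_paths[browser.lower()]) as key:
                value, _ = winreg.QueryValueEx(key, "version")
                return str(value)
        except OSError:
            continue
    return None


def report(browser: str, installed: Optional[str]) -> str:
    """One-line status for an inventory report."""
    if installed is None:
        return f"{browser}: not installed or version not found"
    state = "patched" if is_patched(browser, installed) else "VULNERABLE to CVE-2024-7971"
    return f"{browser}: {installed} ({state}; fixed in {FIXED_VERSIONS[browser.lower()]})"


if __name__ == "__main__":
    # On a Windows host this reads the real installed versions; elsewhere it
    # falls back to constructed sample values to show the two outcomes.
    samples = {"chrome": "128.0.6613.9", "edge": "128.0.2739.42"}  # constructed
    for name in FIXED_VERSIONS:
        version = installed_version_windows(name) or samples[name]
        print(report(name, version))
```

Run it as a scheduled inventory task, or lift `is_patched` into whatever endpoint-management tooling you already have; the important part is the numeric comparison in `parse_version`.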