“North Korean Cyber Threat: Exploiting Zero-Day Flaws in Google Chrome and Windows to Deploy FudModule Rootkit”
North Korean Cyber Tactics: Analyzing the Zero-Day Exploit of CVE-2024-7971 and Its Impact on Global Cybersecurity
A recently patched security flaw in Google Chrome and other Chromium-based web browsers was exploited as a zero-day by North Korean actors in a campaign aimed at delivering the FudModule rootkit. The incident underscores the persistence of this nation-state adversary, which has incorporated a series of Windows zero-day exploits into its operations over recent months.
On August 19, 2024, Microsoft's Threat Intelligence team detected suspicious activity attributed to a threat actor tracked as Citrine Sleet. This group, which has also been reported under the names AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736, is believed to be a subset of the Lazarus Group. Notably, Kaspersky has previously linked the AppleJeus malware to another Lazarus subgroup, BlueNoroff, highlighting the shared infrastructure and toolsets among these groups.
Citrine Sleet, based in North Korea, primarily targets financial institutions, with a particular focus on the cryptocurrency sector. Its typical modus operandi involves thorough reconnaissance of the industry and of individuals connected to it. By setting up counterfeit websites that mimic legitimate cryptocurrency trading platforms, the group lures unsuspecting users into installing weaponized cryptocurrency wallets or trading applications, which are then used to steal digital assets.
The recent zero-day attack by Citrine Sleet leveraged CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Luring a victim to a crafted web page is enough to trigger the flaw, giving the attacker code execution inside the Chromium renderer process; because the renderer is sandboxed, a second vulnerability is needed to reach the rest of the system. Google patched the flaw on August 21, 2024, with the Chrome 128 release (128.0.6613.84).
CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google has addressed this year, following CVE-2024-4947 and CVE-2024-5274. The exact scope and targets of the attacks remain unclear; what is known is that victims were directed, likely through social engineering, to a malicious website named voyagorclub[.]space. The site served an exploit for CVE-2024-7971, which in turn delivered shellcode containing an exploit for CVE-2024-38106, a Windows kernel privilege-escalation flaw used here as the sandbox escape, followed by the FudModule rootkit.
The rootkit gives attackers admin-to-kernel access on Windows systems, which it uses to perform direct kernel object manipulation (DKOM), that is, to rewrite kernel data structures in order to disable or evade security mechanisms. Interestingly, the exploitation of CVE-2024-38106 occurred after Microsoft had already fixed it in its August 2024 Patch Tuesday update. This points to a possible "bug collision," in which different threat actors independently discover the same vulnerability or share knowledge of it, and it is a reminder that an available patch protects only the hosts that have actually installed it.
Moreover, CVE-2024-7971 is just one of several vulnerabilities that North Korean threat actors have exploited this year to deploy the FudModule rootkit. Others include CVE-2024-21338 and CVE-2024-38193, privilege-escalation flaws in the built-in Windows drivers appid.sys and afd.sys, which Microsoft patched in February and August 2024, respectively.
The length of the CVE-2024-7971 exploit chain highlights a critical point: every link is necessary, so the attack fails if any one of them is blocked, whether that is the V8 bug, the CVE-2024-38106 sandbox escape, or the loading of the rootkit itself. This underscores the need not only to keep browsers and operating systems up to date, and to install those updates promptly, but also to employ security tooling with visibility across all stages of an intrusion, so that post-exploitation activity and tools can be detected and blocked even when an initial exploit succeeds.
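As a concrete illustration of blocking or catching a link in that chain, here is a small triage script that is an added example and not part of the original article or of any vendor tooling. It scans web-proxy log lines for two indicators drawn from the text: requests to the lure domain voyagorclub[.]space, and Chrome clients whose major version predates the Chrome 128 fix. The log line format, the field layout, and the sample lines are assumptions constructed for the example.

```python
"""Added example (not from the original article): triage constructed proxy log
lines for two indicators tied to the CVE-2024-7971 chain:
  (1) any request to the lure domain voyagorclub[.]space named in the article;
  (2) Chrome clients whose major version predates the fix (Chrome 128).
The log format, field layout and sample lines are assumptions for illustration."""

import re
from dataclasses import dataclass

# Lure domain from the article, with the defanging brackets removed for matching.
IOC_DOMAINS = {"voyagorclub.space"}

# First Chrome major version carrying the CVE-2024-7971 fix (128.0.6613.84).
FIXED_MAJOR = 128

# Constructed sample lines. Assumed format: <ts> <client_ip> <host> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-08-19T10:02:11Z 10.1.4.23 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-19T10:02:14Z 10.1.4.23 voyagorclub.space 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-19T10:05:40Z 10.1.4.57 cdn.example.net 304 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
2024-08-19T10:06:02Z 10.1.4.88 mail.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    reason: str


def chrome_major(ua: str):
    """Return the Chrome major version from a User-Agent string, or None for
    non-Chromium clients. Since Chrome 101 the reduced UA reports
    'Chrome/<major>.0.0.0', so only the major version is trustworthy here; full
    versions must come from Client Hints or from endpoint inventory."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def triage(log_text: str):
    """Return a list of Findings for every IOC hit and every pre-fix Chrome client."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = m["host"].lower().rstrip(".")
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(Finding(m["ts"], m["ip"], f"contact with lure domain {host}"))
        major = chrome_major(m["ua"])
        if major is not None and major < FIXED_MAJOR:
            findings.append(
                Finding(m["ts"], m["ip"],
                        f"Chrome {major} predates the CVE-2024-7971 fix (Chrome {FIXED_MAJOR})")
            )
    return findings


def hosts_needing_attention(findings):
    """Client IPs that both run a pre-fix Chrome and touched the lure domain:
    those go to the top of the incident-response queue."""
    by_ip = {}
    for f in findings:
        tag = "ioc" if "lure domain" in f.reason else "version"
        by_ip.setdefault(f.ip, set()).add(tag)
    return sorted(ip for ip, tags in by_ip.items() if tags == {"ioc", "version"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.ip}: {f.reason}")
    print("priority hosts:", hosts_needing_attention(results))
```

Two caveats apply in practice. Other Chromium-based browsers (Edge, Brave, and so on) also carry a `Chrome/` token in their User-Agent and are counted here; that is appropriate, since the flaw is in V8, but each needs its own vendor's fixed release rather than Chrome 128. And because the reduced User-Agent hides everything below the major version, this check only tells you a host is on a pre-128 build; confirming the exact installed version, and whether the August 2024 Windows kernel fix for CVE-2024-38106 is present, is a job for endpoint inventory, not proxy logs.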
Prompt patching, layered defenses, and vigilance against social engineering remain the most reliable safeguards against campaigns of this sophistication.