News

Microsoft Security Researchers Discover Chromium Vulnerability

Microsoft last week disclosed a sophisticated cyber campaign by a North Korean threat actor exploiting a zero-day vulnerability in the Chromium browser.

The vulnerability, designated CVE-2024-7971, was exploited in the wild to gain remote code execution on the machines of targets in the cryptocurrency sector, for financial gain. Microsoft attributes the attacks to a North Korean threat actor it tracks as Citrine Sleet, while noting overlap with a second North Korean group, Diamond Sleet.

"Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet," wrote Microsoft. "We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors."

CVE-2024-7971 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine inside Chromium, affecting versions prior to 128.0.6613.84. Microsoft's security team said it first observed the attacks, which deliver the FudModule rootkit, on Aug. 19, two days before Google shipped the fix.

How the attack functions:

  • Citrine Sleet lures targets, through social engineering, to the attacker-controlled domain voyagorclub[.]space, where the CVE-2024-7971 exploit achieves remote code execution inside the browser's renderer and loads shellcode containing a Windows sandbox escape and the FudModule rootkit directly into memory.
  • The sandbox escape exploits CVE-2024-38106, a Windows kernel elevation-of-privilege flaw that Microsoft had already fixed in its Aug. 13 security update, six days before this activity was observed.
  • On systems that had not yet applied that kernel patch, the escape succeeds and the full FudModule rootkit is loaded and run with kernel-level access.

According to Microsoft, the FudModule rootkit gives the group deep access to compromised systems by tampering with Windows kernel objects to disable security sensors, effectively bypassing endpoint defenses. The rootkit has been used since 2021 by Diamond Sleet, another North Korean group, which leads Microsoft to believe the two groups share tooling and infrastructure.

Citrine Sleet, a North Korean state-sponsored group, has primarily targeted financial institutions, particularly in the cryptocurrency space. The group is known for its extensive reconnaissance and use of social engineering tactics to lure victims. These tactics often involve creating fake cryptocurrency trading platforms and distributing malware through seemingly legitimate apps.

Google patched CVE-2024-7971 on Aug. 21, and users are advised to update Chrome and other Chromium-based browsers (Edge, Brave, Opera and the like, which ship the fix under their own version numbers) immediately. This is the third V8 type confusion bug exploited in the wild and patched this year, following CVE-2024-4947 and CVE-2024-5274.
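The following is an added example, not code from the article or from Microsoft: a small Python triage script of the kind an incident responder would run after this disclosure. It compares each endpoint's Chromium build against the fixed 128.0.6613.84 (numerically, since a string compare of dotted versions is wrong) and sweeps proxy logs for the exploit domain named above, matching the domain and its subdomains but not lookalikes. The inventory and log formats, host names and log lines are constructed for illustration; only the fixed build number and the domain come from the article. Browsers such as Edge report their own version line, so map those to a Chromium build before feeding them in.

```python
"""Triage helper for CVE-2024-7971 exposure (added example; constructed data)."""
from __future__ import annotations

from urllib.parse import urlsplit

# From the article: first fixed Chromium build, and the exploit domain (defanged there).
FIXED_CHROMIUM = (128, 0, 6613, 84)


def refang(ioc: str) -> str:
    """Turn a defanged indicator like voyagorclub[.]space back into a usable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


EXPLOIT_DOMAIN = refang("voyagorclub[.]space")


def parse_version(version: str) -> tuple[int, ...]:
    """'127.0.6533.120' -> (127, 0, 6533, 120). Numeric, so 128.0.6613.9 < 128.0.6613.84."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: tuple[int, ...] = FIXED_CHROMIUM) -> bool:
    """True if the build is older than the fixed build (shorter tuples are zero-padded)."""
    v = parse_version(version)
    width = max(len(v), len(fixed))
    return v + (0,) * (width - len(v)) < tuple(fixed) + (0,) * (width - len(fixed))


def host_matches(url_or_host: str, domain: str) -> bool:
    """Match the domain or any subdomain; a lookalike such as notvoyagorclub.space must not match."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed sample data (assumed formats; not from the article).
INVENTORY = """\
host,chromium_version
ws-01,127.0.6533.120
ws-02,128.0.6613.84
ws-03,128.0.6613.119
ws-04,128.0.6613.9
"""

PROXY_LOG = """\
2024-08-19T10:02:11Z ws-01 GET https://voyagorclub.space/
2024-08-19T10:02:12Z ws-01 GET https://cdn.voyagorclub.space/app.js
2024-08-19T11:15:40Z ws-02 GET https://www.voyagorclub.space/login
2024-08-19T12:00:00Z ws-03 GET https://notvoyagorclub.space/
2024-08-19T12:30:00Z ws-04 GET https://example.com/
"""


def triage(inventory: str, proxy_log: str) -> dict[str, str]:
    """Cross the version inventory with proxy contacts to the exploit domain.

    'likely_exploited' means a vulnerable browser reached the exploit domain; the
    sandbox escape additionally needs an unpatched CVE-2024-38106, so check the
    August kernel update and hunt for FudModule on those hosts.
    """
    vulnerable: dict[str, bool] = {}
    for line in inventory.strip().splitlines()[1:]:   # skip the header row
        host, version = line.split(",", 1)
        vulnerable[host] = is_vulnerable(version)

    contacted: set[str] = set()
    for line in proxy_log.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                                  # malformed line; ignore
        host, url = fields[1], fields[3]
        if host_matches(url, EXPLOIT_DOMAIN):
            contacted.add(host)

    verdicts: dict[str, str] = {}
    for host, vuln in vulnerable.items():
        if host in contacted and vuln:
            verdicts[host] = "likely_exploited"
        elif host in contacted:
            verdicts[host] = "contacted_patched_browser"
        elif vuln:
            verdicts[host] = "vulnerable_no_contact"
        else:
            verdicts[host] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY, PROXY_LOG).items()):
        print(f"{host}: {verdict}")
```

The "contacted_patched_browser" verdict is still worth a look: the user was successfully lured to the exploit site, and a patched renderer only blocks this particular chain, not the next lure from the same campaign.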

Microsoft also recommends that users employ cloud-based protections, like Microsoft Defender Antivirus and Microsoft Defender for Endpoint, for further protection and constant monitoring.

As with any nation-state threat, Microsoft has directly notified affected or targeted customers, providing them with the information needed to secure their environments. The company said it will continue to monitor the situation and provide additional details as they emerge.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
