
North Korean Hackers Actively Exploiting Chromium RCE Zero-Day In The Wild


Chromium is the foundation of many popular web browsers, including Google Chrome and Microsoft Edge, which is exactly what makes a single Chromium bug so lucrative for attackers: one working exploit reaches a very large installed base.

Cybersecurity analysts at Microsoft recently discovered that North Korean hackers have been actively exploiting a Chromium RCE zero-day in the wild.

On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability, tracked as CVE-2024-7971, in the V8 JavaScript engine used by Chromium-based browsers. The exploit provides remote code execution (RCE) inside the sandboxed Chromium renderer process.

Based on the observed tradecraft, infrastructure, and tooling, Microsoft attributed this activity to the North Korean threat actor it tracks as “Citrine Sleet.”

The FudModule rootkit deployed in this campaign has previously been attributed to another North Korean group, Diamond Sleet.

However, Microsoft has already reported shared infrastructure and tooling between the two groups, so FudModule is most likely shared between Diamond Sleet and Citrine Sleet rather than exclusive to either.

Technical analysis

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript engine. It affects all Chromium versions earlier than 128.0.6613.84.

Google released a fix for CVE-2024-7971 on August 21, 2024, so all users should make sure they are running the latest build of their Chromium-based browser.

CVE-2024-7971 is the third exploited type confusion vulnerability patched in V8 this year, after CVE-2024-4947 and CVE-2024-5274.

Citrine Sleet is a North Korean threat actor that, as tracked by Microsoft, primarily targets financial institutions, in particular organizations and individuals managing cryptocurrency, in order to generate revenue for the North Korean government.

The group performs extensive reconnaissance of the cryptocurrency industry and runs phishing campaigns built around fake cryptocurrency exchange websites.

Citrine Sleet's primary tool is the AppleJeus trojan, which collects the information the group needs to seize control of its targets' cryptocurrency assets.

In this campaign, after gaining RCE in the renderer, Citrine Sleet used a sandbox escape exploit for CVE-2024-38106, a Windows kernel vulnerability that Microsoft patched on August 13, 2024, to escalate privileges, execute code in the kernel, and install the FudModule rootkit.

The rootkit uses direct kernel object manipulation (DKOM) techniques to disable kernel security mechanisms, relying on the kernel read/write primitive obtained from the exploit to tamper with kernel structures.

According to Microsoft's report, Citrine Sleet is tracked by other security vendors under different names, including AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea's Reconnaissance General Bureau.

FudModule is a sophisticated rootkit that attempts to gain kernel-level access while evading detection.

Since October 2021, Diamond Sleet has used FudModule to gain admin-to-kernel access by loading known vulnerable drivers (a bring-your-own-vulnerable-driver, or BYOVD, technique).

A newer FudModule variant instead exploited an admin-to-kernel zero-day in the Windows AppLocker driver, appid.sys (CVE-2024-21338); the attack chain that delivered this variant used the Kaolin RAT.

On August 13, 2024, Microsoft also released a security update for a zero-day vulnerability in AFD.sys (CVE-2024-38193) that Diamond Sleet had exploited together with the FudModule rootkit.

Recommendations

Microsoft's recommendations for defending against this activity:

  • Keep operating systems and browsers up to date (Chrome 128.0.6613.84 or later, Edge 128.0.2739.42 or later).
  • Use browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites.
  • Enable tamper protection, network protection, and EDR in block mode in Microsoft Defender for Endpoint.
  • Turn on automated investigation and remediation in Defender for Endpoint so alerts are acted on immediately.
  • Enable cloud-delivered protection, real-time protection, and file scanning in Microsoft Defender Antivirus.
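To make the first recommendation checkable at scale, here is an added Python example (not code from the article or from Microsoft) that compares installed browser versions, as you would export them from an asset inventory, against the minimum fixed builds quoted above. The inventory, host names and the `unpatched_hosts` helper are constructed for illustration; the fixed-build numbers are the ones in the list.

```python
"""Compare Chromium-based browser versions against the minimum fixed builds.

Added example; the inventory below is constructed, and the fixed-build numbers
are the Chrome and Edge builds quoted in the recommendations (CVE-2024-7971 fix).
"""
import re
from typing import Dict, List, Tuple

# Minimum builds carrying the CVE-2024-7971 fix, keyed by product name.
MIN_FIXED: Dict[str, str] = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version string into a 4-tuple of ints.

    Numeric comparison matters: as strings, "128.0.6613.9" sorts AFTER
    "128.0.6613.84", which would mark an unpatched build as patched.
    Shorter strings are zero-padded so "128.0" == "128.0.0.0".
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_patched(product: str, version: str) -> bool:
    """True if `version` of `product` is at or above the minimum fixed build."""
    key = product.lower()
    if key not in MIN_FIXED:
        raise KeyError(f"no fixed-build baseline for {product!r}")
    return parse_version(version) >= parse_version(MIN_FIXED[key])


def unpatched_hosts(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every browser install still below the fix.

    Unknown products and unparsable versions are reported as unpatched rather
    than silently skipped: an install whose version cannot be verified is not
    one you can call safe.
    """
    findings = []
    for entry in inventory:
        host, product, version = entry["host"], entry["product"], entry["version"]
        try:
            patched = is_patched(product, version)
        except (KeyError, ValueError):
            patched = False
        if not patched:
            findings.append((host, product, version))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "chrome", "version": "128.0.6613.84"},   # fixed build
    {"host": "ws-02", "product": "chrome", "version": "128.0.6613.9"},    # older, but "newer" as a string
    {"host": "ws-03", "product": "edge",   "version": "127.0.2651.105"},  # previous major version
    {"host": "ws-04", "product": "edge",   "version": "128.0.2739.42"},   # fixed build
    {"host": "ws-05", "product": "chrome", "version": "n/a"},             # agent failed to read the version
]

if __name__ == "__main__":
    for host, product, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed build")
```

The point of `parse_version` is the string-comparison trap: a naive `version >= "128.0.6613.84"` check on strings passes `128.0.6613.9`, which is still vulnerable. Feed the script your own inventory export in place of `SAMPLE_INVENTORY`.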

IoCs

  • voyagorclub[.]space
  • weinsteinfrog[.]com
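As an added example of putting these indicators to use (not code from the article or from Microsoft), the following Python refangs the defanged domains and hunts for them in DNS and proxy log lines. The log lines and their key=value format are constructed; the `hunt`, `refang` and `domain_matches` helpers are this example's own. Matching is by domain and subdomain, so `cdn.voyagorclub[.]space` is a hit while a look-alike such as `notweinsteinfrog[.]com` is not.

```python
"""Hunt for the article's IoC domains in DNS / proxy logs.

Added example; the log lines below are constructed and the log format is an
assumed key=value style, not any particular product's output.
"""
import re
from typing import List, Tuple

# Defanged indicators exactly as listed in the article.
IOC_DOMAINS = ["voyagorclub[.]space", "weinsteinfrog[.]com"]

# Candidate host names: two or more dot-separated labels ending in an alphabetic TLD.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a usable one."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def domain_matches(candidate: str, ioc: str) -> bool:
    """True if candidate is the IoC domain itself or any subdomain of it.

    A plain substring test would also flag look-alikes such as
    'notweinsteinfrog.com'; requiring a label boundary ('.' + ioc) avoids that.
    """
    candidate = candidate.lower().rstrip(".")
    return candidate == ioc or candidate.endswith("." + ioc)


def hunt(lines: List[str], indicators: List[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line_number, host_seen, ioc_matched) for each IoC hit in `lines`."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in _HOST_RE.findall(line):
            for ioc in iocs:
                if domain_matches(host, ioc):
                    hits.append((lineno, host.lower(), ioc))
    return hits


# Constructed sample log lines (hypothetical hosts, addresses and timestamps).
SAMPLE_LOG = [
    "2024-08-20T09:12:01Z dns client=10.0.4.21 qtype=A name=weinsteinfrog.com",
    "2024-08-20T09:12:02Z proxy client=10.0.4.21 GET https://cdn.voyagorclub.space/update.bin 200",
    "2024-08-20T09:13:10Z dns client=10.0.4.22 qtype=A name=notweinsteinfrog.com",
    "2024-08-20T09:14:00Z dns client=10.0.4.23 qtype=A name=www.microsoft.com",
]

if __name__ == "__main__":
    for lineno, host, ioc in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {host} matches IoC {ioc}")
```

Pipe real DNS or proxy exports into `hunt` a line at a time; the host regex is deliberately loose so it works on unstructured log text, and `domain_matches` carries the precision.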
