North Korean hackers have been linked to a zero-day vulnerability in the Google Chromium web browser, with the goal of stealing cryptocurrency, according to a report from Microsoft. A zero-day vulnerability is a flaw in software that is unknown to the parties responsible for fixing or patching the software. The term "zero-day" refers to the fact that the developers have zero days to fix the issue once it is discovered.
Exploiting Chromium's Vulnerability
The flaw, now identified as CVE-2024-7971, was found in the V8 engine of the Chromium browser, which is responsible for executing JavaScript code. This vulnerability allows attackers to remotely execute code on a victim's computer, potentially leading to unauthorized data access or manipulation. This flaw was rated "high" in severity due to its potential impact.
Microsoft's Security Response Center discovered this vulnerability and alerted Google on August 19th. Google promptly patched the flaw in its latest version of Chromium, released on August 21st. However, the vulnerability had already been used by a North Korean hacking group, known under several aliases including Citrine Sleet and Hidden Cobra.
The Attack Strategy
The hackers used fake websites and job applications to trick users into downloading malicious software disguised as cryptocurrency wallets or trading applications. Once downloaded, the software would direct users to a malicious domain that exploited the Chromium vulnerability to install a rootkit called FudModule. A rootkit is a type of software that allows attackers to maintain control over a computer system without being detected.
Notably, the FudModule rootkit attempted to exploit an additional vulnerability in Windows, CVE-2024-38106, to bypass security measures and execute further attacks. This involved manipulating Windows' kernel security mechanisms, which are the core components that manage system resources and communication between hardware and software.
Microsoft's Response and Ongoing Threats
Microsoft has released an update to address the Windows vulnerability and has informed potentially affected users about the threat. The FudModule malware has been a part of multiple North Korean cyber campaigns since 2021, demonstrating the ongoing threat posed by these sophisticated attacks.
In a related campaign, North Korean hackers were found exploiting another zero-day vulnerability in the Windows Ancillary Function Driver, known as CVE-2024-38193, to deploy FudModule. These attacks often involve "bring your own vulnerable driver" (BYOVD) tactics, where attackers load a legitimately signed but vulnerable driver onto the system and exploit it to install malware with kernel-level privileges.
Broader Implications and Google's Response
The latest version of Chromium, version 128, addressed 38 security vulnerabilities, highlighting the ongoing battle against cyber threats. One of these flaws, CVE-2024-7965, was a high-risk vulnerability also in the V8 engine, which could lead to heap corruption. This had already been exploited in the wild, emphasizing the importance of prompt software updates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its catalog of known exploited vulnerabilities, setting deadlines for federal agencies to apply necessary fixes. This underscores the critical nature of cybersecurity vigilance and the importance of keeping software up to date to protect against such threats.