North Korean cyber attack group exploits Chromium vulnerability to steal cryptocurrency, vulnerability has been fixed



The Microsoft Security Response Center, which researches various vulnerabilities and exploits, has reported that the North Korean cyber attack group 'Citrine Sleet (UNC4736)' has exploited the vulnerability 'CVE-2024-7971' in the Chromium browser engine as a zero-day to achieve remote code execution. Citrine Sleet is believed to have targeted organizations such as financial institutions with the aim of stealing virtual currency.

North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/



North Korean hackers exploited Chrome zero-day to steal crypto | TechCrunch
https://techcrunch.com/2024/08/30/north-korean-hackers-exploited-chrome-zero-day-to-steal-crypto/



North Korean hackers exploit Chrome zero-day to deploy rootkit
https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-to-deploy-rootkit/

CVE-2024-7971 is a type confusion vulnerability in V8, the JavaScript engine used in Chromium-based browsers, that was exploited as a zero-day. An attacker who triggers it can crash the browser or execute arbitrary code on the device.

CVE-2024-7971 was fixed in the Chrome security update released on August 21, 2024 (version 128.0.6613.84). However, the Microsoft Security Response Center found evidence of attacks exploiting CVE-2024-7971 on August 19, 2024, two days before the fix was released.
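Because the fix is tied to a specific Chrome build, the practical defender's check is whether every installed copy is at or above 128.0.6613.84. The following is an added example written for this page, not code from Microsoft, Google or any of the cited articles: it parses Chrome version strings numerically (a plain string comparison would wrongly rank build 119 below build 84) and triages a constructed host inventory against the patched version.

```python
# Added example: triage Chrome versions against the CVE-2024-7971 fix.
# The patched version comes from the page; the inventory below is constructed.

PATCHED_CHROME_VERSION = "128.0.6613.84"  # Chrome security update of August 21, 2024


def parse_version(version):
    """Turn '128.0.6613.84' into (128, 0, 6613, 84); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, patched=PATCHED_CHROME_VERSION):
    """True if the installed build is the patched build or newer.

    Comparison is done on integer tuples so that 128.0.6613.119 correctly
    ranks above 128.0.6613.84. Shorter strings are zero-padded so that a
    truncated '128.0.6613' is treated as 128.0.6613.0 (i.e. still vulnerable).
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage_inventory(inventory):
    """Return [(host, version, status)] with status patched / VULNERABLE / unknown."""
    results = []
    for host, version in inventory:
        try:
            status = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            status = "unknown"  # unparsable entry: needs manual follow-up
        results.append((host, version, status))
    return results


def vulnerable_hosts(inventory):
    """Convenience: just the host names that still need the update."""
    return [host for host, _, status in triage_inventory(inventory) if status == "VULNERABLE"]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-01", "128.0.6613.84"),    # exactly the patched build
    ("ws-02", "127.0.6533.120"),   # older major version
    ("ws-03", "128.0.6613.119"),   # later build of the patched branch
    ("ws-04", "not-installed"),    # unparsable inventory entry
    ("ws-05", "128.0.6613"),       # truncated string, treated as .0
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:<6} {version:<16} {status}")
```

The check applies only to Google Chrome's own version numbers; other Chromium-based browsers (Edge, Brave and so on) ship their own version strings and picked up the V8 fix in their own releases, so their inventory needs to be mapped to the Chromium version they embed before this comparison is meaningful.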

The Microsoft Security Response Center reports that 'we conclude with medium confidence that the attacker is Citrine Sleet.' Citrine Sleet is a cyber attack group associated with the 121st Bureau of the Reconnaissance General Bureau of North Korea. It targets financial institutions and individuals who manage virtual currencies, tricking them into visiting fake sites and installing fake trading apps that pose as virtual currency trading platforms, and then stealing their assets.



In this attack, Citrine Sleet lures the victim to a fake page. When the victim accesses the fake page, the CVE-2024-7971 exploit is used to force the victim's device to run a rootkit called 'FudModule'. This rootkit modifies the kernel to avoid detection by various security software, and allows data on the device to be uploaded to an external server without the victim's knowledge.

The Microsoft Security Response Center said it had notified 'customers who were targeted and compromised,' but did not provide details on who was targeted or the scale of damage caused by the Citrine Sleet attack. A Google spokesperson told TechCrunch, an IT news site, that they could not comment beyond the fact that CVE-2024-7971 had been fixed.

According to BleepingComputer, a news site specializing in security information, one of the organizations targeted in this Citrine Sleet attack had previously been targeted by another North Korea-linked cyber attack group, BlueNoroff.

in Security, Posted by log1i_yk