A joint report by AhnLab Security Emergency response Center (ASEC) and the National Cyber Security Center (NCSC) has revealed a new zero-day vulnerability (CVE-2024-38178) in Microsoft Internet Explorer (IE) being actively exploited by North Korean hackers.
The campaign, dubbed “Operation Code on Toast,” targets users of outdated toast ad programs to deliver malware.
The threat actor behind the attacks, TA-RedAnt (also known as RedEyes, ScarCruft, and APT37), has a history of targeting North Korean defectors and individuals involved in North Korean affairs.
This time, they are exploiting a vulnerability in IE’s JavaScript engine (jscript9.dll) to compromise systems running vulnerable toast ad programs.
Exploitation Methodology
TA-RedAnt has a history of targeting individuals such as North Korean defectors and experts in North Korean affairs. In this operation, they exploited a zero-day vulnerability in IE to manipulate a specific toast ad program.
These programs, often bundled with free software, render web content using WebView. If the WebView is IE-based, it becomes susceptible to IE vulnerabilities.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
The attack begins with TA-RedAnt compromising the server of a Korean online advertising agency. They then inject malicious code into the ad content script, which is subsequently downloaded and rendered by the toast ad program on the victim’s machine, reads the ASEC report.
This results in a “zero-click” attack, requiring no user interaction. Once compromised, the systems became vulnerable to various malicious activities, including remote access.
Despite Microsoft’s termination of IE support in June 2022, many Windows applications still rely on its engine, making them vulnerable. The attackers first infiltrated a Korean online advertising agency’s server.
By injecting malicious code into the server’s ad content script, they triggered a zero-click attack—requiring no user interaction—when the toast ad program downloaded and rendered the ad content.
Upon discovering the vulnerability, AhnLab and the NCSC promptly reported it to Microsoft.
On August 13, Microsoft issued CVE-2024-38178 with a CVSS score 7.5 and released a patch to mitigate the threat. Users and organizations are urged to apply this update immediately to safeguard against potential exploits.
Recommendations
- Apply the latest security patches from Microsoft.
- Ensure systems are updated to the latest versions.
- Developers should avoid using outdated libraries or modules in their software products.
- Users should follow basic cybersecurity measures, such as regularly updating their software.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)