Microsoft discovered a North Korean threat actor exploiting a zero-day vulnerability in the Chromium browser, identified as CVE-2024-7971.
This vulnerability, a type confusion flaw in the V8 JavaScript and WebAssembly engine, allowed for remote code execution (RCE) in the sandboxed Chromium renderer process.
The threat actor, known as Citrine Sleet, primarily targets the cryptocurrency sector for financial gain.
“The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space,” Microsoft stated.
Exploitation Details and Attribution
Microsoft’s analysis attributes the exploitation of CVE-2024-7971 to Citrine Sleet with high confidence. The threat actor has been linked to the deployment of the FudModule rootkit, which has also been associated with another North Korean group, Diamond Sleet.
Shared infrastructure and tools between these groups suggest possible collaboration or shared use of the FudModule malware.
Citrine Sleet, tracked by other security firms as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is part of North Korea’s Reconnaissance General Bureau.
The group conducts extensive reconnaissance of the cryptocurrency industry, using fake websites and social engineering to distribute malicious software like the AppleJeus trojan, which targets cryptocurrency assets.
The attack chain begins with directing targets to a Citrine Sleet-controlled domain, where the zero-day RCE exploit is served.
This is followed by the download and execution of shellcode, exploiting another vulnerability, CVE-2024-38106, for a Windows sandbox escape.
The FudModule rootkit is then loaded, employing direct kernel object manipulation (DKOM) techniques to disrupt security mechanisms.
CVE-2024-7971 impacts versions of Chromium prior to 128.0.6613.84. Google released a fix for this vulnerability on August 21, 2024, and users are urged to update to the latest version.
This is the third type confusion vulnerability patched in V8 this year, following CVE-2024-4947 and CVE-2024-5274.
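As an added example (not code from the advisory or from Microsoft), a small Python check that flags Chromium/Chrome builds older than the fixed version named above; the inventory, hostnames and version strings are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Fixed Chromium version given in the advisory: builds before this are affected.
FIXED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '128.0.6613.84' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_to_cve_2024_7971(version: str) -> bool:
    """True when a Chromium/Chrome build predates the fixed version.

    Tuple comparison handles a truncated string safely: (128, 0) < (128, 0, 6613, 84),
    so an incomplete version is treated as older and flagged for review.
    Note: Microsoft Edge uses its own build numbering after the major version, so only
    its major number (128+) is comparable; do not feed raw Edge versions to this check.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory of hosts and their installed Chrome version (made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-finance-01": "127.0.6533.120",   # older major release
    "ws-finance-02": "128.0.6613.83",    # one build short of the fix
    "ws-finance-03": "128.0.6613.84",    # exactly the fixed build
    "ws-trading-07": "129.0.6668.58",    # newer major release
}


def find_vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose browser build still needs the CVE-2024-7971 fix."""
    return sorted(h for h, v in inventory.items() if is_vulnerable_to_cve_2024_7971(v))


if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} predates {FIXED_VERSION}, update required")
```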
Microsoft’s Response and Recommendations
Microsoft has notified targeted customers and provided detailed guidance to help secure their environments. Users are advised to:
- Keep operating systems and applications up to date.
- Apply security patches promptly.
- Use updated versions of Google Chrome and Microsoft Edge.
- Enable security features in Microsoft Defender for Endpoint and Antivirus.
The exploitation of CVE-2024-7971 by Citrine Sleet underscores the ongoing threat posed by nation-state actors targeting the cryptocurrency sector. Organizations are urged to implement recommended mitigations and stay vigilant against evolving cyber threats.