A financially motivated North Korean threat actor [1], Citrine Sleet [1] [2] [3] [4], exploited a zero-day vulnerability in Google’s Chromium browser in August to target the cryptocurrency industry.
Description
This attack chain combined previously unknown issues in Windows and Chromium-based browsers [2]: a zero-day flaw in Chromium (CVE-2024-7971) and a privilege escalation bug in the Windows kernel (CVE-2024-38106) [2]. The Chromium vulnerability allowed remote code execution (RCE) and received a critical rating of CVSS 8.8 out of 10 [1]. By combining these exploits and deploying a rootkit called FudModule [2], the attackers gained deep system access and stole cryptocurrency from their targets [2]. The FudModule rootkit [1] [4], historically shared between Citrine Sleet and Diamond Sleet [1], uses direct kernel object manipulation (DKOM) to tamper with kernel security mechanisms [1].

Citrine Sleet [1] [2] [3] [4], also known as AppleJeus [1], targets organizations and individuals that manage cryptocurrency, for financial gain [1] [3], and uses social engineering to distribute malware and steal information [1]. The attack was sophisticated and demonstrated the advanced capability of North Korean APT groups to carry out financial cybercrime [2].

Microsoft recommends patching CVE-2024-7971 and CVE-2024-38106 to protect against Citrine Sleet exploitation [1]. Google released a security patch for the vulnerability two days after Microsoft disclosed it [4], and the United States Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known exploited vulnerabilities [4], requiring federal agencies to apply the patch by September 16 [4]. Citrine Sleet primarily targeted financial institutions and individuals involved in cryptocurrency in order to gather data for theft [4], highlighting the ongoing threat posed by state-sponsored hacking groups [4]. This attack is part of a larger trend of North Korean government hackers targeting crypto assets to fund the country's nuclear weapons program [3].
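The CISA deadline mentioned above is only useful if a defender actually compares the CVEs from reports like this one against the catalog and tracks remediation. The script below is an added example for this summary, not code from any of the cited articles: it loads a catalog in the shape of the CISA KEV JSON feed (the field names vulnerabilities, cveID, vendorProject, product and dueDate are those of the public feed; the entries themselves are constructed sample data, not a download of the real catalog), matches a set of tracked CVE ids against it and reports which are patched, still within their deadline, overdue, or not in the catalog at all. The 16 September due date for CVE-2024-7971 is the one the article reports; the due date given for CVE-2024-38106 and the id CVE-0000-00000 are placeholders.

```python
"""Track CVEs from a threat report against a CISA KEV-style catalog and flag missed deadlines.

Added example, not code from the cited articles. The JSON layout follows the field
names of the public CISA KEV feed (vulnerabilities[].cveID, dueDate, ...); the entries
below are constructed sample data, not a download of the real catalog.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. The two CVE ids and the 16 September
# due date for CVE-2024-7971 come from the article; the due date for CVE-2024-38106 is a
# placeholder, and vendor/product strings are illustrative.
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-7971",  "vendorProject": "Google",    "product": "Chromium",
     "dueDate": "2024-09-16"},
    {"cveID": "CVE-2024-38106", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2024-09-16"}
  ]
}
"""


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index catalog entries by CVE id so each lookup is a dictionary hit."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def assess(kev: dict[str, dict], tracked: set[str], today: str, patched: set[str]) -> dict[str, str]:
    """Classify each tracked CVE against the catalog and a reference date (ISO yyyy-mm-dd).

    Returns one of:
      'not-in-kev' - not in the catalog (no federal deadline, but still worth patching)
      'patched'    - in the catalog and your inventory reports it remediated
      'due'        - in the catalog, unpatched, deadline not yet passed
      'overdue'    - in the catalog, unpatched, deadline passed
    """
    ref = date.fromisoformat(today)
    status: dict[str, str] = {}
    for cve in tracked:
        entry = kev.get(cve)
        if entry is None:
            status[cve] = "not-in-kev"
        elif cve in patched:
            status[cve] = "patched"
        else:
            due = date.fromisoformat(entry["dueDate"])
            status[cve] = "overdue" if ref > due else "due"
    return status


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # CVE-0000-00000 is a placeholder standing in for an unrelated finding from a scanner.
    tracked = {"CVE-2024-7971", "CVE-2024-38106", "CVE-0000-00000"}
    patched = {"CVE-2024-38106"}
    for cve, state in sorted(assess(kev, tracked, "2024-09-20", patched).items()):
        print(f"{cve:16} {state}")
```

In practice the raw JSON would be fetched from CISA on a schedule and the tracked and patched sets would come from the organization's vulnerability scanner and patch records; the classification logic stays the same. Note that the deadline is inclusive: a CVE is "due", not "overdue", on the due date itself.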
Conclusion
The attack by Citrine Sleet underscores the importance of timely patching and vigilance in the face of sophisticated cyber threats. Organizations and individuals in the cryptocurrency industry must implement security measures that protect against such attacks. The incident also highlights the need for international cooperation and information sharing to combat state-sponsored cyber threats effectively.
References
[1] https://www.csoonline.com/article/3500452/north-korean-hackers-actively-exploited-a-critical-chromium-zero-day.html
[2] https://www.darkreading.com/vulnerabilities-threats/north-korean-apt-exploits-novel-chromium-windows-bugs-steal-crypto
[3] https://thecatalystonline.com/home/north-korean-hackers-exploited-chrome-zero-day-to-steal-crypto/
[4] https://www.vpnranks.com/kr/news/north-korean-hackers-exploit-google-chromium-vulnerability-to-steal-cryptocurrency/