North Korean hackers use FudModule Rootkit through Chrome Zero-Day Vulnerability

A security flaw in Google Chrome and other Chromium web browsers was recently patched. It was exploited by North Korean actors in a campaign to deliver the FudModule rootkit.

This incident highlights the ongoing efforts of this nation-state adversary, which has incorporated numerous Windows zero-day exploits into its toolkit in recent months.

Microsoft, which detected this activity on August 19, 2024, attributed it to a threat actor known as Citrine Sleet, a sub-cluster within the Lazarus Group. Citrine Sleet is based in North Korea and primarily targets financial institutions, with a focus on organizations and individuals involved in cryptocurrency.

The attack involved the exploitation of a high-severity vulnerability in the V8 JavaScript and WebAssembly engine, CVE-2024-7971, which allowed threat actors to achieve remote code execution in the Chromium renderer process. Google has since released updates to address this vulnerability.

This is not the first time Citrine Sleet has been linked to cyber attacks: the group has a history of setting up fake websites to trick users into installing malicious applications that steal digital assets.

The exploitation of CVE-2024-7971 by Citrine Sleet involved the deployment of a Windows sandbox escape exploit and the FudModule rootkit. This rootkit is used to gain admin-to-kernel access on Windows systems.

Microsoft has remediated CVE-2024-38106, a Windows kernel privilege escalation bug that was exploited in this campaign, as part of its August 2024 Patch Tuesday update.

Zero-day exploits like these emphasize the importance of keeping systems updated and employing security solutions that can detect and block post-compromise attacker activities.
