Microsoft Identifies North Korean Cryptocurrency Thieves Behind Google Chrome Zero-Day Remote Code Exploitation
Recently, Microsoft’s threat intelligence team revealed that a well-known North Korean threat actor was behind the exploitation of a critical Chrome remote code execution flaw. The flaw, a type confusion vulnerability in the Chromium V8 JavaScript and WebAssembly engine, was patched by Google on August 21, 2024. Tracked as CVE-2024-7971, it is the seventh Chrome zero-day detected under active exploitation this year.
North Korean Hackers Exploit Chrome Vulnerability for Financial Gain
According to Microsoft, the exploitation of CVE-2024-7971 has been attributed to a North Korean group known as 'Citrine Sleet.' This group has a history of targeting financial institutions and individuals managing cryptocurrency, aiming for substantial financial gain. Microsoft’s report indicated that Citrine Sleet used zero-day exploits to execute remote code, allowing them to infiltrate victims' machines and deploy a sophisticated rootkit.
The attacks were first observed on August 19, 2024, when the North Korean hackers directed their victims to a compromised domain. This domain served the remote code execution browser exploit, which ultimately allowed the attackers to gain control over the targeted systems. Once inside, the hackers deployed the FudModule rootkit, malware previously associated with another North Korean advanced persistent threat (APT) group.
Citrine Sleet and Its Affiliations
Citrine Sleet, the name given by Microsoft to this group, is also tracked by other cybersecurity organizations under different aliases, including AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra. These aliases point to the group's affiliation with Bureau 121 of North Korea’s Reconnaissance General Bureau, a notorious cyber warfare unit known for orchestrating large-scale cyberattacks.
Protecting Against Such Threats
With the rise in cyber threats targeting the cryptocurrency sector, it is crucial for individuals and organizations to stay vigilant. Microsoft’s timely identification of Citrine Sleet’s activities underscores the importance of keeping software updated and employing robust security measures to protect against sophisticated attacks.
As cyber threats continue to evolve, particularly those linked to state-sponsored actors like Citrine Sleet, maintaining a proactive approach to cybersecurity is essential. Staying informed about the latest vulnerabilities and their exploitation, such as CVE-2024-7971 in Google Chrome, is key to defending against these ever-present dangers.