North Korean Hackers Exploit Chromium Zero-Day To Target Cryptocurrency Sector
A North Korean threat actor has been exploiting a zero-day vulnerability in Chromium to target cryptocurrency organizations for financial gain, according to a report published today by Microsoft.
The vulnerability, tracked as CVE-2024-7971, allows attackers to execute code remotely on affected systems.
Microsoft has attributed the attack to Citrine Sleet, a North Korean threat actor known for primarily targeting financial institutions, especially those involved in cryptocurrency. The group conducts extensive reconnaissance of the cryptocurrency sector and employs sophisticated social engineering tactics.
These tactics include creating fake websites that mimic legitimate cryptocurrency trading platforms to distribute malicious software, such as fake job applications or weaponized cryptocurrency wallets.
The attack chain involved exploiting the Chromium vulnerability, executing malicious code, and deploying the FudModule rootkit. This rootkit is a sophisticated piece of malware that can evade detection and grant attackers elevated privileges on compromised systems.
It has been in use since 2021, with its earliest variant exploiting vulnerable drivers to gain admin-to-kernel access, a technique known as “bring your own vulnerable driver” (BYOVD).
The FudModule rootkit was previously attributed to Diamond Sleet, another North Korean threat actor, which Microsoft says suggests the two groups may be sharing tools or infrastructure.
To mitigate the threat, Microsoft recommends updating systems with the latest security patches, enabling Microsoft Defender for Endpoint’s tamper protection and network protection features, and running EDR in block mode. Customers should also watch for suspicious activity and report any unusual occurrences to their security teams.
Microsoft additionally provides detailed detection guidance and hunting queries so customers can identify and respond to related threats within their networks.
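As an illustration of the kind of hunting logic the attack chain above calls for (browser exploitation, then code execution, then a kernel driver load for the rootkit), here is an added example written for this page; it is not one of Microsoft's published queries and not code from the report. It reconstructs a process tree from constructed process-creation events and flags two things: a Chromium-based browser spawning a script host, and a driver load requested from anywhere in a browser's process tree. The event shapes, process names and sample events are all assumptions made for the example; real EDR telemetry would typically surface the driver step as a service-creation or driver-load event rather than this simplified record.

```python
"""Toy hunting logic for a browser-exploit -> code-execution -> driver-load chain.

All events below are constructed samples, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Process images treated as Chromium-based browsers (the exploited component).
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe"}
# Script/loader hosts that a browser process has no ordinary reason to spawn.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # lower-case file name of the process image


@dataclass(frozen=True)
class DriverLoadEvent:
    pid: int     # process that requested the load (assumed event shape)
    driver: str  # driver file name as recorded in the sample event


def build_process_table(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    """Index process-creation events by PID so parents can be looked up."""
    return {e.pid: e for e in events}


def browser_ancestor(pid: int, table: Dict[int, ProcessEvent],
                     max_depth: int = 32) -> Optional[int]:
    """Walk the parent chain from pid and return the nearest browser PID.

    Returns None if no browser is found. The walk is depth-bounded and
    cycle-checked so a malformed log cannot make it loop forever.
    """
    seen = set()
    cur = table.get(pid)
    depth = 0
    while cur is not None and depth < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.image in BROWSERS:
            return cur.pid
        cur = table.get(cur.ppid)
        depth += 1
    return None


def hunt(procs: List[ProcessEvent],
         loads: List[DriverLoadEvent]) -> List[Tuple[str, int]]:
    """Return (finding_name, pid) pairs for the two suspicious patterns."""
    table = build_process_table(procs)
    findings: List[Tuple[str, int]] = []

    # Pattern 1: a browser process directly spawns a script/loader host.
    # Browser -> browser (renderer, GPU process) is normal and is not flagged.
    for e in procs:
        parent = table.get(e.ppid)
        if parent is not None and parent.image in BROWSERS and e.image in SCRIPT_HOSTS:
            findings.append(("browser_spawned_script_host", e.pid))

    # Pattern 2: a driver load requested by any descendant of a browser.
    for d in loads:
        if browser_ancestor(d.pid, table) is not None:
            findings.append(("driver_load_from_browser_tree", d.pid))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_PROCESSES = [
    ProcessEvent(pid=1, ppid=0, image="wininit.exe"),
    ProcessEvent(pid=100, ppid=1, image="explorer.exe"),
    ProcessEvent(pid=200, ppid=100, image="chrome.exe"),    # browser process
    ProcessEvent(pid=201, ppid=200, image="chrome.exe"),    # renderer; normal
    ProcessEvent(pid=300, ppid=201, image="rundll32.exe"),  # renderer spawns loader
    ProcessEvent(pid=301, ppid=1, image="services.exe"),
    ProcessEvent(pid=302, ppid=301, image="svchost.exe"),
]
SAMPLE_DRIVER_LOADS = [
    DriverLoadEvent(pid=300, driver="constructed_example.sys"),  # from browser tree
    DriverLoadEvent(pid=302, driver="constructed_benign.sys"),   # ordinary service path
]


def run_sample() -> List[Tuple[str, int]]:
    """Run the hunt over the constructed sample; used by the usage below."""
    return hunt(SAMPLE_PROCESSES, SAMPLE_DRIVER_LOADS)


if __name__ == "__main__":
    for name, pid in run_sample():
        print(f"{name}: pid {pid}")
```

The ancestor walk is what turns this from a parent-child rule into a chain detection: the driver load is flagged even though it is requested two hops below the browser, which is the shape a browser exploit followed by a staged loader would leave in process telemetry. Tuning for a real fleet would mean exempting known-good browser children (updaters, crash handlers) rather than relaxing the driver-load rule.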