North Korean Threat Actor Citrine Sleet Exploiting Chromium Zero-Day

Accepted submission by fliptop at 2024-09-10 20:19:57 from the alt.chrome.north.korea dept.
Security

On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971 [nist.gov], to gain remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain [microsoft.com]:

Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet [microsoft.com]. We note that while the FudModule [avast.io] rootkit deployed has also been attributed to Diamond Sleet [microsoft.com], another North Korean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability [googleblog.com] on August 21, 2024, and users should ensure they are using the latest version of Chromium.
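As an added example (not code from the Microsoft post or from this submission), the following Python triages a browser inventory against the fixed build named above: the only page-supplied value is 128.0.6613.84, and the hostnames and version strings in the sample inventory are constructed. It compares version components numerically, since a plain string comparison would wrongly rank 99.x above 128.x.

```python
"""Triage Chromium version strings against the CVE-2024-7971 fix release.

Added example, not from the Microsoft advisory. FIXED_VERSION comes from the
advisory; the inventory lines below are constructed sample data.
"""
from typing import List, Tuple

FIXED_VERSION = "128.0.6613.84"  # first Chromium build carrying the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a comparable tuple of ints.

    Shorter strings (e.g. '128.0.6613') are padded with zeros so they still
    compare correctly; anything non-numeric raises ValueError.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium-style version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the build predates the fixed one (numeric, not lexicographic)."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: List[str]):
    """Return ([(host, version) needing update], [unparseable lines]).

    Each constructed inventory line has the form 'hostname,browser,version'.
    """
    needs_update, malformed = [], []
    for line in lines:
        try:
            host, _browser, ver = (f.strip() for f in line.split(","))
            if is_vulnerable(ver):
                needs_update.append((host, ver))
        except ValueError:  # wrong field count or non-numeric version
            malformed.append(line)
    return needs_update, malformed


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ws-finance-01,chrome,127.0.6533.120",   # predates the fix
    "ws-finance-02,chrome,128.0.6613.84",    # exactly the fixed build
    "ws-finance-03,chromium,128.0.6613.120", # newer than the fix
    "ws-dev-03,chromium,128.0.6613",         # short string, pads to .0
    "ws-dev-04,chrome,unknown",              # unparseable, reported separately
]

if __name__ == "__main__":
    vulnerable, bad = triage_inventory(SAMPLE_INVENTORY)
    for host, ver in vulnerable:
        print(f"{host}: {ver} predates {FIXED_VERSION}, update required")
    for line in bad:
        print(f"could not parse: {line}")
```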

Who is Citrine Sleet?

The threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

The article goes on to explain the exploit and FudModule rootkit, and ends with a long list of recommendations.

Originally spotted on Schneier on Security [schneier.com].

Previously: North Korean Hackers Unleashed Chrome 0-Day Exploit on Hundreds of US Targets [soylentnews.org]
