web analytics

North Korean Hackers Tied to Exploits of Chromium Zero-Day – Source: www.databreachtoday.com

north-korean-hackers-tied-to-exploits-of-chromium-zero-day-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cybercrime
,
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Cryptocurrency Users Targeted in Latest Campaign Involving FudModule Rootkit

Akshaya Asokan (asokan_akshaya) ,
Mathew J. Schwartz (euroinfosec) •
September 2, 2024    

North Korean Hackers Tied to Exploits of Chromium Zero-Day
North Korea’s “Monument to Party Founding” in Pyongyang. (Image: Peter Anta/Pixabay)

A hacking group tied to North Korea exploited a zero-day vulnerability in the open source Google Chromium web browser to try and steal cryptocurrency.

See Also: Webinar | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

So warns Microsoft in a new report, detailing the financially motivated campaign, which exploited a now-patched flaw in V8 – Google’s open source, high-performance JavaScript and WebAssembly engine, which is written in C++.

Now tracked as CVE-2024-7971, the flaw can be exploited to remotely execute code on a targeted system, and exists in versions of Chromium prior to 128.0.6613.84, which began to get rolled out Aug. 21.

Microsoft’s Security Response Center notified Google about the flaw on Aug. 19. Google rated the severity of the vulnerability as “high,” since it can be used to remotely execute arbitrary code.

Microsoft attributes the campaign it saw targeting the vulnerability to a threat actor it codenamed Citrine Sleet, which is also known as AppleJeus, Labyrinth Chollima, UNC4736 and Hidden Cobra. The financially motivated group has been linked to North Korea’s cyber operations agency, Bureau 121, which is part of the military’s Reconnaissance General Bureau.

In this campaign, the attackers used fake websites and job applications to lure targets into downloading either a malicious cryptocurrency wallet or trading application, Microsoft said.

Anyone who fell for the lure would get redirected to an attacker-controlled domain designed to remotely exploit the vulnerability to install a rootkit called FudModule that runs in-memory on the targeted device. The rootkit also attempted to exploit a Windows kernel privilege escalation vulnerability tracked as CVE-2024-38106, to allow it to escape a Windows sandbox.

“Once the sandbox escape exploit was successful, the rootkit employs direct kernel object manipulation techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive,” said Microsoft, which released a software update on Aug. 13 to patch that vulnerability.

The researchers didn’t detail how many individuals or organizations got targeted or fell victim to the cryptocurrency-targeting campaign.

FudModule is a sophisticated piece of malware that has been linked to multiple North Korean hacking campaigns groups since at least October 2021.

Last month, Microsoft warned that North Korean attackers were exploiting a different zero-day vulnerability in the Windows Ancillary Function Driver – Afd.sys – for WinSock, tracked as CVE-2024-38193, to sneak FudModule onto targeted systems. The group’s attacks often involve “bring your own vulnerable driver” – aka BYOVD – tactics to introduce known vulnerabilities they can exploit and install malware (see: North Korea Exploited Windows Zero-Day to Deploy Fudmodule).

The group executed one such campaign in the summer of 2023, “targeting specific individuals in the Asian region through fabricated job offers,” Gen Digital’s Avast antivirus software unit reported in April.

One objective of those multi-stage attacks, which targeted a different zero-day vulnerability in Windows, was to drop a never-before-seen remote access Trojan codenamed Kaolin onto victims’ systems, which then loaded FudModule, it said. Avast attributed the campaign to North Korea’s Lazarus advanced-persistent threat group.

Microsoft tracks the group involved in that campaign as Diamond Sleet, and notes that while that cluster of threat activity has differences with Citrine Sleet, it’s “previously identified shared infrastructure and tools between Diamond Sleet and Citrine Sleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.”

After spotting signs of the latest campaign, Microsoft said it “directly notified targeted or compromised customers, providing them with important information to help secure their environments.”

More Chromium Flaws Under Fire

In its latest major Chromium release, which is version 128, Google fixed a total of 38 separate security flaws.

Another one of those security flaws involved a high-risk confusion vulnerability, also in the V8 engine, “that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the U.S. Cybersecurity and Infrastructure Security Agency. Tracked as CVE-2024-7965, Google warned Aug. 20 that the vulnerability was already being exploited via in-the-wild attacks.

CISA on Wednesday added the flaw to its catalog of known exploited vulnerabilities and set a Sept. 18 deadline for all civilian federal agencies to fix the flaw. “This vulnerability could affect multiple web browsers that utilize Chromium, including – but not limited to – Google Chrome, Microsoft Edge and Opera,” it said.

The flaw was discovered by a security researcher known as “TheDog” on July 30 and reported to Google.

Original Post url: https://www.databreachtoday.com/north-korean-hackers-tied-to-exploits-chromium-zero-day-a-26181

Category & Tags: –

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
WILEY
Cybercrime Investigators Handbook by WILEY
Cybercrime Investigators Handbook by WILEY
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

LogRhythm
A Guide to User and Entity Behavior Analytics (UEBA)
A Guide to User and...
BONI YEAMIN
100 Offensive Linux Security Tools
100 Offensive Linux Security Tools
SentinelOne
90 DAYS A CISO’S JOURNEY TO IMPACT
90 DAYS A CISO’S JOURNEY...
ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los...
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware...
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act –...
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity...
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing

More Latest Published Posts

Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats and security best practices
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by Cigref
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web Server SystemsHacking Techniques
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration and Integration
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data
OPSWAP
Securing ICS SCADA updates OT Environments
Securing ICS SCADA updates OT Environments
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
WITH SECURE
Threat Landscape Update Report
Threat Landscape Update Report
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
Mihaela Curcă
The Role of Cyber Espionage inInternational Relations
The Role of Cyber Espionage inInternational Relations
GLOBAL NETWORK OF DIRECTOR INSTITUTES
THE FUTURE OF BOARD GOVERNANCE
THE FUTURE OF BOARD GOVERNANCE
Deloitte
The CISO’s Guide to Generative AI
The CISO’s Guide to Generative AI
Capgemini
PROMPT THE FUTURE
PROMPT THE FUTURE
Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data Report
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing