Alert: North Korean Hackers Exploit Google Chrome Vulnerability – What You Need to Know
Bitcoin.com News, 2 weeks ago

Summary:

  • Citrine Sleet, a North Korean cyber group, exploits a security vulnerability in Chromium-based browsers.

  • The vulnerability is identified as CVE-2024-7971, enabling remote code execution (RCE).

  • Citrine Sleet targets the cryptocurrency sector, employing fake websites and malicious job offers.

  • Microsoft patched the vulnerability, urging users to keep their systems and applications updated.

  • Users are advised to verify that Google Chrome is updated to version 128.0.6613.84 or later.

North Korean Cyber Group Exploits Chromium Zero-Day Vulnerability

Microsoft has recently uncovered that a North Korean cyber group, known as Citrine Sleet, is exploiting a security vulnerability in Chromium-based browsers, including Google Chrome. This vulnerability has permitted attackers to execute malicious code on affected devices.

The Vulnerability Unveiled

According to a report published by Microsoft Threat Intelligence and the Microsoft Security Response Center (MSRC), the vulnerability, identified as CVE-2024-7971, is a type confusion flaw in the V8 JavaScript and WebAssembly engine used by Chromium. This zero-day flaw enables remote code execution (RCE) within the sandboxed renderer process of the browser, allowing attackers to run harmful code on targeted systems.

“Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet.” - Microsoft

Citrine Sleet's Targeting Tactics

Citrine Sleet is known for targeting the cryptocurrency sector for financial gain. The group is suspected of sharing tools and infrastructure with another North Korean threat group, Diamond Sleet, particularly the FudModule rootkit malware. Citrine Sleet is also known by other aliases, including AppleJeus and Hidden Cobra, and is linked to Bureau 121, North Korea’s cyber espionage unit. Its tactics include setting up fake cryptocurrency sites and sending victims malicious job offers or cryptocurrency wallets.

The Impact of Chromium Vulnerability

Since Chromium serves as the foundation for Google Chrome, vulnerabilities in Chromium typically affect Chrome as well. In this instance, a zero-day exploit was executed when a target connected to the domain voyagorclub[.]space, leading to malware downloads and evasion of the Windows security sandbox.

Although Microsoft patched the vulnerability on August 13, there was no direct link to Citrine Sleet's activities, indicating that the vulnerability might have been discovered by different groups concurrently or through shared intelligence.

Recommendations from Microsoft

Microsoft has emphasized the importance of:

  • Keeping systems up to date
  • Implementing security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise tools and malicious activity.

They strongly advise users to ensure their Google Chrome web browser is updated to version 128.0.6613.84 or later.
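
The version check recommended above can be run across a fleet inventory. The following is an added example, not part of the original article or Microsoft's report; the host names and version strings are constructed sample data, and the input format (the text printed by the browser's `--version` option) is an assumption.

```python
import re

# Minimum Google Chrome version given in the article.
PATCHED = (128, 0, 6613, 84)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def classify(raw):
    """Classify one inventory entry as 'ok', 'vulnerable' or 'unknown'."""
    # The threshold is a Chrome build number. Other Chromium-based browsers
    # use their own numbering, so they are not judged against it.
    if not raw.startswith("Google Chrome"):
        return "unknown"
    version = parse_version(raw)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component. A plain string comparison
    # would wrongly rank 128.0.6613.9 above 128.0.6613.84.
    return "ok" if version >= PATCHED else "vulnerable"

def audit(inventory):
    """Group host names by classification."""
    report = {"ok": [], "vulnerable": [], "unknown": []}
    for host, raw in inventory:
        report[classify(raw)].append(host)
    return report

# Constructed sample inventory: (host name, reported version string).
INVENTORY = [
    ("ws-001", "Google Chrome 128.0.6613.84"),
    ("ws-002", "Google Chrome 127.0.6533.120"),
    ("ws-003", "Google Chrome 128.0.6613.9"),
    ("ws-004", "Google Chrome 129.0.6668.58"),
    ("ws-005", ""),                              # agent returned nothing
    ("ws-006", "Microsoft Edge 128.0.2739.42"),  # different version scheme
]

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a separate check against the fixed version published by that browser's vendor.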
