Recently, we mentioned the discovery of a new zero-day vulnerability in Google Chrome. Zero-day (0day) vulnerabilities are “elite” flaws used by a small number of highly skilled attackers. They are usually sold on the deep web for thousands or even tens of thousands of dollars, and those who discover them often keep them for their own exclusive use in order to gain larger rewards.
Chrome Vulnerability and Crypto
We always advise staying away from untrusted websites and applications. It is also recommended to use proven paid antivirus software to secure your web traffic. While antivirus software does not always protect users, it does keep you away from many known traps.
Microsoft recently reported that the security vulnerability we mentioned earlier was used by North Korean attackers to target crypto investors.
“On August 19, 2024, Microsoft identified that a North Korean threat actor exploited a zero-day vulnerability in Chromium, identified as CVE-2024-7971, to achieve remote code execution (RCE). We assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain.”
Microsoft experts found that the vulnerability was jointly used by two groups, Diamond Sleet and Citrine Sleet. So what does the attack scenario look like? The details of the investigation show it.
“The observed zero-day exploit attack by Citrine Sleet used typical stages seen in browser exploit chains. Initially, targets were redirected to the attack domain voy****club[.]space controlled by Citrine Sleet. Although we cannot currently verify how targets were redirected, social engineering (for example, sending a link presented as a trading or crypto wallet application) is a common tactic used by Citrine Sleet. When a target connected to the internet address, the zero-day RCE exploit for CVE-2024-7971 was delivered.
After the RCE exploit succeeded in executing code in the protected Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded and then loaded into memory. The sandbox escape exploited a security vulnerability in the Windows kernel, CVE-2024-38106, which Microsoft fixed on August 13, 2024, before discovering this activity by the North Korean threat actor.”
Google patched this vulnerability in Chrome on August 21 and is expected to publish a detailed explanation within 60 days. Always keep your browser updated and stay vigilant. North Korean attackers are now conducting much more targeted attacks, and newly discovered vulnerabilities like this one make their job easier. No comprehensive report has yet been published on the crypto investors victimized by this vulnerability. Additionally, those who have not yet updated their systems remain potential targets.