The DPRK has found another way to earn cryptocurrency, penetrating the heart of the systems.
North Korean hackers are exploiting a zero-day vulnerability in Google Chrome to gain control of systems and seize victims' crypto assets.
Microsoft experts have confirmed that the Citrine Sleet group (formerly DEV-0139) used the zero-day CVE-2024-7971 to deploy the FudModule rootkit after gaining SYSTEM privileges through a Windows kernel exploit. The main target of the attacks is the cryptocurrency sector, where the hackers seek financial gain. The Citrine Sleet group has long been known for its attacks on financial institutions, and specifically on cryptocurrency organizations and their employees. The group has previously been attributed to North Korean intelligence.
Citrine Sleet (AppleJeus, Labyrinth Chollima, UNC4736) has repeatedly used fake websites masquerading as legitimate cryptocurrency trading platforms. Hackers infected victims' systems through fake job applications or through fake wallets and trading apps. For example, in March 2023, UNC4736 compromised the supply chain of 3CX video conferencing software, which resulted in the hacking of X_TRADER's trading automation software.
The Google Threat Analysis Group (TAG) has also confirmed the connection between the AppleJeus group and the compromise of the Trading Technologies website. The U.S. government has been warning for several years about the risks posed by North Korean hackers who target cryptocurrency companies and their employees with the AppleJeus malware.
A week ago, Google fixed the zero-day vulnerability CVE-2024-7971, a "Type Confusion" bug in the V8 JavaScript engine used in Chrome. The bug allowed attackers to remotely execute code inside the Chromium browser sandbox, after which they used the compromised browser to download an exploit for CVE-2024-38106 in the Windows kernel. That exploit gives the attackers SYSTEM privileges and lets them load the FudModule rootkit into memory, where it is used to manipulate kernel objects and bypass security mechanisms.
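The chain above ends with code that started in a sandboxed browser renderer running with SYSTEM privileges. The following is an added example, not code from the article or from Microsoft, of a toy detection rule over constructed Sysmon-style process-creation records: it flags any SYSTEM-level process whose ancestry leads back to a Chromium renderer (the process type in which V8 runs, identified by the real `--type=renderer` command-line switch). Field names, the browser image list and the sample records are assumptions made for illustration.

```python
"""
Added example (not from the original article): a toy detection rule for the
privilege-escalation outcome described above. It walks constructed,
Sysmon-style process-creation records and flags any process running as
SYSTEM whose parent chain includes a browser renderer process.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the browser image names we care about.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed field set)."""
    pid: int
    ppid: int
    image: str
    user: str
    cmdline: str = ""


def is_renderer(ev: ProcEvent) -> bool:
    # Chromium renderer processes carry --type=renderer on the command line.
    return ev.image.lower() in BROWSER_IMAGES and "--type=renderer" in ev.cmdline


def find_browser_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                          max_depth: int = 8) -> Optional[ProcEvent]:
    """Walk up the parent chain (bounded) and return the first renderer found."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if is_renderer(parent):
            return parent
        cur = parent
    return None


def find_escalations(events: List[ProcEvent]) -> List[dict]:
    """Return SYSTEM processes that descend from a sandboxed browser renderer."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.user.upper() != SYSTEM_USER.upper():
            continue
        anc = find_browser_ancestor(ev, by_pid)
        if anc is not None:
            hits.append({"pid": ev.pid, "image": ev.image, "renderer_pid": anc.pid})
    return hits


# Constructed sample records: one benign SYSTEM process, one browser tree in
# which a renderer's child unexpectedly runs as SYSTEM.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1200, 900, "chrome.exe", "CORP\\alice", "chrome.exe"),
    ProcEvent(1300, 1200, "chrome.exe", "CORP\\alice", "chrome.exe --type=renderer"),
    ProcEvent(1400, 1300, "cmd.exe", "NT AUTHORITY\\SYSTEM", "cmd.exe"),
    ProcEvent(1500, 400, "svchost.exe", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_EVENTS):
        print("browser-rooted SYSTEM process:", hit)
```

A renderer is sandboxed and should never have a SYSTEM-level descendant, so this heuristic has a low false-positive rate, but it only catches the escalation when it manifests as a new process; a rootkit loaded purely in memory, as the article describes for FudModule, needs kernel-level telemetry rather than process-tree correlation.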
Since its discovery in October 2022, the FudModule rootkit has also been used by another North Korean hacking group, Diamond Sleet, which uses similar tools and infrastructure for attacks. In August 2024, Microsoft released a security update that fixes the CVE-2024-38193 vulnerability in the AFD.sys driver, which was also used by Diamond Sleet in attacks.
Microsoft also highlighted that one of the organizations targeted by the attack using the CVE-2024-7971 vulnerability was previously attacked by another North Korean group, BlueNoroff (Sapphire Sleet). These facts indicate the continued activity of North Korean hackers, who do not stop attacking important sectors of the economy, seeking financial gain and promoting their state interests.
Source