Chromium Zero-Day Exploited by North Korean Hackers
Exploitation of Zero-Day Vulnerability in Chromium
A zero-day vulnerability in Chromium, the open-source browser project behind Chrome and Edge, has recently been exploited by a financially motivated North Korean threat actor, Citrine Sleet, to deliver the FudModule rootkit. The vulnerability, tracked as CVE-2024-7971, is a type confusion flaw in the V8 JavaScript and WebAssembly engine and carries a CVSS score of 8.8 out of 10, which is rated High (not Critical) under CVSS v3.
Details of the Exploit
On August 19, 2024, Microsoft identified Citrine Sleet exploiting the Chromium zero-day to gain remote code execution (RCE) inside the browser's sandboxed renderer process. The actor lured victims to a domain it controlled, which served the exploit. Once the V8 bug gave code execution in the renderer, the chain downloaded shellcode that escaped the Chromium sandbox by exploiting a separate Windows kernel vulnerability, CVE-2024-38106, and then went on to tamper with the kernel itself.
The FudModule rootkit that the chain deploys performs direct kernel object manipulation (DKOM) to disable kernel security mechanisms, yet it runs entirely as user-mode code, using the kernel read/write access it has gained rather than loading a driver of its own. That leaves defenders no malicious driver to find, which is what makes it dangerous. Citrine Sleet is known for targeting financial institutions, particularly organizations in the cryptocurrency sector.
Security Recommendations
In light of these findings, organizations should promptly patch both halves of the chain: CVE-2024-7971 in the browser (Google shipped the fix in Chrome 128.0.6613.84 on August 21, 2024; other Chromium-based browsers ship it in their own corresponding releases) and CVE-2024-38106 in Windows (fixed in the August 13, 2024 security update). Either patch alone breaks the chain as observed, since the renderer exploit needs the kernel bug to escape the sandbox, but both should be applied. Microsoft emphasizes that continuous monitoring and swift security updates are essential for protecting individuals and organizations from such sophisticated threats.
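The following is an added example, not code from the article or from Microsoft, showing the check a practitioner would actually run: triage an endpoint inventory against the fixed browser build. It assumes the inventory is a list of (host, product, version) rows such as an endpoint-management export (the rows below are constructed), uses the Chrome 128.0.6613.84 threshold for CVE-2024-7971, and treats the Edge threshold as an assumption to be confirmed against the vendor advisory. The function names are this example's own.

```python
"""Triage an endpoint inventory for Chromium builds that predate the CVE-2024-7971 fix.

Added example; not the article's or Microsoft's code. The inventory below is
constructed, and the Edge threshold is an assumption (confirm it with the vendor).
"""
from __future__ import annotations

import re
from typing import Iterable

# Fixed builds per product. Chrome's value is the stable release that shipped
# the CVE-2024-7971 fix (2024-08-21). Other Chromium-based browsers backport on
# their own schedule, so the Edge entry is an assumed threshold for illustration.
FIXED_VERSIONS = {
    "chrome": "128.0.6613.84",
    "edge": "128.0.2739.42",  # assumption; verify against the Edge security advisory
}

# Chromium versions are MAJOR.MINOR.BUILD.PATCH; accept 2 to 4 numeric fields.
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(s: str) -> tuple[int, ...]:
    """Parse a dotted Chromium version into a 4-tuple so it compares numerically.

    Shorter strings are zero-padded, so '128.0' compares as (128, 0, 0, 0).
    Raises ValueError for strings that are not version numbers (e.g. 'n/a').
    """
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"not a Chromium version string: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/version is older than the fixed build.

    Raises KeyError when no threshold is configured for the product, so an
    unknown browser is never silently reported as safe.
    """
    fixed = FIXED_VERSIONS.get(product.lower())
    if fixed is None:
        raise KeyError(f"no fixed version configured for {product!r}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[tuple[str, str, str]]) -> dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers hosts whose version string cannot be parsed or whose
    product has no configured threshold; those need a manual look rather
    than being treated as patched.
    """
    result: dict[str, str] = {}
    for host, product, version in inventory:
        try:
            result[host] = "vulnerable" if is_vulnerable(product, version) else "patched"
        except (ValueError, KeyError):
            result[host] = "unknown"
    return result


# Constructed sample inventory (not real hosts or real telemetry).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "127.0.6533.120"),  # pre-fix build
    ("ws-002", "Chrome", "128.0.6613.84"),   # exactly the fixed build
    ("ws-003", "Chrome", "128.0.6613.119"),  # later patch level, same major
    ("ws-004", "Chrome", "129.0.6668.58"),   # newer major
    ("ws-005", "Edge", "127.0.2651.105"),    # pre-fix Edge build
    ("ws-006", "Chrome", "n/a"),             # inventory gap: version missing
    ("ws-007", "Brave", "1.68.141"),         # no threshold configured
]


def vulnerable_host_names(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Sorted host names that definitely still need the browser patch."""
    return sorted(h for h, status in triage(inventory).items() if status == "vulnerable")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The comparison is done on integer tuples rather than strings, because a string comparison would rank "128.0.6613.84" above "128.0.6613.119". Hosts that cannot be classified are reported as "unknown" on purpose; the failure mode to avoid in patch triage is a gap in the inventory being read as "patched".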
This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.