Google Chrome Vulnerability Exploited by North Korean Hackers, Microsoft Warns
Microsoft recently detected a North Korean cyber group, Citrine Sleet, exploiting a security vulnerability in Chromium-based browsers, including Google Chrome. This flaw allowed attackers to execute malicious code on compromised devices. Citrine Sleet used advanced tactics, such as fake cryptocurrency websites, to conduct their attacks.
North Korean Cyber Group Citrine Sleet Exploits Chromium Zero-Day Vulnerability
Microsoft published a report Friday revealing that last week it discovered a North Korean cyber group, Citrine Sleet, exploiting a zero-day vulnerability in the Chromium browser. The report, published by Microsoft Threat Intelligence and the Microsoft Security Response Center (MSRC), identified the vulnerability as CVE-2024-7971, a type confusion flaw in the V8 JavaScript and WebAssembly engine used by Chromium.
This zero-day flaw allowed remote code execution (RCE) within the browser’s isolated renderer process, which let the attackers run harmful code on the targeted systems. Microsoft said:
Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to Citrine Sleet.
Citrine Sleet is known for its focus on the cryptocurrency sector, aiming for financial gain. Further analysis suggested that Citrine Sleet might share tools and infrastructure with another North Korean threat group, Diamond Sleet, particularly through the use of the FudModule rootkit malware. The report noted that Citrine Sleet, also referred to by other names such as AppleJeus and Hidden Cobra, is linked to Bureau 121, North Korea’s cyber espionage unit. The group employs advanced techniques, including setting up fake cryptocurrency sites and sending malicious job offers or cryptocurrency wallets to trick victims.
Chromium is an open-source web browser project that serves as the foundation for Google Chrome, which incorporates additional proprietary features and services. Because Chrome is built on Chromium’s codebase, vulnerabilities in Chromium typically also affect Chrome.
When a target connected to the domain voyagorclub[.]space, the zero-day exploit was served, leading to the download of malware and an escape from the Windows security sandbox. Although Microsoft patched the vulnerability on Aug. 13, that fix had no direct link to Citrine Sleet’s activities, suggesting the vulnerability may have been discovered by different groups at the same time or through shared intelligence.
Microsoft advised:
Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation.
The report underscored the urgent need for keeping systems updated and implementing advanced security protocols to defend against complex cyber threats, particularly in the cryptocurrency sector. Microsoft stressed the necessity of quickly updating both operating systems and applications, advising: “Keep operating systems and applications up to date. Apply security patches as soon as possible.” It also recommended that users verify their “Google Chrome web browser is updated to version 128.0.6613.84 or later.”
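The two checks a defender would want from this article are whether an installed Chrome is at or above the fixed build named above, and whether any host in the environment contacted the exploit-delivery domain mentioned earlier. The script below is an added example and is not code from Microsoft’s report or from the article; the four-part Chrome version format is real, but the proxy log line layout (timestamp, client IP, method, URL, status) and the sample log lines are constructed for the example. It also shows why the version comparison must be numeric: a plain string comparison wrongly reports "128.0.6613.9" as newer than "128.0.6613.84".

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# First Google Chrome build the report names as fixed for CVE-2024-7971.
PATCHED_CHROME_VERSION = "128.0.6613.84"

# Exploit-delivery domain from the report (printed defanged in the article as
# voyagorclub[.]space); re-armed here only so log hosts can be matched against it.
EXPLOIT_DOMAIN = "voyagorclub.space"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH, all integers.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a dotted Chrome version into a tuple of ints so it compares numerically."""
    v = version.strip()
    if not VERSION_RE.match(v):
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    major, minor, build, patch = (int(part) for part in v.split("."))
    return major, minor, build, patch


def is_patched(installed: str, fixed: str = PATCHED_CHROME_VERSION) -> bool:
    """True when the installed build is the fixed build or later (component-wise)."""
    return parse_version(installed) >= parse_version(fixed)


def naive_string_is_patched(installed: str, fixed: str = PATCHED_CHROME_VERSION) -> bool:
    """The common mistake: comparing version strings lexicographically.
    Kept only to show the failure mode; do not use this in a real check."""
    return installed >= fixed


def find_exploit_domain_hits(log_lines: Iterable[str], domain: str = EXPLOIT_DOMAIN) -> List[str]:
    """Return proxy log lines whose requested host is the exploit domain or a subdomain of it.

    Matching on the parsed hostname (not a substring of the whole line) avoids false
    positives such as a look-alike 'voyagorclub.space.example.com'.
    """
    hits = []
    for line in log_lines:
        # Assumed (constructed) log layout: "<timestamp> <client_ip> <method> <url> <status>"
        fields = line.split()
        if len(fields) < 5:
            continue
        host = urlsplit(fields[3]).hostname
        if host is None:
            continue
        host = host.lower()
        if host == domain or host.endswith("." + domain):
            hits.append(line)
    return hits


# Constructed sample proxy log for the example; the dates and IPs are made up.
SAMPLE_PROXY_LOG = [
    "2024-08-19T10:02:11Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2024-08-19T10:03:40Z 10.0.0.12 GET https://voyagorclub.space/ 200",
    "2024-08-19T10:03:41Z 10.0.0.12 GET https://cdn.voyagorclub.space/app.js 200",
    # Look-alike host that must NOT be reported as a hit.
    "2024-08-19T10:04:02Z 10.0.0.15 GET https://voyagorclub.space.example.com/ 200",
]


if __name__ == "__main__":
    for v in ("127.0.6533.100", "128.0.6613.9", "128.0.6613.84", "128.0.6613.120"):
        print(f"{v:>16}: numeric={is_patched(v)!s:5}  naive_string={naive_string_is_patched(v)}")
    for hit in find_exploit_domain_hits(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
```

Run as a script it prints the four version verdicts side by side and the two log lines that genuinely reached the exploit domain; the look-alike host in the last sample line is correctly ignored because the match is on the parsed hostname rather than on a substring.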