A North Korean government-backed hacking group exploited a vulnerability in Google’s open-source browser to steal cryptocurrency, according to Microsoft.
In a blog post, Microsoft Threat Intelligence and the Microsoft Security Response Center revealed that on August 19, they identified a North Korean hacking group exploiting a vulnerability in Google Chromium, an open-source browser. Microsoft stated that this exploit involves a zero-day vulnerability, meaning the hackers targeted the system before a security patch was available.
Microsoft has identified the threat actor as ‘Citrine Sleet,’ a group linked to Bureau 121 of North Korea’s Reconnaissance General Bureau, a cyberwarfare agency. This actor exploited a vulnerability in Chromium, known as ‘CVE-2024-7971,’ to distribute malware.
The threat actor compromised the system using sophisticated malware known as the “FudModule rootkit.” This malware allowed them to access the system while evading detection by users.
Google released a security patch for Chromium on August 21, two days after Microsoft’s blog announcement. However, the number of victims affected by the attack remains uncertain.
In response, the United States Cybersecurity and Infrastructure Security Agency (CISA) added the Google Chromium vulnerability CVE-2024-7971 to its Known Exploited Vulnerabilities catalog. CISA has set a deadline of September 16 for federal agencies to apply the security patch.
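CISA publishes the catalog mentioned above as a JSON feed, and the due date it assigns to each entry is what a remediation team actually tracks against. The following is an added example, not code from the article or from CISA: a small checker that parses a catalog document in that feed's shape, looks up an entry by CVE ID and reports whether its due date has passed. The sample catalog is constructed inline; only the CVE ID and the September 16, 2024 due date come from the article, while the `dateAdded` value, the second placeholder entry and the descriptive strings are assumptions.

```python
import json
from datetime import date, datetime

# Constructed sample shaped like CISA's KEV JSON feed (field names follow the
# real catalog). CVE-2024-7971 and its 2024-09-16 due date are from the article;
# every other value is an assumption or an obvious placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-7971",
            "vendorProject": "Google",
            "product": "Chromium",
            "vulnerabilityName": "Google Chromium vulnerability (placeholder name)",
            "dateAdded": "2024-08-26",  # assumed; the article does not give this date
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-09-16",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            # Obvious placeholder entry whose due date has already passed, so
            # the overdue filter below has something to report.
            "cveID": "CVE-0000-00000",
            "vendorProject": "Example Vendor",
            "product": "Example Product",
            "vulnerabilityName": "Placeholder vulnerability",
            "dateAdded": "2024-08-10",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-08-31",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def _as_date(value):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y-%m-%d").date()


def parse_kev(text):
    """Return the list of vulnerability entries from a KEV catalog document."""
    catalog = json.loads(text)
    return catalog["vulnerabilities"]


def find_entry(entries, cve_id):
    """Case-insensitive lookup of one catalog entry by CVE ID; None if absent."""
    wanted = cve_id.strip().upper()
    for entry in entries:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def days_until_due(entry, today):
    """Days remaining before the entry's due date (negative once overdue)."""
    return (_as_date(entry["dueDate"]) - _as_date(today)).days


def is_overdue(entry, today):
    """True only after the due date itself has passed."""
    return _as_date(today) > _as_date(entry["dueDate"])


def overdue_entries(entries, today):
    """All catalog entries whose remediation deadline has already passed."""
    return [entry for entry in entries if is_overdue(entry, today)]


def status_line(entry, today):
    """Human-readable remediation status for one entry on a given day."""
    remaining = days_until_due(entry, today)
    if remaining < 0:
        return f"{entry['cveID']}: OVERDUE by {-remaining} day(s) (due {entry['dueDate']})"
    return f"{entry['cveID']}: {remaining} day(s) left (due {entry['dueDate']})"


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)
    chromium = find_entry(entries, "CVE-2024-7971")
    print(status_line(chromium, "2024-09-01"))
    for late in overdue_entries(entries, "2024-09-05"):
        print(status_line(late, "2024-09-05"))
```

Pointing `parse_kev` at the downloaded catalog instead of the constructed sample is the only change needed to run this against the live feed; the date comparison deliberately treats the due date itself as still within the window, since that is the day the patch must be applied by.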
The blog states that Citrine Sleet targeted financial institutions and individuals involved in cryptocurrencies to gather data for theft. To accomplish this, they created a fake website that mimicked a legitimate cryptocurrency exchange platform.
According to Microsoft’s account of the incident, the North Korean hackers initiated their attack by luring a victim to a web domain under their control. They then took advantage of a separate Windows kernel vulnerability to install a rootkit—a type of malware that provides extensive access to the operating system—on the victim’s computer. With the rootkit in place, the hackers gained full control of the system, putting the victim’s data at significant risk.
Cryptocurrency has been a long-standing target for North Korean hackers. In response to severe international sanctions, North Korea has increasingly turned to cryptocurrency theft to fund its nuclear weapons program.
The blockchain data platform company Chainalysis revealed in its 2023 Crypto Crime Report that around $20 billion worth of cryptocurrency was illicitly transferred in 2022, while $3.8 billion worth of cryptocurrency was stolen in hacking attacks. “The amount of the stolen cryptocurrencies reached the highest level on record in 2022, with total damages of $3.8 billion,” said the company representative at a cybersecurity conference held in Seoul in March of 2023. “North Korea was the major actor that drove the surge of cryptocurrency heists, amounting to 40% of the entire cryptocurrency hacks,” added the representative.
Related article: North Korean hackers leverage online games to distribute malware, Microsoft reveals
A new North Korean hacking group has allegedly developed an online game and sent malicious emails to their targets while posing as game developers and investors, according to a statement from a United States tech giant on Tuesday.
In a recent blog post, Microsoft Threat Intelligence announced that a new North Korean hacking group had been discovered, one that the company dubbed “Moonstone Sleet.” Microsoft has been developing a system of classification that correlates threat actors from specific regions of the world with weather themes. For example, North Korean threat actors are referred to as “Sleet,” while Russian and Chinese hacking groups are tagged with the names “Blizzard” and “Typhoon,” respectively.
The company stated that the hacking group has been carrying out a wide range of financially motivated operations and cyberespionage campaigns that align with the objectives of the North Korean government. The report provided detailed information on malicious activities detected since last February, involving a self-developed, fully functional, downloadable game titled “DeTankWar,” also known as “DeTankZone,” “DeFiTankWar,” or “TankWarsZone.”