North Korean Threat Actor Citrine Sleet Exploits Chromium Zero-Day Vulnerability
Introduction
On August 30, 2024, Microsoft identified a North Korean threat actor, Citrine Sleet, actively exploiting a zero-day vulnerability in the Chromium engine, designated as CVE-2024-7971. This exploitation, aimed at the cryptocurrency sector, involved remote code execution (RCE) techniques. Microsoft attributes this activity with medium confidence to Citrine Sleet, a group known for targeting financial institutions, particularly within the cryptocurrency industry, for monetary gain.
Report Overview
Citrine Sleet, a North Korean threat actor tracked by Microsoft, has been involved in various cyber operations targeting the financial sector. The group is notorious for its sophisticated social engineering tactics, often creating fake websites mimicking legitimate cryptocurrency trading platforms. These platforms are then used to distribute malicious software disguised as legitimate applications to seize control of cryptocurrency assets. Microsoft’s ongoing analysis suggests a link between Citrine Sleet and another North Korean threat actor, Diamond Sleet, indicating shared use of the FudModule rootkit.
CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, affecting Chromium versions before 128.0.6613.84. The vulnerability allows threat actors to execute code remotely within the sandboxed Chromium renderer process. Citrine Sleet exploited this vulnerability by directing targets to an attacker-controlled exploit domain, voyagorclub[.]space. Once a target connected, the RCE exploit for CVE-2024-7971 was delivered, followed by the download and execution of shellcode containing a Windows sandbox escape exploit and the FudModule rootkit.
The sandbox escape leveraged CVE-2024-38106, a vulnerability in the Windows kernel. This allowed the rootkit to execute in memory, employing direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms. The attack chain was sophisticated, chaining multiple zero-day vulnerabilities to gain and maintain control over the targeted systems.
The exploitation of CVE-2024-7971 by Citrine Sleet poses a significant threat to financial institutions, particularly those involved in cryptocurrency transactions. The potential consequences include unauthorized access to cryptocurrency assets, economic loss, and the compromise of sensitive financial data. The use of the FudModule rootkit, which allows deep kernel-level manipulation, further increases the difficulty of detection and remediation, making the attack particularly dangerous for affected organizations.
Insights and Analysis
Microsoft’s analysis indicates that Citrine Sleet is likely to continue targeting vulnerabilities within cryptocurrency technology firms and exchanges, aligning with the broader objectives of North Korean state-sponsored cyber operations. The use of shared infrastructure and tools between Citrine Sleet and Diamond Sleet suggests a coordinated effort within the North Korean cyber apparatus to maximize the impact of these operations.
To mitigate the threat posed by Citrine Sleet, Microsoft recommends the following actions:
- Ensure all systems are updated with the latest security patches, particularly Chromium and Windows.
- Implement robust endpoint detection and response (EDR) solutions to detect and block malicious activities post-compromise.
- Enable tamper protection and network protection within Microsoft Defender for Endpoint.
- Strengthen configuration settings to limit exposure to vulnerabilities and enhance overall security posture.
The exploitation of CVE-2024-7971 by Citrine Sleet underscores the persistent threat posed by state-sponsored cyber actors targeting the financial sector. Organizations involved in cryptocurrency should remain vigilant, ensure systems are updated, and employ advanced security solutions to detect and mitigate such sophisticated attacks. The continued collaboration between cybersecurity vendors and threat intelligence teams is crucial in addressing and preventing the evolving tactics employed by threat actors like Citrine Sleet.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| voyagorclub[.]space | Domain | Domain used by Citrine Sleet to deliver the RCE exploit for CVE-2024-7971. |
| weinsteinfrog[.]com | Domain | Domain associated with Citrine Sleet activity observed during the exploitation of CVE-2024-7971. |
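As an added example (not code from the Microsoft report), the two IOC domains and the fixed Chromium version above can drive a simple proxy-log triage: refang the defanged domains, flag hosts that match them or their subdomains, and flag clients whose Chrome/Edge build predates 128.0.6613.84. The log format and the sample lines are constructed for this example; reduced user agents such as Chrome/128.0.0.0 hide the build number and are reported as undecidable rather than as unpatched.

```python
import re
# Defanged indicators from the report, refanged at runtime ("[.]" -> ".").
DEFANGED_IOC_DOMAINS = ["voyagorclub[.]space", "weinsteinfrog[.]com"]
# First Chromium release that ships the fix for CVE-2024-7971 (per the report).
FIXED_CHROMIUM_VERSION = (128, 0, 6613, 84)

# Constructed sample proxy log lines: <client_ip> <host> "<user_agent>". Not real traffic.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 voyagorclub.space "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0.6533.120 Safari/537.36"',
    '10.0.0.7 example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0.6613.84 Safari/537.36"',
    '10.0.0.9 cdn.weinsteinfrog.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0.0.0 Safari/537.36"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

def chromium_version(user_agent):
    """Return the Chrome/<a.b.c.d> token as an int tuple, or None if absent (Edge carries it too)."""
    m = re.search(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)", user_agent)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_chromium(user_agent):
    """True/False when decidable; None when a reduced UA (x.0.0.0) hides the build number."""
    v = chromium_version(user_agent)
    if v is None:
        return None
    if v[2] == 0 and v[3] == 0 and v[0] == FIXED_CHROMIUM_VERSION[0]:
        return None  # reduced UA on the fixed major: cannot tell pre- from post-fix builds
    return v < FIXED_CHROMIUM_VERSION

def host_matches_ioc(host, ioc_domains):
    """Exact or subdomain match against refanged IOC domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def scan_proxy_log(lines, defanged_iocs=DEFANGED_IOC_DOMAINS):
    """Return (client_ip, host, reasons) for each line worth an analyst's attention."""
    iocs = [d.replace("[.]", ".").lower() for d in defanged_iocs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, host, ua = m.groups()
        reasons = []
        if host_matches_ioc(host, iocs):
            reasons.append("ioc-domain")
        if is_vulnerable_chromium(ua):
            reasons.append("unpatched-chromium")
        if reasons:
            findings.append((ip, host, tuple(reasons)))
    return findings
```

A hit on an IOC domain warrants investigation regardless of browser version, since the sandbox escape and rootkit follow the initial RCE; the version flag alone only identifies hosts still exposed to CVE-2024-7971.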
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Exploitation for Client Execution | T1203 | Citrine Sleet used CVE-2024-7971 to execute code within the Chromium renderer process. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | The attack included a sandbox escape (CVE-2024-38106) to gain higher privileges. |
| Defense Evasion | Rootkit | T1014 | FudModule rootkit used to manipulate kernel security mechanisms and evade detection. |
| Defense Evasion | Exploitation for Defense Evasion | T1211 | Exploitation of vulnerabilities to bypass security features and remain undetected. |
| Initial Access | Drive-by Compromise | T1189 | Victims were directed to a malicious domain where the exploit was delivered. |