North Korean Hackers Exploit Chromium Zero-Day to Target Crypto Institutions


The North Korean threat actor tracked as Citrine Sleet has successfully leveraged a critical zero-day in the Chromium browser to attack cryptocurrency financial institutions. According to Microsoft, the group has targeted several financial institutions and crypto entities by creating fake crypto trading sites that convinced victims to download malicious software. Its main attack tool is the AppleJeus trojan, which is used to steal digital assets.

Exploiting CVE-2024-7971 – A Critical Vulnerability in Chromium

The flaw was a type confusion vulnerability in Chromium’s V8 JavaScript engine, tracked as CVE-2024-7971. The bug allowed attackers to bypass the browser’s security features and execute remote code inside its sandbox, ultimately taking over infected systems. Microsoft detected the zero-day on August 19 and rated it a high-risk weakness, especially for the crypto industry, which has lately become a gold mine for cybercriminals.

Google was quick to respond: on August 21, just two days after the attack was identified, it released a patch. The popular browsers affected include Google Chrome and Microsoft Edge, both desktop browsers built on the Chromium platform.

Deployment of FudModule Rootkit

Beyond exploiting CVE-2024-7971, Citrine Sleet deployed an advanced rootkit component named FudModule, which tampers with Windows security mechanisms and makes the malware even harder to detect and remove. According to Microsoft’s analysis, this rootkit has previously been attributed to Diamond Sleet, another North Korean hacker group, which suggests that advanced cyber tools are shared across North Korean threat actors.

Diamond Sleet’s use of FudModule has been traced back to October 2021, which underscores the longevity of such campaigns and the sustained threat they pose to global financial systems.


Broader Implications: Other North Korean Cyber Operations

This attack on crypto institutions fits into a larger pattern of cyber operations attributed to North Korea. On August 15, a cybersecurity researcher known by the handle ZachXBT uncovered another scheme in which North Korean IT workers impersonated crypto developers, which led to the theft of $1.3 million from one project’s treasury and the compromise of more than 25 crypto projects.

A portion of the siphoned money was laundered through a complex web of transactions that bridged assets from Solana to Ethereum and deposited them into Tornado Cash, one of the most notorious cryptocurrency mixers. From there, the transactions were traced to a network of 21 developers, all connected to North Korean IT workers.

Crypto Sector at Higher Risk

As sophisticated threat actors take advantage of vulnerabilities in commonly used software, the crypto sector, already a frequent target of cyberattacks, will be at increasing risk. Microsoft strongly advises users and organizations to update their systems immediately, use web browsers that carry the latest security updates, and enable active security features such as Microsoft Defender to prevent such threats from spreading.
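The advice above amounts to two checks an administrator can run on each Windows endpoint: are the Chromium-based browsers at or above the patched build, and is Defender real-time protection on? The PowerShell below is an added example, not code from the article or from Microsoft. It assumes the default install paths for Chrome and Edge, and since the article does not state the fixed build number for CVE-2024-7971, `$MinimumVersion` is a placeholder to be set from Google’s release notes.

```powershell
# Added example: inventory Chromium-based browsers and Defender real-time protection.
# PLACEHOLDER: set to the patched build from the vendor advisory (not given in the article).
$MinimumVersion = [version]'0.0.0.0'

# Default install locations (assumption); add paths for other Chromium-based browsers as needed.
$Candidates = @(
    @{ Name = 'Google Chrome';  Path = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe" },
    @{ Name = 'Google Chrome';  Path = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe" },
    @{ Name = 'Microsoft Edge'; Path = "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe" },
    @{ Name = 'Microsoft Edge'; Path = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" }
)

$Report = foreach ($c in $Candidates) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    # ProductVersion of the executable is the browser build, e.g. 128.0.6613.84
    $raw = (Get-Item -LiteralPath $c.Path).VersionInfo.ProductVersion
    $ver = [version]$raw
    [pscustomobject]@{
        Browser = $c.Name
        Version = $raw
        Status  = if ($ver -lt $MinimumVersion) { 'UPDATE REQUIRED' } else { 'OK' }
        Path    = $c.Path
    }
}

if (-not $Report) { Write-Warning 'No Chromium-based browser found at the default paths.' }
$Report | Format-Table -AutoSize

# Defender real-time protection state (cmdlet is part of the Defender module on Windows).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if ($mp.RealTimeProtectionEnabled) {
        Write-Host 'Defender real-time protection: enabled'
    } else {
        Write-Warning 'Defender real-time protection: DISABLED'
    }
} catch {
    Write-Warning "Could not query Defender status: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell session so the Defender query succeeds; any row marked UPDATE REQUIRED is a browser that should be updated before it is used again, and the same version comparison applies to any other Chromium-based browser whose path you add to the list.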

The continued attempts by North Korean hackers to infiltrate and exploit the crypto industry highlight the acute need for close attention to cybersecurity and for international cooperation in combating these sophisticated threats.
