A North Korean hacker group called Citrine Sleet has been using an undisclosed vulnerability in Google's Chrome browser to pilfer cryptocurrency. According to Microsoft's cybersecurity team, these breaches, which commenced on August 19, have been aimed at financial institutions and cryptocurrency-related targets.
Issue in Chromium Core Engine
The uncovered flaw resides in the core engine of Chromium, the framework behind browsers like Chrome and Microsoft Edge. The zero-day vulnerability, initially undetected by Google, was exploited by the hackers until Google issued a patch on August 21, spokesperson Scott Westover told TechCrunch.
The group combines social engineering with custom malware. Microsoft says the group creates counterfeit websites resembling genuine cryptocurrency trading platforms to bait victims. Once these sites are accessed, another vulnerability in the Windows kernel is exploited to deploy a rootkit, providing extensive system access.
Malware and Data Extraction
The rootkit ensures ongoing access to the compromised machines, complicating detection and removal processes. Citrine Sleet employs custom trojan malware dubbed AppleJeus to extract information necessary for taking control of cryptocurrency assets. The malware is often disguised within fake job applications or tainted cryptocurrency wallets and trading applications.
As per the United Nations Security Council, North Korea has illicitly obtained $3 billion in cryptocurrency from 2017 to 2023. Facing stringent international sanctions, the regime resorts to cyber theft to support its nuclear weapons project. The Chrome zero-day exploitation underscores the persistent risks posed by state-sponsored hacking entities to global financial stability and the cryptocurrency sector.
Microsoft's Actions
Microsoft has informed impacted customers but has not revealed the number of entities targeted or compromised. The report highlights the necessity for enhanced threat detection systems, given that traditional antivirus programs may not detect the rootkit used in these breaches.
Google quickly addressed the zero-day vulnerability by issuing a patch on August 21. The quick response highlights the critical importance of applying security patches promptly to maintain robust cybersecurity.