Chrome Zero-Day Exploited by North Korean Hackers to Launch Rootkit
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities and campaigns that posed a threat to organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.
1. Chrome Zero-Day Exploited by North Korean Hackers to Launch Rootkit
North Korean hackers, tracked by Microsoft as Citrine Sleet, exploited a Google Chrome zero-day (CVE-2024-7971) that was patched on 21 August 2024, chaining it with a Windows kernel flaw (CVE-2024-38106) to gain SYSTEM privileges and deploy the FudModule rootkit. According to researchers, this threat actor targets the cryptocurrency sector for financial gain, using techniques such as counterfeit websites that mimic legitimate trading platforms and the distribution of fake job applications or weaponized cryptocurrency wallets. The FudModule rootkit, shared by Citrine Sleet and another North Korean group, Diamond Sleet, performs kernel tampering and direct kernel object manipulation (DKOM), letting the attackers disable security mechanisms from kernel mode.
Citrine Sleet, linked to North Korea’s Bureau 121, relies on social engineering and extensive reconnaissance to compromise key individuals and organizations in the cryptocurrency sector. CVE-2024-7971 is a type confusion flaw in Chrome’s V8 JavaScript engine; visiting an attacker-controlled page gives remote code execution inside the sandboxed Chromium renderer process. To get out of the sandbox, the attackers then escalated privileges with CVE-2024-38106, a Windows kernel elevation-of-privilege flaw, which gave them the SYSTEM access needed to load the rootkit.
Recommendations: update Google Chrome to version 128.0.6613.84 or later and Microsoft Edge to version 128.0.2739.42 or later; keep operating systems and applications patched, in particular apply Microsoft’s August 2024 security update that fixes CVE-2024-38106, since without the kernel escalation the chain stops inside the renderer sandbox; and use security tooling that provides unified visibility across the attack chain so that malicious activity is detected and blocked even after the initial compromise. Both patches matter: the browser update closes the entry point and the Windows update closes the escalation.
2. Voldemort Malware Exploits Google Sheets for Espionage in Sophisticated Attack
Cybersecurity researchers have identified a new malware campaign that uses Google Sheets as a command-and-control (C2) channel, targeting over 70 organizations worldwide in sectors including insurance, finance, healthcare and government. The attackers impersonate tax authorities in Europe, Asia and the U.S., and use a custom backdoor named Voldemort to collect data and deploy additional payloads.
The phishing emails mimic national tax authorities and lead victims, via Google AMP Cache URLs, to malicious landing pages hosted on InfinityFree. If the page is opened from a Windows browser, the victim is redirected to a search-ms: URI, which opens a Windows Explorer search view showing a LNK (or ZIP) file disguised as a PDF and actually served from an attacker-controlled WebDAV/SMB share. Opening the file executes a Python script that profiles the victim’s system while displaying a decoy PDF. The script then downloads a legitimate Cisco WebEx executable together with a malicious DLL, and Voldemort is loaded through DLL side-loading.
Voldemort, a C-based backdoor, uses Google Sheets as its C2 channel: it writes stolen data into specific spreadsheet cells and reads commands back through Google’s API, which makes the channel resilient and hard to block. Because Google Sheets is already in use in most enterprise environments, the C2 traffic blends in with legitimate traffic.
To counter this threat, organizations should strengthen email security with advanced filtering to block the phishing emails, monitor network traffic for unexpected processes connecting to cloud services such as the Google Sheets API, and restrict the execution of macros and scripts and the use of protocol handlers such as search-ms: that malware can abuse. Disabling the search-ms handler and blocking outbound SMB and WebDAV to the internet breaks this chain at the delivery stage, before the LNK is ever shown to the user.
3. New Cicada Ransomware Variant Targets Linux-Based VMware ESXi Servers
A ransomware-as-a-service (RaaS) operation is borrowing the name of the Cicada 3301 internet puzzle, with 19 victims listed on its extortion site. The Cicada3301 ransomware emerged in June 2024 and primarily targets small and medium-sized businesses (SMBs). Written in Rust, it ships in both Windows and Linux/ESXi builds, making it highly versatile.
Cicada3301 uses techniques similar to BlackCat/ALPHV: ChaCha20 for file encryption, and built-in Windows utilities such as fsutil, IISReset.exe and wevtutil to disrupt recovery and erase traces of its activity (IISReset stops IIS so that open web content can be encrypted; wevtutil clears event logs). It uses PsExec for remote command execution and terminates processes related to backup and recovery, hindering data restoration. The ransomware targets 35 file extensions, including sql, doc, xls and pdf, to encrypt valuable enterprise data.
In addition, affiliates have been seen using EDRSandBlast, a tool that abuses vulnerable signed drivers (a bring-your-own-vulnerable-driver technique previously used by BlackByte) to blind endpoint detection and response (EDR) systems.
To mitigate the threat, it is critical to regularly update systems and software to patch vulnerabilities, utilize advanced endpoint protection solutions to detect and block ransomware behaviors, and maintain frequent backups of critical data while testing recovery processes to ensure effectiveness against ransomware attacks. Immediate implementation of these measures is recommended to defend against this evolving threat.
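The recovery-disruption commands named above are individually common administrative actions, so a useful detection scores their co-occurrence on one host rather than alerting on any single command. The following is an added example (not code from this advisory or from the ransomware analyses it summarises) that applies such rules to process-creation records. The record layout is a simplified Sysmon Event ID 1 shape and the events are constructed; the advisory names fsutil but not its subcommand, so the two fsutil patterns are an assumption based on BlackCat-lineage behaviour, and the backup process names in the kill rule are illustrative.

```python
"""Triage of process-creation events for the recovery-disruption commands the
advisory attributes to Cicada3301 (wevtutil, fsutil, IISReset.exe, PsExec and
killing backup processes).  Added example, not code from the advisory; the
records below are constructed and use a simplified Sysmon Event ID 1 layout."""
import re
from collections import defaultdict

# (rule name, pattern matched against the lowercased command line and image path, weight).
# Most of these are legitimate admin commands on their own; several of them on one
# host inside a short window is the pre-encryption pattern worth paging on.
RULES = [
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\b.*\bcl\b"), 3),
    # The advisory names fsutil but not the subcommand; both patterns below are the
    # fsutil uses seen in BlackCat-lineage ransomware (assumption, not from the page).
    ("fsutil_tampering",
     re.compile(r"\bfsutil(\.exe)?\b.*\b(usn\s+deletejournal|behavior\s+set\s+symlinkevaluation)\b"), 3),
    ("iis_stopped",
     re.compile(r"\biisreset(\.exe)?\b.*/stop"), 2),
    # PsExec on the target shows up as PSEXESVC.exe; on the source as psexec.exe.
    ("psexec_remote_exec",
     re.compile(r"\bpsexe(c|svc)(\.exe)?\b"), 2),
    # Backup/recovery process termination when done through the shell rather than
    # the ransomware's own kill routine (heuristic; product names are illustrative).
    ("backup_process_kill",
     re.compile(r"(\btaskkill(\.exe)?\b.*/im\s+|\bnet1?(\.exe)?\s+stop\s+)\S*(veeam|backup|sql|vss)"), 2),
]


def match_rules(event):
    """Return [(rule_name, weight)] for every rule the event's command line or image hits."""
    haystacks = (event["cmd"].lower(), event["image"].lower())
    return [(name, weight) for name, pattern, weight in RULES
            if any(pattern.search(h) for h in haystacks)]


def score_hosts(events, window_s=600, threshold=5):
    """Sum the weights of *distinct* rules hit per host inside any window_s-second
    span; return {host: {"score": n, "rules": [...]}} for hosts at or above threshold."""
    hits = defaultdict(list)                       # host -> [(ts, rule, weight)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, weight in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], name, weight))
    alerts = {}
    for host, host_hits in hits.items():
        best_score, best_rules = 0, set()
        for start_ts, _, _ in host_hits:           # slide the window over each hit
            in_window = {rule: w for ts, rule, w in host_hits
                         if start_ts <= ts <= start_ts + window_s}
            score = sum(in_window.values())        # repeated rules count once
            if score > best_score:
                best_score, best_rules = score, set(in_window)
        if best_score >= threshold:
            alerts[host] = {"score": best_score, "rules": sorted(best_rules)}
    return alerts


# Constructed sample: FS01 shows the full chain, WEB03 a lone IIS restart during a
# deployment, WS17 ordinary user activity.
SAMPLE_EVENTS = [
    {"ts": 1725264000, "host": "FS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl System"},
    {"ts": 1725264005, "host": "FS01", "image": r"C:\Windows\System32\fsutil.exe",
     "cmd": "fsutil behavior set SymlinkEvaluation R2L:1"},
    {"ts": 1725264010, "host": "FS01", "image": r"C:\Windows\System32\iisreset.exe",
     "cmd": "iisreset.exe /stop"},
    {"ts": 1725264020, "host": "FS01", "image": r"C:\Windows\PSEXESVC.exe",
     "cmd": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 1725264030, "host": "FS01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill /F /IM Veeam.Backup.Service.exe"},
    {"ts": 1725260000, "host": "WEB03", "image": r"C:\Windows\System32\iisreset.exe",
     "cmd": "iisreset.exe /stop"},
    {"ts": 1725264000, "host": "WS17", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for host, alert in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={alert['score']} rules={', '.join(alert['rules'])}")
```

The window and threshold are tuning knobs: a lone IISReset during a deployment scores 2 and stays below the threshold, while the clear-logs, tamper-filesystem, stop-IIS, PsExec and kill-backup sequence on FS01 scores 12. Feed it real Sysmon or EDR process events in the same shape and adjust the backup product names to what your estate actually runs.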
4. Malware Disguised as Palo Alto GlobalProtect VPN Targets Middle Eastern Users
Cybersecurity researchers have uncovered a sophisticated malware campaign targeting users in the Middle East by masquerading as the Palo Alto Networks GlobalProtect VPN tool. The malware executes remote PowerShell commands, exfiltrates data, encrypts communications, and evades detection by mimicking legitimate VPN traffic.
The campaign operates in two stages, beginning with a setup.exe dropper that installs the primary backdoor, GlobalProtect.exe. Once deployed, the backdoor communicates with a command-and-control (C2) server, signalling the attackers and exfiltrating system details such as IP address, operating system, username and machine name, which it stages in the configuration files RTime.conf and ApProcessId.conf. Its evasion techniques include the setup.exe binary checking for specific file paths before it runs (an anti-analysis check) and beaconing through Interactsh, an open-source out-of-band interaction server normally used by penetration testers, so the callbacks look like routine DNS and HTTP requests. The C2 server’s URL is crafted to resemble the legitimate VPN portal of a company in Sharjah, U.A.E., so that the malware’s traffic blends in with normal network activity.
To defend against this threat, educate users on phishing risks and verify the authenticity of software downloads, especially for security tools such as VPN clients: install them only from the vendor’s own distribution channel and check the publisher signature on the installer. Implement advanced endpoint protection that can detect and mitigate remote PowerShell command execution and similar post-compromise activity. Segment critical network assets to limit lateral movement, and continuously monitor network traffic for unusual activity, particularly connections to unfamiliar VPN portals or C2 servers. Keeping software up to date and restricting access to unnecessary services further reduces the attack surface.
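Both the Voldemort campaign (item 2) and the fake GlobalProtect backdoor above hide their C2 in traffic that looks legitimate: a Google Sheets API session, Interactsh callbacks and a lookalike VPN portal. The common detection handle is process context plus destination: which image made the connection, where it runs from, and whether the destination is one the organisation actually uses. The block below is an added example (not code from this advisory or from the researchers’ reports) that applies those checks to network-connection and DNS records in a simplified Sysmon shape (Event ID 3 and Event ID 22). All hostnames, paths and events are constructed; the Interactsh domain list is taken from the Interactsh project’s default public servers rather than from this page, and the browser allowlist and known VPN hostnames are placeholders to replace with your own.

```python
"""Detection of C2 hiding in legitimate-looking traffic: Voldemort's use of the
Google Sheets API, and the fake-GlobalProtect backdoor's Interactsh beacons and
VPN-portal-lookalike C2 host.  Added example, not code from the advisory or the
researchers' reports; the records are constructed and use a simplified Sysmon
layout (Event ID 3 network connection, Event ID 22 DNS query)."""

# Processes expected to talk to Google Sheets/Docs.  Extend with any sanctioned
# desktop integrations; anything else reaching these hosts deserves a look.
SHEETS_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}
# Default public Interactsh server domains (assumption: taken from the Interactsh
# project's defaults, not from the advisory).  A self-hosted server needs adding.
INTERACTSH_DOMAINS = ("oast.fun", "oast.live", "oast.me", "oast.online", "oast.pro", "oast.site")
# The organisation's real VPN portal hostnames (constructed for this example).
KNOWN_VPN_HOSTS = {"vpn.example.com"}
# Directories a standard user can write to: a binary running from here is unsigned
# or at least unmanaged far more often than one under Program Files.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_domains(fqdn, domains):
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in domains)


def triage(event):
    """Return the list of detection names an event triggers (empty if benign)."""
    findings = []
    path = event["image"].lower()
    from_user_dir = any(seg in path for seg in USER_WRITABLE_DIRS)
    if event["type"] == "net":
        dest = event["dest"].lower()
        if dest in SHEETS_HOSTS and image_name(path) not in SHEETS_ALLOWED_IMAGES:
            findings.append("sheets_api_from_non_browser")
        # A host that *looks like* a VPN portal but is not one of ours.
        if any(tok in dest for tok in ("vpn", "globalprotect")) and dest not in KNOWN_VPN_HOSTS:
            findings.append("vpn_portal_lookalike")
        if from_user_dir and event["port"] in (80, 443):
            findings.append("web_egress_from_user_writable_path")
    elif event["type"] == "dns":
        if in_domains(event["query"], INTERACTSH_DOMAINS):
            findings.append("interactsh_beacon")
    return findings


def triage_all(events):
    """Run triage over a batch and keep only the events that produced findings."""
    return [{"host": e["host"], "image": image_name(e["image"]), "findings": f}
            for e in events if (f := triage(e))]


# Constructed sample events.  The side-loading host process name and the
# GlobalProtect client path are illustrative, not taken from the advisory.
SAMPLE_EVENTS = [
    {"type": "net", "host": "WS17", "port": 443, "dest": "sheets.googleapis.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "net", "host": "WS17", "port": 443, "dest": "sheets.googleapis.com",
     "image": r"C:\Users\a\AppData\Local\Temp\CiscoCollabHost.exe"},
    {"type": "dns", "host": "WS22", "query": "c7x1k2.oast.fun",
     "image": r"C:\Users\b\Downloads\GlobalProtect.exe"},
    {"type": "net", "host": "WS22", "port": 443, "dest": "vpn-example.example",
     "image": r"C:\Users\b\Downloads\GlobalProtect.exe"},
    {"type": "net", "host": "WS05", "port": 443, "dest": "vpn.example.com",
     "image": r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"},
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['image']}: {', '.join(hit['findings'])}")
```

The benign cases are the point: Chrome reaching the Sheets API and the real VPN client reaching the real portal produce nothing, while the same destinations reached from a binary under Temp or Downloads, or a DNS query into an Interactsh domain, do. In production the allowlists come from your software inventory and VPN configuration, not from constants.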
5. Veeam Patches 18 Vulnerabilities, Including 5 Critical Flaws
Veeam has released security updates addressing 18 vulnerabilities across its products, including five critical flaws that could lead to remote code execution and 13 high-severity issues involving privilege escalation and MFA bypass. The critical vulnerabilities are CVE-2024-40711 in Veeam Backup & Replication, which allows unauthenticated remote code execution; CVE-2024-42024 in Veeam ONE, which enables remote code execution for an attacker holding the Agent service account credentials; CVE-2024-42019 in Veeam ONE, which exposes the NTLM hash of the Veeam Reporter Service account; CVE-2024-38650 in Veeam Service Provider Console (VSPC), which lets an attacker retrieve the service account’s NTLM hash; and CVE-2024-39714 in VSPC, which lets low-privileged users upload arbitrary files, leading to remote code execution.
The fixed releases are Veeam Backup & Replication 12.2, Veeam Agent for Linux 6.2, Veeam ONE 12.2, Veeam Service Provider Console 8.1, Veeam Backup for Nutanix AHV Plug-In 12.6.0.632, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.5.0.299; earlier builds of each product remain vulnerable.
It is crucial to update all affected Veeam products to the latest patched versions, regularly review and apply security patches promptly, and enable additional monitoring to detect any suspicious activities involving privilege escalation or unauthorized access. Immediate action is recommended to prevent exploitation of these vulnerabilities.
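Two items this week reduce to a concrete patch floor: Chrome 128.0.6613.84 and Edge 128.0.2739.42 (item 1) and Veeam Backup & Replication 12.2 (item 5). Checking an inventory against those floors is where a common bug creeps in: four-component versions compared as strings put 128.0.2739.9 ahead of 128.0.2739.42. The block below is an added example (not code from this advisory or from Google, Microsoft or Veeam) that does the comparison numerically over a constructed inventory export. The Veeam floor uses the full build number 12.2.0.334 from Veeam’s own advisory (KB4649), which this page gives only as 12.2; treat that build number as an assumption to verify against the vendor advisory, and the inventory rows and hostnames as constructed.

```python
"""Patch-compliance check for the minimum fixed versions named in this week's
advisory: Chrome 128.0.6613.84 and Edge 128.0.2739.42 (CVE-2024-7971) and Veeam
Backup & Replication 12.2.  Added example, not from the advisory or the vendors;
the inventory is constructed.  The Veeam threshold uses the full build number
12.2.0.334 from Veeam's advisory KB4649 (assumption; the page says only 12.2)."""
import csv
import io

MINIMUM_FIXED = {
    "Google Chrome": "128.0.6613.84",              # from the advisory
    "Microsoft Edge": "128.0.2739.42",             # from the advisory
    "Veeam Backup & Replication": "12.2.0.334",    # assumption, see docstring
}


def parse_version(text):
    """'12.2' -> (12, 2).  A non-numeric component raises, which an audit should not hide."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(product, installed):
    """Numeric, component-wise comparison padded to equal length, so that
    128.0.2739.9 < 128.0.2739.42 and 12.2 compares as 12.2.0.0."""
    have, need = parse_version(installed), parse_version(MINIMUM_FIXED[product])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def naive_is_patched(product, installed):
    """The bug this example exists to avoid: plain string comparison."""
    return installed >= MINIMUM_FIXED[product]


def audit(inventory_csv):
    """Return [(hostname, product, installed, required)] for every non-compliant row;
    rows for products the advisory does not cover are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"]
        if product in MINIMUM_FIXED and not is_patched(product, row["version"]):
            findings.append((row["hostname"], product, row["version"], MINIMUM_FIXED[product]))
    return findings


# Constructed inventory export in the shape most software-inventory tools can produce.
SAMPLE_INVENTORY = """\
hostname,product,version
WS17,Google Chrome,128.0.6613.84
WS18,Google Chrome,127.0.6533.120
WS18,Microsoft Edge,128.0.2739.42
WS19,Microsoft Edge,128.0.2739.9
BK01,Veeam Backup & Replication,12.2.0.334
BK02,Veeam Backup & Replication,12.1.2.172
BK02,7-Zip,23.01
"""

if __name__ == "__main__":
    for hostname, product, installed, required in audit(SAMPLE_INVENTORY):
        print(f"{hostname}: {product} {installed} < {required}")
```

WS19 is the row that a string comparison would wrongly pass; the numeric check flags it along with the outdated Chrome on WS18 and the pre-12.2 Veeam server on BK02. Products not named in the advisory pass through untouched, so the same inventory can be re-run against next week’s floors by editing the table only.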
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.