Lazarus Group Leverages Google Chrome Vulnerability to Take Control of Compromised Devices

Oct 24, 2024
Vulnerability / Cyber Attack

The Lazarus Group, a North Korean cyber threat actor, has been linked to the exploitation of a zero-day vulnerability in Google Chrome that let it take control of infected devices. Cybersecurity firm Kaspersky reported the discovery, which stemmed from a new attack chain it identified in May 2024. The attack targeted the personal computer of an unnamed Russian individual and delivered the Manuscrypt backdoor. The zero-day exploit was triggered simply by visiting a counterfeit gaming website, “detankzone[.]com,” which was aimed at cryptocurrency users. The campaign is believed to have begun in February 2024. Kaspersky researchers Boris Larin and Vasily Berdnikov noted that the website masqueraded as a professionally designed page for a decentralized finance (DeFi) NFT-based multiplayer online battle arena (MOBA) tank game, enticing users to download a trial version. The game, however, was merely a façade.

Lazarus Group Exploits Google Chrome Vulnerability to Compromise Targeted Devices

On October 24, 2024, cybersecurity experts revealed that the Lazarus Group, a notorious North Korean cyber threat actor, had exploited a recently patched zero-day vulnerability in Google Chrome to gain control over infected devices. The findings were reported by Kaspersky, which identified the attack chain in May 2024 when it was used against a personal computer owned by an unnamed Russian individual.

The campaign reportedly began in February 2024 and primarily targeted users within the cryptocurrency sector. It leveraged an attacker-controlled website masquerading as a legitimate game platform, “detankzone[.]com.” Kaspersky researchers Boris Larin and Vasily Berdnikov indicated that the site was designed to look like a well-crafted product page for a decentralized finance (DeFi) multiplayer online battle arena game centered on non-fungible tokens (NFTs). Users were enticed to download a trial version of the game, but the download was not what exposed them: the exploit fired as soon as the page loaded.

In MITRE ATT&CK terms this is a drive-by compromise (T1189): simply visiting the malicious site triggered the zero-day exploit, which then deployed the Manuscrypt backdoor. The technique is notable for its subtlety, since it requires no download, click or credential entry by the victim, and once the backdoor is running the attackers have remote access to the compromised system.
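For a defender, the one concrete artifact the report gives is the lure domain. The following is an added example, not code from the article or from Kaspersky, showing how a SOC would hunt for that indicator in DNS and proxy logs: it refangs the published “detankzone[.]com” form, extracts hostnames from a couple of common log formats, and matches the domain and its subdomains without falling for substring look-alikes. The log lines are constructed for the example; the log formats (BIND query log and Squid access log) are assumptions about what the reader has available.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicator as published in the article, in defanged form.
DEFANGED_IOC = "detankzone[.]com"

# Constructed sample log lines (not real traffic): BIND-style DNS query log
# entries and Squid-style proxy access log entries.
SAMPLE_LOGS = [
    "10-Oct-2024 14:02:11.123 client 10.1.2.3#51234: query: detankzone.com IN A + (10.1.2.3)",
    "10-Oct-2024 14:02:12.456 client 10.1.2.3#51234: query: www.detankzone.com IN A + (10.1.2.3)",
    "10-Oct-2024 14:02:13.789 client 10.1.2.9#51240: query: notdetankzone.com IN A + (10.1.2.9)",
    "1728568940.123    210 10.1.2.3 TCP_TUNNEL/200 3921 CONNECT detankzone.com:443 - HIER_DIRECT/203.0.113.10 -",
    "1728568941.000    120 10.1.2.4 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

# Hostname extractors for the assumed log formats, tried in order.
HOST_PATTERNS = [
    re.compile(r"query: (?P<host>[A-Za-z0-9.-]+) IN", re.I),      # BIND query log
    re.compile(r"CONNECT (?P<host>[A-Za-z0-9.-]+):\d+", re.I),    # Squid CONNECT tunnel
    re.compile(r"https?://(?P<host>[A-Za-z0-9.-]+)", re.I),       # URL in a proxy line
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('detankzone[.]com', 'hxxp://') to matchable form."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .strip()
        .lower()
    )


def host_matches(host: str, ioc_domain: str) -> bool:
    """True only for the IOC domain itself or a subdomain of it.

    A plain substring test would also flag 'notdetankzone.com'; anchoring on
    the label boundary avoids that false positive.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def extract_host(line: str) -> Optional[str]:
    """Pull the queried or requested hostname out of a log line, if any."""
    for pattern in HOST_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None


def find_hits(lines: Iterable[str], ioc: str = DEFANGED_IOC) -> List[Tuple[int, str]]:
    """Return (line number, hostname) for every line that touches the IOC domain."""
    domain = refang(ioc)
    hits = []
    for number, line in enumerate(lines, start=1):
        host = extract_host(line)
        if host and host_matches(host, domain):
            hits.append((number, host))
    return hits


if __name__ == "__main__":
    for number, host in find_hits(SAMPLE_LOGS):
        print(f"line {number}: contact with {host}")
```

Run against the constructed sample, lines 1, 2 and 4 are flagged (the apex domain, a subdomain, and a proxy CONNECT to it) while the look-alike `notdetankzone.com` on line 3 is not. In practice you would feed real log exports through `find_hits` and treat any hit from the campaign window (February 2024 onward, per the report) as a host to triage for the Manuscrypt backdoor.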

Lazarus Group is known for strategic targeting, often selecting individuals or sectors that may yield lucrative payoffs. In this case, a cryptocurrency-focused audience was an appealing target because of the high-value wallets and transactions common in that sector.

The technical execution reflects careful planning: a zero-day in a widely used browser, a polished lure site that would not arouse suspicion, and a backdoor installed without any user action beyond loading the page. The website’s façade effectively obscured the malicious intent, allowing the attackers to bypass the scrutiny a potential victim might otherwise apply.

In the wake of such incidents, it is imperative for business owners to stay vigilant about the cybersecurity landscape. Because this exploit required no download or click, prompt patching is the primary control: keeping Chrome and other browsers on auto-update closes the window between a fix being released and a drive-by attack succeeding. Regular employee training on identifying phishing attempts and suspicious websites remains a valuable second line of defense against the lure itself, even though it cannot stop an exploit that fires on page load.

As the cybersecurity threat landscape continues to evolve, maintaining awareness of the tactics employed by groups like Lazarus is essential. Their ability to exploit emerging vulnerabilities underscores the importance of proactive cybersecurity strategies in safeguarding organizational assets and sensitive data.
