On August 19th, 2024, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported a zero-day flaw in Google Chrome within the V8 JavaScript and WebAssembly engine. This find brings the year-to-date total to 10 zero-day vulnerabilities in Google Chrome. The vulnerability, assigned the ID CVE-2024-7971, is a type confusion flaw that can lead to remote code execution. CVE-2024-7971 is already being exploited in the wild, which makes prompt action to protect against it urgent.
Google published an advisory covering the flaw two days after Microsoft's report. Five days after the vendor advisory, the vulnerability was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. NIST's National Vulnerability Database (NVD) included it in its catalog on the day of its publication.
The Vulnerability
This zero-day flaw is classified as high severity, with a CVSS v3 score of 8.8. Together with CVE-2024-4947 and CVE-2024-5274, it is the third actively exploited type confusion bug that has been found and patched in V8. Type confusion flaws allow attackers to run malicious code on a victim's machine, which may result in malware installation, unauthorized access, or data theft.
Successful exploitation requires user interaction. A remote attacker can use a crafted HTML page to trigger heap corruption, leading to remote code execution inside the sandboxed Chromium renderer process. To mitigate the threat, users are advised to upgrade to version 128.0.6613.84 or higher.
Because Google Chrome updates itself automatically when security patches are released, Google has not published additional details on the attacks exploiting the vulnerability and is keeping the bug links restricted until most users have received the fix. The bug bounty for the Microsoft Threat Intelligence Center (MSTIC) report has yet to be determined.
Nonetheless, users who want to speed up protection can trigger the update manually from the Chrome menu and relaunch the browser once the security patch is installed. Additionally, extra security measures such as network segmentation and sandboxing reduce the risk posed by this and other vulnerabilities.
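As an added check that is not part of the original advisory, the following Python compares installed Chrome version strings against the fixed build 128.0.6613.84 named above, comparing each dotted field numerically rather than as text; the host inventory it triages is a constructed sample, and collecting real version strings from endpoints is assumed to be handled by the reader's own tooling.

```python
from typing import Tuple

# Fixed build named in the advisory for CVE-2024-7971.
FIXED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version ('128.0.6613.84') into a tuple of ints.

    Chrome versions have four numeric fields (major.minor.build.patch).
    Anything else raises ValueError, so a garbled inventory entry is
    reported instead of being silently treated as an old build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is at or above the fixed build.

    Comparing tuples of ints avoids the lexicographic trap where the text
    '128.0.6613.9' sorts after '128.0.6613.84' although it is older.
    """
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' / 'vulnerable' / 'unparseable' for an
    inventory of {host: version_string} collected from endpoints."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "128.0.6613.84",   # exactly the fixed build
    "ws-02": "128.0.6613.9",    # older patch level; a string compare would pass it
    "ws-03": "127.0.6533.120",  # previous major release
    "ws-04": "129.0.6668.58",   # newer release
    "ws-05": "unknown",         # agent could not read the version
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```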
The Attacks
Microsoft discovered a threat actor exploiting a vulnerability in Chromium two days before Google published it and assigned a CVE ID. Exploitation of CVE-2024-7971 can be described as an "exploit chain" in which multiple components must work together to compromise a target; if any one component is unavailable, the entire chain fails.
The exploitation can be traced to Citrine Sleet, a North Korean hacking group. The exploit was used to deploy the FudModule rootkit, with a Windows kernel exploit (CVE-2024-38106) used to gain SYSTEM privileges. After the FudModule rootkit was loaded into memory, kernel tampering and direct kernel object manipulation (DKOM) were performed to bypass kernel security mechanisms. Citrine Sleet usually targets organizations in the cryptocurrency, gaming, and exchange sectors for financial gain, and that was the case for CVE-2024-7971 as well. One of the companies targeted by this exploit had previously been attacked by Sapphire Sleet (also known as BlueNoroff), another North Korean threat actor.
Beyond patching, defending against zero-day exploits requires security solutions with unified visibility across the attack chain, so that malicious behavior and post-compromise attacker tools can be identified and stopped even after initial exploitation has succeeded.