Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT37's Latest Supply Chain Attack: Unveiling the Web of Deceit




In a recent attack, North Korea-linked APT37 exploited an Internet Explorer zero-day vulnerability in a supply chain attack, compromising the online advertising agency behind the Toast ad program. This breach serves as a stark reminder of the ever-evolving landscape of cyber threats and highlights the importance of vigilance in the face of emerging vulnerabilities.

  • A North Korea-linked group, APT37 (RedEyes, TA-RedAnt, Reaper, ScarCruft, and Group123), exploited a recent Internet Explorer zero-day vulnerability in a supply chain attack.
  • The vulnerability, CVE-2024-38178, has a CVSS score of 7.5 and can lead to arbitrary code execution due to a scripting engine memory corruption issue.
  • APT37 targeted a Korean online advertising agency server by injecting vulnerability code into ad content scripts, resulting in a zero-click attack that required no user interaction.
  • Experts emphasize the importance of organizations and users remaining vigilant and updating their systems with the latest security patches despite Microsoft's official end of support for Internet Explorer.
  • APT37's extensive track record includes targeted attacks against government, defense, military, and media organizations in South Korea, dating back to at least 2012.



    A North Korea-linked group, APT37 (also known as RedEyes, TA-RedAnt, Reaper, ScarCruft, and Group123), has successfully exploited a recent Internet Explorer zero-day vulnerability in a supply chain attack. The breach, which has drawn significant attention from security professionals, serves as a stark reminder of the ever-evolving landscape of cyber threats.

    According to reports published by threat intelligence firm AhnLab and South Korea's National Cyber Security Center (NCSC), APT37 exploited CVE-2024-38178, an Internet Explorer zero-day vulnerability with a CVSS score of 7.5. The flaw is a scripting engine memory corruption issue that can lead to arbitrary code execution. In its published description, exploitation requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution.

    AhnLab's research details APT37's role in the supply chain attack, which targeted the server of a Korean online advertising agency. APT37 injected exploit code into the ad content scripts served from that server, producing a zero-click attack that required no user interaction whatsoever: the malicious payload was automatically downloaded and rendered by the Toast ad program, which relied on an outdated IE-based WebView, giving the attackers initial access through the supply chain.

    Although Microsoft officially ended support for Internet Explorer in June 2022, the vulnerability still affected certain Windows applications that embed IE components. Researchers therefore emphasize the importance of organizations and users remaining vigilant and updating their systems with the latest security patches.

    The root cause of the vulnerability is the incorrect handling of a data type during the optimization process of IE's JavaScript engine (jscript9.dll), which allows type confusion to occur. APT37 exploited this flaw to deliver malware to victims' desktops through the installed Toast ad program. Once a system was infected, the attackers could carry out multiple malicious activities, such as executing remote commands.
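    As an added defensive check (not from the article, AhnLab, or NCSC), the PowerShell below lists which running processes have the legacy IE script engine (jscript9.dll) or HTML engine (mshtml.dll) loaded, which is how an application embedding an IE-based WebView, as the Toast ad program did, shows up on a host. The list of processes where these modules are expected is an assumption; run it from an elevated prompt with the same bitness as the processes of interest.

```powershell
# Added example, not part of the original article.
# Flag processes that have loaded the legacy Internet Explorer engines.
$legacyEngines = @('jscript9.dll', 'mshtml.dll')
# Assumption: processes in which IE components are expected and not a finding.
$expectedHosts = @('iexplore', 'msedge')

$findings = foreach ($proc in Get-Process) {
    try {
        # Module enumeration throws for protected processes or bitness mismatches;
        # skip those rather than reporting them as clean.
        $modules = $proc.Modules
    } catch {
        Write-Verbose "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $_"
        continue
    }
    foreach ($mod in $modules) {
        if ($legacyEngines -contains $mod.ModuleName.ToLower()) {
            [pscustomobject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                Module     = $mod.ModuleName
                Version    = $mod.FileVersionInfo.FileVersion
                Path       = $mod.FileName
                Unexpected = ($expectedHosts -notcontains $proc.ProcessName.ToLower())
            }
        }
    }
}

# Unexpected hosts first: these are the applications still rendering content with IE.
$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

    Any process marked Unexpected is a candidate for patching, replacement of its embedded WebView, or removal; the Version column shows whether the loaded jscript9.dll predates the fix.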

    This breach is particularly noteworthy given APT37's extensive track record of targeted attacks against government, defense, military, and media organizations in South Korea. The group has been active since at least 2012 and gained prominence in February 2018 after leveraging a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

    In December 2022, APT37 actively exploited another Internet Explorer zero-day vulnerability (CVE-2022-41128) in attacks aimed at South Korean users. This zero-day vulnerability was discovered by Google Threat Analysis Group researchers in late October 2022 and was exploited by APT37 using specially crafted documents.

    The involvement of North Korea as the originator of this threat actor has long been established, with FireEye researchers first linking APT37 to the North Korean government in February 2018 based on clues including the use of a North Korean IP address, malware compilation timestamps consistent with a developer operating in the North Korea timezone, and objectives aligning with Pyongyang's interests.

    The attack conducted by APT37 not only highlights the threat posed by state-sponsored actors but also underscores the importance of vigilance in the face of emerging vulnerabilities. As security professionals continue to navigate this complex web of threats, it is crucial that organizations prioritize proactive measures to protect themselves against such supply chain attacks.



    Related Information:

  • https://securityaffairs.com/169983/apt/north-korea-apt37-ie-zero-day.html
  • https://nvd.nist.gov/vuln/detail/CVE-2024-38178
  • https://www.cvedetails.com/cve/CVE-2024-38178/
  • https://nvd.nist.gov/vuln/detail/CVE-2022-41128
  • https://www.cvedetails.com/cve/CVE-2022-41128/
  • https://asec.ahnlab.com/en/83877/
  • https://gigazine.net/gsc_news/en/20241018-internet-explorer-zero-day-malware
  • https://attack.mitre.org/groups/G0067/
  • https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/


    Published: Sat Oct 19 09:59:36 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.