North Korea: Stealing Crypto Through Zero-Day
By Shane Zuls on October 25, 2024
Executive Summary
On Wednesday, October 23, 2024, the Russian cybersecurity company Kaspersky published an update on a North Korean APT group nicknamed ‘Lazarus’, which has been accused of using a Google Chrome zero-day exploit to steal cryptocurrency through a malicious website [4]. According to Kaspersky, since February of this year the trojanized website “detankzone[.]com” had been aimed at and advertised to individuals in the cryptocurrency sector as a game in which players compete against each other using NFT tanks [5]. Simply visiting the website caused the browser to run a script hidden in the page’s code, which then executed shellcode to profile the victim’s PC [5]. Using that information, the attackers would assess the compromised computer and decide whether its contents warranted any post-exploitation activity [5].
The exploit chain combined two vulnerabilities: CVE-2024-4947 (a type confusion error that allows remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page) and a V8 Sandbox Bypass, which in essence involved manipulating memory and incompatible types within the sandbox to reach out-of-bounds memory, either causing a crash or, as in this case, executing arbitrary code [6]. After Google was made aware of the vulnerabilities, CVE-2024-4947 and the V8 Sandbox Bypass were patched in May and March respectively [6].
At the time the V8 Sandbox Bypass was found and patched, Google did not consider the V8 Sandbox a security boundary, so the issue was labeled a bug rather than a vulnerability [1]. Since April 2024 this has changed: Google now includes the V8 Sandbox in its Vulnerability Rewards Program (VRP) [2]. Once the V8 Sandbox Bypass was recognized as a vulnerability, the bug’s case was reopened so that a CVE could be properly assigned, yet as of writing no follow-up has been published [1].
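The only indicator the report gives defenders to hunt with is the trojanized domain itself. The following is an added example, not code from the original post or from Kaspersky, showing how a SOC analyst might sweep proxy logs for visits to that domain and its subdomains. The log format and every log line are constructed for illustration; the domain is the one named in the report.

```python
import re

# Indicator from the Kaspersky report, written defanged as reports usually publish it.
IOC_DOMAINS = ["detankzone[.]com"]

# Constructed sample proxy log (timestamp, source IP, method, URL, status).
# These lines are made up for the example and are not real telemetry.
SAMPLE_PROXY_LOG = """\
2024-03-12T10:14:02Z 10.0.4.17 GET https://detankzone.com/ 200
2024-03-12T10:14:05Z 10.0.4.17 GET https://cdn.detankzone.com/assets/game.js 200
2024-03-12T10:15:11Z 10.0.4.22 GET https://example.org/index.html 200
2024-03-13T08:01:44Z 10.0.4.31 GET https://notdetankzone.com/ 200
2024-03-13T08:03:09Z 10.0.4.17 POST https://detankzone.com/api/start 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('detankzone[.]com', 'hxxps://') into a matchable hostname."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxps?://", "", s)  # 'hxxp' scheme is a common defanging convention
    return s.rstrip("/")


def host_of(url: str):
    """Extract the hostname from a URL; returns None if no scheme/host is present."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.lower())
    return m.group(1) if m else None


def host_matches(host: str, ioc: str) -> bool:
    """Exact match or subdomain match; 'notdetankzone.com' must NOT match 'detankzone.com'."""
    return host == ioc or host.endswith("." + ioc)


def find_ioc_hits(log_text: str, iocs=IOC_DOMAINS):
    """Return one record per log line whose URL host matches any indicator."""
    targets = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        host = host_of(m["url"])
        if host is None:
            continue
        for t in targets:
            if host_matches(host, t):
                hits.append({"ts": m["ts"], "src": m["src"], "host": host, "ioc": t})
    return hits


def affected_sources(hits):
    """Distinct internal source addresses that contacted an indicator (the triage list)."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['host']} (ioc: {h['ioc']})")
    print("hosts to triage:", affected_sources(found))
```

The subdomain check is deliberate: a naive `ioc in host` test would flag look-alike domains such as `notdetankzone.com`, while a bare equality test would miss CDN or API subdomains of the trojanized site. Hosts on the triage list are candidates for the browser-version and patch-status check, since the chain described above only succeeded against Chrome builds from before the May fix.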
Background
North Korea is widely considered a major player in transnational crimes such as drug trafficking, counterfeiting, smuggling, money laundering, weapons trafficking, human trafficking, and terrorism [3]. Ever since the fall of the Soviet Union in the 1990s, North Korea has struggled to find the funds needed to support its developing military and its chronically unstable civilian economy. Famines, poverty, and corruption are commonplace in the nation, and the many factors behind them make funds almost impossible to obtain without the state seeking external sources of revenue. As a result, North Korea has resorted to crime, slave labor, and the export of skilled labor to unwitting Western companies to pay for government programs. While it is atypical for other APTs to target ordinary individuals primarily to steal personal funds, it is important to understand that for North Korea obtaining money by any means is the end goal, as this most recent attack by Lazarus shows.
Impact
So far the impact of this attack has been minimal, with the website quarantined by Google and the vulnerabilities patched [6]. No nation-states, major organizations, or companies have announced that they were affected; the only known victims are an unknown number of individuals. Because cryptocurrency is notoriously volatile in value, especially over the course of a year, it is difficult to say how much money was stolen or whether these funds could ever be returned to their owners. While researching this attack, Kaspersky noted that the original developers of a legitimate crypto game, whose assets were stolen to build the APT’s trojanized site, had $20,000 stolen from their online crypto wallets [6]. This issue currently remains unresolved, and it is uncertain whether it has any correlation to the attack by Lazarus.
Significance
Attacks by North Korean APTs show that nothing can be considered off the table when it comes to nation-sponsored cyber threats. From strategically important state infrastructure to the average person’s bank account, APT targets now come in all shapes and sizes. While other APTs may not consider the average person a primary target, it should be noted that as situations change and as geopolitical objectives and opportunities present themselves, nation-state threats could find themselves in the market of petty internet theft. Compromising the average person may be just the entry point APTs need to infiltrate private organizations and attack more influential national targets. To protect oneself from the majority of threats on the internet, it is important to practice good cyber hygiene: do not visit suspicious websites, especially those that promise monetary gain; do not download suspicious files; do not voluntarily give out personally identifiable information; and always use a complex, secure password that follows well-accepted standards.
References
[1] Chromium Contributors, “V8 Sandbox escape via regexp,” 2024 https://issues.chromium.org/issues/330404819
[2] Groß S., “The V8 Sandbox,” 2024 https://v8.dev/blog/sandbox
[3] Hill B., “The State as a Transnational Criminal Organization,” 2023 https://media.defense.gov/2023/Feb/02/2003154183/-1/-1/1/06%20HILL_FEATURE.PDF
[4] Kaspersky, “Lazarus APT exploited zero-day vulnerability in Chrome to steal cryptocurrency,” 2024 https://www.kaspersky.com/about/press-releases/lazarus-apt-exploited-zero-day-vulnerability-in-chrome-to-steal-cryptocurrency
[5] Lakshmanan R., “Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices,” 2024 https://thehackernews.com/2024/10/lazarus-group-exploits-google-chrome.html
[6] Larin B. & Berdnikov V., “The Crypto Game of Lazarus APT: Investors vs Zero-days,” 2024 https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/