DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Summary:
In a recent cyberattack, the North Korea-backed advanced persistent threat (APT) group known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer (IE) web browser to launch a zero-click supply chain campaign targeting South Korean entities. The attack leveraged a Toast ad program, commonly bundled with free software, to deliver malware to unsuspecting victims. The vulnerability, identified as CVE-2024-38178, was triggered when the ad program downloaded and rendered ad content, allowing the attackers to inject malicious code into the Toast script and deliver the RokRAT malware. This malware enabled the attackers to execute remote commands, maintain persistence on infected systems, and conduct command and control operations through a commercial cloud server. While IE reached end of life in 2022, its continued use as a built-in component or related module within other applications remains a concerning attack vector.

Security Officer Comments:
The APT37 attack demonstrates the ongoing threat posed by state-sponsored cyber actors. The group's use of a zero-day vulnerability in a widely used software component underscores the importance of proactive vulnerability management and timely patching. Additionally, the attack highlights the risks associated with legacy software, even after reaching end of life. Organizations should carefully assess their software inventory and prioritize the migration of outdated applications to more secure alternatives. The use of a supply chain attack vector, targeting a widely distributed ad program, demonstrates the attackers' sophistication and their ability to leverage unexpected attack surfaces. This incident serves as a reminder that organizations must be vigilant about securing their entire software supply chain, including third-party components and dependencies.
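The inventory step recommended above (finding software that still embeds the IE engine) can be started from the endpoint side. The following PowerShell script is an added example, not part of the original report or of any vendor tooling: it lists running processes that have loaded the well-known IE engine DLLs (mshtml.dll, jscript9.dll, ieframe.dll). The function name Get-LegacyIeHosts and the DLL list are the example's own choices; the script only surfaces applications that still host the IE engine and says nothing about whether the CVE-2024-38178 patch is installed, which must be checked separately.

```powershell
# Added example (not from the original report): enumerate running processes that
# have loaded the legacy IE rendering/scripting engine DLLs. The DLL names are
# the well-known IE components (MSHTML rendering engine, IE9+ JScript engine,
# IE frame); the list is this example's assumption, extend it as needed.
$legacyIeModules = @('mshtml.dll', 'jscript9.dll', 'ieframe.dll')

function Get-LegacyIeHosts {
    param([string[]]$ModuleNames = $legacyIeModules)

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules fails (access denied, bitness mismatch, protected
            # process) for some processes; skip those rather than abort the scan.
            $loaded = $proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() }
        } catch {
            continue
        }
        $hits = $ModuleNames | Where-Object { $loaded -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $proc.Path
                IeModules   = ($hits -join ', ')
            }
        }
    }
}

# Usage: run from an elevated session so that more processes are readable.
Get-LegacyIeHosts | Sort-Object ProcessName | Format-Table -AutoSize
```

Run this on a representative set of endpoints rather than once: an ad or updater component that embeds IE may only be resident for a short time after a host application starts, so a single snapshot can miss it. Any process that appears here is a candidate for the migration and patch-priority list the comments above call for.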

Suggested Corrections:
TruStar IOCs: AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)

NIST suggests eight key practices for establishing a NIST C-SCRM (Cyber Supply Chain Risk Management) approach that can be applied to software.
  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.
These practices can assist in preventing, mitigating, and responding to software vulnerabilities that may be introduced through the cyber supply chain and exploited by malicious actors.

https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

Link(s):
https://www.darkreading.com/vulnerabilities-threats/dprk-microsoft-zero-day-no-click-toast-attacks

https://asec.ahnlab.com/en/83877/