Key Takeaways:
Cybersecurity researchers have issued a security advisory about a new supply chain campaign that allowed the North Korea-backed hacking group APT37 to compromise Windows devices this summer. This threat actor exploited a zero-day vulnerability in Internet Explorer to deploy the RokRAT malware, allowing them to exfiltrate sensitive data.
Microsoft officially dropped support for Internet Explorer 11 back in June 2022. Most organizations have already transitioned to modern web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. However, some legacy applications still rely on Internet Explorer and might not work in new web browsers.
According to the AhnLab Security Intelligence Center (ASEC), the hackers abused a Toast pop-up ad program of the kind commonly bundled with free software tools. Toasts are pop-up notifications that appear on the screen for a short duration.
Specifically, the state-sponsored hacking group targeted a domestic advertising agency and exploited the CVE-2024-38178 vulnerability to display specially crafted Toast ads on users’ computers. Instead of legitimate advertisements, the Toast script started the deployment of the RokRAT malware, which allowed the hackers to steal data from their victims.
“They then injected vulnerability code into the server’s ad content script. This vulnerability is exploited when the ad program downloads and renders the ad content. As a result, a zero-click attack occurred without any interaction from the user,” the AhnLab researchers explained.
AhnLab and the National Cyber Security Centre (NCSC) were the first to discover and report the Internet Explorer vulnerability to Microsoft. In response, Microsoft released the August 2023 Patch Tuesday updates to fix the zero-day flaw in affected systems. However, the continued reliance on Internet Explorer components in other software still poses significant security risks.
It’s highly recommended that organizations ensure that their systems are always up-to-date with the latest security fixes to protect against cyberattacks and other threats. Furthermore, software vendors should avoid using libraries and modules that have known security risks when developing their products.
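Because the attack chain described above depends on a third-party program embedding Internet Explorer's rendering and scripting engines rather than on the retired browser itself, one practical first step for defenders is to inventory which running software still loads those engines. The following PowerShell script is an added example for that purpose and is not code from the ASEC advisory or from this article; the list of DLL names it checks (mshtml.dll, jscript9.dll, jscript.dll, ieframe.dll) is an assumption about the most common Internet Explorer components and can be extended. Run it from an elevated session so that modules of processes owned by other users can be inspected.

```powershell
# Added example: find running processes that have loaded Internet Explorer
# engine DLLs, i.e. software that still embeds IE even though the browser
# itself is no longer supported. The module list is an assumption, not a
# complete catalogue of IE components.
$ieModules = @('mshtml.dll', 'jscript9.dll', 'jscript.dll', 'ieframe.dll')

function Get-IeEmbeddingProcess {
    param(
        [string[]]$ModuleNames = $ieModules
    )
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            # Module enumeration can throw for protected processes or on
            # 32/64-bit mismatches; such processes are skipped.
            $loaded = $proc.Modules |
                Where-Object { $ModuleNames -contains $_.ModuleName.ToLower() }
        } catch {
            return
        }
        if ($loaded) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                IeModules   = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Print an inventory of IE-embedding processes for review.
Get-IeEmbeddingProcess | Format-Table -AutoSize
```

Any process that appears in the output renders or executes content with the Internet Explorer engines, so it inherits vulnerabilities such as the one patched here even on machines where the browser is never opened. Those programs, and the ad or update components they bundle, are the ones whose patch state and content sources deserve the closest attention; the inventory can be repeated after patching to confirm that the software in question has picked up the fixed engine version or has been replaced.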