Chrome is under attack, with Google warning that two separate vulnerabilities are being actively exploited and the U.S. government ordering federal civilian agencies to update their browsers within 21 days. Microsoft, which discovered and disclosed the first of these vulnerabilities, has just gone even further, recommending that users should be “encouraged” to quit Chrome and use a different browser instead.
First, the two active exploits and the ongoing attacks. Google issued a Chrome update on August 21, patching a raft of vulnerabilities and warning that CVE-2024-7971 was under active exploitation. Then on August 26, Google updated its advisory to warn that a second vulnerability, CVE-2024-7965, had also come under attack after the initial warning. CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies update Chrome by mid-September.
Microsoft’s security team discovered and disclosed the first of the two vulnerabilities, and has just issued a report warning that the known exploitation relates to cryptocurrency theft, attributing the attacks “with high confidence” to a North Korean threat actor.
According to Microsoft, the threat actor behind the CVE-2024-7971 attacks is Citrine Sleet, which “primarily targets financial institutions… and individuals managing cryptocurrency, for financial gain.” Microsoft warns that Citrine Sleet “creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.”
While Microsoft clearly recommends keeping Chrome, Edge and other Chromium browsers updated, it also says that protecting against such exploits “necessitates not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain.” It advises “encourag[ing] users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”
Microsoft is firmly of the view that Edge is more secure than Chrome and more likely to protect its enterprise and home users from malware. It has not been shy about saying so: Microsoft has been repeatedly criticized for its controversial Edge ads targeting new Windows installs, which seemingly intensify when Chrome is set as the default browser.
While there is a case for Edge over Chrome with regard to malware protection, it feels somewhat askew for a Microsoft product that competes with Chrome to be recommended in a security advisory for a CVE disclosed by Microsoft, riding a wave of Chrome-generated publicity. Chrome dominates the desktop browser market, with more than four times as many users worldwide as Edge.
What the advice does do is shift the narrative from the vulnerability (or, more realistically, the chain of multiple vulnerabilities in an attack) to the initial phishing lure. Microsoft is saying it’s more likely to block the source. And while Google is pushing hard to make up ground with its own Safe Browsing, it has some catching up to do.
Where before, Safe Browsing “used a list stored on your device to check if a site or file was known to be potentially dangerous… updated every 30 to 60 minutes,” Google says it found “that the average malicious site actually exists for less than 10 minutes.” And so now it “will check sites against Google’s server-side list of known bad sites in real time… we expect to block 25% more phishing attempts.”
Google has been relatively unbothered by Microsoft’s blatant push for users to ditch Chrome for Edge in the past, buoyed by the sheer resilience of Chrome’s install base. Microsoft’s appeal here is different: it asks the enterprise CISO to treat the browsers in use as part of the network’s defenses, which plays to Microsoft’s more joined-up, “unified” approach.
As for Citrine Sleet and the specifics here: the threat actor likely has links to North Korea’s nation-state cyber capabilities, which is unsurprising given the country’s focused efforts on cryptocurrency hacking. This should be viewed as a serious threat, and in a world where exploits are repurposed and change hands, that threat can quickly expand beyond theft into ransomware or outright espionage.
Whether or not you decide to shift from Chrome to Edge, just make sure you update: these vulnerabilities sit in the shared Chromium code, so the latest threat affects both browsers.
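One practical check that follows from the advice to update, added here as an example (it is not code from the article, Google or Microsoft): a small Python script that reads a browser inventory and flags hosts still below the fixed build. The fixed Chrome build number used, 128.0.6613.84, comes from Google’s August 21 Stable release notes rather than from the article, so treat it as an input to verify against the advisory; the inventory lines are constructed. The script compares versions numerically, because a plain string comparison puts 128.0.6613.9 after 128.0.6613.84, and it deliberately leaves Edge hosts as “unknown” because Edge numbers its builds on its own line and needs its own baseline, which is not asserted here.

```python
"""Flag Chromium-family installs that are below the build carrying the fix.

Added example for this article; not Google's or Microsoft's code.
Assumptions not stated in the article:
  * FIXED_VERSIONS["Google Chrome"] is taken from Google's Aug 21, 2024 Stable
    release notes. Verify it against the advisory before relying on it.
  * Edge uses its own version numbering, so Chrome's baseline must not be
    applied to it; Edge hosts are reported as "unknown" until a baseline is set.
  * SAMPLE_INVENTORY is constructed data, not real hosts.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Product prefix as printed by `--version`  ->  first fixed Stable build (assumption).
FIXED_VERSIONS: Dict[str, str] = {
    "Google Chrome": "128.0.6613.84",
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from free text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two dotted versions numerically.

    Comparing tuples of ints avoids the lexicographic trap in which the string
    "128.0.6613.9" sorts after "128.0.6613.84". Shorter tuples are zero-padded
    so "128.0.6613" equals "128.0.6613.0".
    """
    va, vb = parse_version(a), parse_version(b)
    if va is None or vb is None:
        raise ValueError(f"unparseable version: {a!r} / {b!r}")
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_patched(installed: str, fixed: str) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if unparseable."""
    try:
        return compare_versions(installed, fixed) >= 0
    except ValueError:
        return None


def local_browser_version() -> Optional[str]:
    """Ask a locally installed Chromium-family binary for its version, if any.

    Returns None when no binary is found so the script stays usable offline.
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium",
                 "chromium-browser", "microsoft-edge"):
        path = shutil.which(name)
        if path:
            try:
                out = subprocess.run([path, "--version"], capture_output=True,
                                     text=True, timeout=10)
                return out.stdout.strip() or None
            except (OSError, subprocess.SubprocessError):
                return None
    return None


# Constructed inventory: "hostname<TAB>output of `browser --version`".
SAMPLE_INVENTORY = (
    "ws-001\tGoogle Chrome 128.0.6613.84\n"
    "ws-002\tGoogle Chrome 127.0.6533.120\n"
    "ws-003\tMicrosoft Edge 128.0.2739.42\n"   # different numbering: needs own baseline
    "ws-004\tGoogle Chrome 128.0.6613.9\n"     # would pass a string comparison, wrongly
    "ws-005\tGoogle Chrome 128.0.6613.120\n"
    "ws-006\tnot installed\n"
)


def triage(inventory: str,
           fixed_versions: Dict[str, str] = FIXED_VERSIONS) -> Dict[str, List[str]]:
    """Sort inventory hosts into patched / vulnerable / unknown lists."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition("\t")
        baseline = next((fixed for product, fixed in fixed_versions.items()
                         if version_text.startswith(product)), None)
        state = None if baseline is None else is_patched(version_text, baseline)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
    local = local_browser_version()
    print("local browser:", local or "none found")
```

Feed the script real inventory (one host per line, tab-separated from the `--version` output) and add a baseline entry for each product you actually run; an “unknown” bucket that is not empty is a prompt to set that baseline, not a pass.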