Waiting To Replace That Old Software? Consider Making It A Priority

The North Korean hacking group ScarCruft (also known as APT37 or RedEyes) carried out a large-scale cyberattack in May 2024. The group exploited a zero-day vulnerability in Internet Explorer, tracked as CVE-2024-38178, to infect targets with the RokRAT malware. Although Internet Explorer is officially retired, its components still exist in Windows and third-party software, which keeps them a target for hackers.

ScarCruft compromised a South Korean online advertising agency's server to push malicious "Toast ads" on free software used by many South Koreans. These ads included a malicious iframe that triggered remote code execution via the Internet Explorer flaw. The RokRAT malware exfiltrated files, performed keylogging, monitored clipboard changes, and captured screenshots.

Microsoft patched the vulnerability in August 2024.

Source: https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/

Commentary

The North Koreans targeted South Koreans, but the article offers important lessons for all organizations, regardless of location, about using software that is outdated or unsupported.

  • Unsupported software no longer receives security updates, making it vulnerable to new exploits and attacks. In this case, the Internet Explorer vulnerability allowed hackers to execute remote code and spread malware.
  • Unsupported software may not be compatible with newer systems and applications, leading to operational inefficiencies, increased maintenance costs and security lapses.
  • As seen in the above source, outdated software can be a gateway for cyber-espionage and data breaches, compromising sensitive information.

The final takeaway is that organizations should prioritize regular software updates and consider transitioning to supported and secure alternatives to outdated software to mitigate security risks.
