Date: 2023-04-17

In brief: on Friday Google released an emergency update to address a zero-day security flaw in Chrome.

This vulnerability, tracked as CVE-2023-2033, could be exploited by a malicious web page to execute arbitrary code in the browser. In other words, if you use a vulnerable browser and visit a booby-trapped website, your device can be hijacked. Exploit code for this hole is said to be in the wild and may already be in use by miscreants.

This high-severity type confusion bug exists in versions of Chrome for desktop prior to 112.0.5615.121. Google released that version for Windows, Mac and Linux on April 14, closing the security hole in its V8 JavaScript engine.

That new version should be installed as soon as possible, either automatically or manually.

The vulnerability was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group on April 11, according to the web giant. “Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company added. The fix marks the first Chrome zero-day to be squashed by Google this year.

Full details of how the bug was, or is being, exploited have not yet been released.

The updated Chrome also includes “various fixes from internal audits, fuzzing and other initiatives.”

Extortionists ask Western Digital for 8-figure amount not to release ’10TB of data’

Malicious actors who claim to be behind a ransomware infection at disk maker Western Digital earlier this month say they have not yet been kicked out of the company’s systems, and that they are happy to walk away, keep the stolen data secret, and explain how they broke into WD, provided they are paid an eight-figure ransom.

The apparent thieves, who spoke to TechCrunch earlier this week, said they stole what they claimed was about 10 terabytes of internal data from the company, including customer and employee information. Encryption keys were also reportedly among the haul, which would allow the criminals to digitally sign certificates as Western Digital and pass off malicious files as legitimate WD material.

The attackers also allegedly stole data from Western Digital’s SAP Backoffice instance, as well as emails and files from other cloud services. No information was encrypted.

The perpetrators’ goal is clearly to make money, by threatening to cause more damage to Western Digital’s systems, expose more company data, or otherwise make life difficult for the company.

“We require a one-time payment. Then we leave the network and let you know your weaknesses. No lasting harm. But any attempt to sabotage us, our systems, or anything else, and we will fight back,” the attackers reportedly told Western Digital in an email.

Western Digital has been largely silent on the attack, which it disclosed on April 2nd. WD said in a statement that the attack was identified on March 26 and was being investigated.

TechCrunch said WD would not provide updates or verify the crooks’ claims. The attackers would only say that they “exploited vulnerabilities within our infrastructure and spidered our way into global administrators [of the Microsoft] Azure Tenant” to pull off the attack.

The self-identified attackers have also claimed no affiliation with the Alphv ransomware gang, but said that if Western Digital does not promptly respond to their demands, they will expose the stolen data on websites belonging to that gang.

As of Wednesday, Western Digital reported that access to its My Cloud service, which had been offline since the attack, had been restored. Western Digital has not released an update on the status of its investigation since first reporting the intrusion.

Critical Vulnerabilities of the Week

Last week was Patch Tuesday week, so most of the recent critical vulnerabilities were already covered by The Register. But a few more critically rated thorns in industrial control systems are worth a mention.

CVSS 9.8 – CVE-2023-28489: Siemens SICAM A8000 devices running firmware versions prior to CPCI85 contain a command injection vulnerability that could grant remote code execution to unauthenticated, remote attackers.

CVSS 9.8 – Multiple CVEs: Siemens SCALANCE XCM332 devices running software prior to version 2.2 are vulnerable to an exploit chain that causes a denial of service and leads to code execution, data injection, and unauthorized access.

CVSS 9.8 – Multiple CVEs: The Siemens SCALANCE X-200, X-200IRT, and X-300 families run firmware vulnerable to integer overflow or wraparound bugs that can lead to memory corruption (varies by product).

CVSS 8.3 – CVE-2020-14521: Multiple Mitsubishi Electric Factory Automation software products contain a malicious code execution vulnerability that an attacker could use to steal or modify data and cause a denial of service.

Patches for the above vulnerabilities are available. You know the drill – patch it up.

Industry insiders step up to protect well-intentioned hackers

Tech industry players including Google and Intel last week announced a project to create a more favorable legal environment for honest security researchers, and another to help cover the costs of researchers embroiled in lawsuits.

HackerOne, a bug bounty platform, announced the formation of the Hacking Policy Council in partnership with the Center for Cybersecurity Policy and Law. The council will “advocate policies that encourage best practices in vulnerability detection, management, and disclosure, as well as improved protections for honest security research,” the organization said.

Google said it is committed to the Hacking Policy Council alongside founding members such as Intel and Bugcrowd, saying it wants to see [disclosure reporting] law done right.

Google called the Council “a group of like-minded organizations and leaders” that will advocate “to ensure that new policies and regulations support vulnerability management and disclosure best practices and do not compromise user security.”

Google also said it is providing seed funding to the Security Research Legal Defense Fund. The search giant said it would “fund legal representation of individuals conducting good faith investigations when promoting cybersecurity in the public interest.”

According to the fund’s website, it does not provide direct representation, but will support researchers seeking assistance who have demonstrated financial need, have not engaged in illegal activities such as extortion, have acted in good faith, and are approved by the fund’s board of directors.

Like the Hacking Policy Council, the Defense Fund is coordinated by the Center for Cybersecurity Policy and Law. The fund’s website says it has applied for 501(c)(3) nonprofit status and “will be operational in the next few months,” so it is not yet clear when funding will actually be available.

