Google Chrome users should install the latest security updates immediately, following reports that hackers are exploiting a "high-severity" vulnerability in the browser, the Singapore Computer Emergency Response Team (SingCERT) said on Friday (Aug 19).
Google did not provide further information, but released Chrome 104.0.5112.101 for Mac and Linux, and Chrome 104.0.5112.102/101 for Windows, to address multiple vulnerabilities.
The high-severity vulnerability is "being exploited in the wild", meaning attackers are already using it against real devices, including those belonging to ordinary users.
The security fix for this bug is included in an update currently being rolled out, and users who have automatic updates turned on are expected to receive it in the coming days or weeks, according to technology website Bleeping Computer.
SingCERT has advised Google Chrome users on Windows, Mac and Linux computers to install the latest security updates immediately.
They are also encouraged to enable the automatic update function in Chrome to ensure that their software is updated promptly.
The vulnerability is a high-severity security issue in "Intents", a feature that lets a web page launch applications and web services directly, Bleeping Computer reported.
The vulnerability was reported on Jul 19 by Ashley Shen and Christian Resell of the Google Threat Analysis Group.
Google said it was aware that an exploit for the bug exists in the wild, but may restrict access to bug details and links until a majority of users are updated with a fix.
"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," it added.
A new botnet called 'RapperBot' has been used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
Researchers at Fortinet show that RapperBot is based on the Mirai trojan but deviates from the original malware's normal behavior, which is uncontrolled propagation to as many devices as possible.
Instead, RapperBot is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely so that compromised hosts can be used as stepping stones for lateral movement within a network.
Over the past 1.5 months since its discovery, the new botnet used over 3,500 unique IPs worldwide to scan and attempt brute-forcing Linux SSH servers.
Mirai-based, but different
The new botnet was discovered in the wild by threat hunters at Fortinet, who noticed the IoT malware featured some unusual SSH-related strings and decided to investigate further.
RapperBot proved to be a Mirai fork, but with its own command and control (C2) protocol, unique features, and atypical (for a botnet) post-compromise activity.
"Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication," explains the Fortinet report.
"The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR."
The SSH brute-forcing relies on a list of credentials downloaded from the C2 via host-unique TCP requests, and the malware reports back to the C2 when a login succeeds.
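What this attack pattern looks like from the defender's side, as an added example for this page (not Fortinet's analysis code and not RapperBot's): the first function scores sshd log sources that fail repeatedly across several usernames, which is what a downloaded credential list produces, and pairs them with any password login they then achieved; the second audits the sshd_config settings that make a host a target in the first place, honouring sshd's rule that the first value of a keyword wins. The log lines, both config files, the thresholds and the assumed OpenSSH defaults are all constructed or assumed, not taken from the report.

```python
"""Spot RapperBot-style SSH password brute forcing and the sshd settings that
allow it. Added example for this page, not Fortinet's or RapperBot's code.
The log lines and config files are constructed; thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sshd log excerpt in OpenSSH's syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Aug 19 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.10 port 51122 ssh2
Aug 19 10:00:02 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51130 ssh2
Aug 19 10:00:03 srv sshd[2105]: Failed password for invalid user pi from 203.0.113.10 port 51141 ssh2
Aug 19 10:00:04 srv sshd[2107]: Failed password for root from 198.51.100.7 port 40211 ssh2
Aug 19 10:00:05 srv sshd[2109]: Failed password for invalid user ubnt from 198.51.100.7 port 40219 ssh2
Aug 19 10:00:06 srv sshd[2111]: Failed password for invalid user oracle from 203.0.113.10 port 51150 ssh2
Aug 19 10:00:07 srv sshd[2113]: Accepted password for root from 203.0.113.10 port 51162 ssh2
Aug 19 10:00:08 srv sshd[2115]: Accepted publickey for alice from 192.0.2.5 port 33001 ssh2
Aug 19 10:01:00 srv sshd[2120]: Failed password for alice from 192.0.2.5 port 33010 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port")


def analyze_auth_log(text, min_failures=3, min_users=2):
    """Flag sources that fail many times across several usernames (credential-list
    spraying, as RapperBot does) and any password login they then achieved."""
    failures = defaultdict(list)   # source IP -> usernames tried
    accepted = defaultdict(list)   # source IP -> usernames that got in by password
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append(m["user"])
    brute_forcers = sorted(ip for ip, users in failures.items()
                           if len(users) >= min_failures and len(set(users)) >= min_users)
    compromised = sorted((ip, user) for ip in brute_forcers for user in accepted.get(ip, []))
    return {"brute_forcers": brute_forcers, "compromised": compromised}


# Assumed OpenSSH defaults for the three settings audited here.
SSHD_DEFAULTS = {"passwordauthentication": "yes",
                 "permitrootlogin": "prohibit-password",
                 "maxauthtries": "6"}


def audit_sshd_config(config_text):
    """Return findings for the global section of an sshd_config. sshd uses the
    FIRST value it sees for a keyword, so later duplicates are ignored, and
    everything after the first 'Match' line is conditional and skipped here."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break
        seen.setdefault(key, value.lower())
    effective = {k: seen.get(k, default) for k, default in SSHD_DEFAULTS.items()}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes: set it to 'no' and require keys")
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin is yes: set it to 'no' or 'prohibit-password'")
    if int(effective["maxauthtries"]) > 3:
        findings.append("MaxAuthTries %s: lower it (e.g. 3) to slow guessing" % effective["maxauthtries"])
    return findings


# Constructed configs: one that a credential list can attack, one hardened.
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no    # ignored: sshd keeps the first value above
"""
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes    # per-user exception, not audited here
"""

if __name__ == "__main__":
    print(analyze_auth_log(SAMPLE_AUTH_LOG))
    print(audit_sshd_config(WEAK_SSHD_CONFIG))
    print(audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On the constructed log, 203.0.113.10 is flagged (four failures over four usernames, then a successful password login as root), while 198.51.100.7 stays below the threshold and alice's single typo is ignored. The weak config yields three findings even though it contains a later `PasswordAuthentication no`, because sshd applies the first occurrence; the hardened config yields none.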
Fortinet researchers followed the bot and continued to sample new variants, noticing that RapperBot used a self-propagation mechanism via a remote binary downloader, which was removed by the threat actors in mid-July.
The newer variants circulating at that time featured a shell command that replaced the victim's SSH keys with the actor's, establishing persistence that survives SSH password changes.
Moreover, RapperBot added a routine that appends the actor's SSH public key to the host's "~/.ssh/authorized_keys", which keeps access to the server across reboots or even if the malware is found and deleted.
In the most recent samples analyzed by the researchers, the bot adds the root user "suhelper" on the compromised endpoints and creates a Cron job that re-adds the user every hour in case an admin discovers the account and deletes it.
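The three persistence mechanisms just described each leave an artifact on disk, so a host check can look for all of them. The following is an added example for this page (not Fortinet's tooling and not the malware's own commands): it finds extra UID-0 accounts in /etc/passwd, computes OpenSSH-style SHA256 fingerprints of every key in an authorized_keys file and reports those not on an allow-list, and flags cron entries that create users or touch account files. Every input below is a constructed stand-in; the Ed25519 public keys are synthetic bytes, the planted cron command is my own illustration of "re-adds the user every hour", not a string from the samples.

```python
"""Hunt for RapperBot-style persistence on a Linux host.
Added example (not Fortinet's or RapperBot's code). All inputs below are
constructed stand-ins for /etc/passwd, ~/.ssh/authorized_keys and a crontab."""
import base64
import hashlib
import re
import struct

# Constructed /etc/passwd: 'suhelper' is a second UID-0 account, as the article describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
suhelper:x:0:0::/root:/bin/bash
"""


def find_extra_uid0_users(passwd_text):
    """Return every account with UID 0 whose name is not literally 'root'."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_authorized_line(raw_pubkey, comment):
    """Build an authorized_keys line from a (constructed) 32-byte Ed25519 public key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(b64_blob):
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed keys: one legitimate admin key, one planted key with an innocuous comment.
ADMIN_KEY_LINE = ed25519_authorized_line(bytes(range(32)), "alice@laptop")
PLANTED_KEY_LINE = ed25519_authorized_line(bytes([0xAA] * 32), "helper")
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY_LINE + "\n" + PLANTED_KEY_LINE + "\n"
KNOWN_FINGERPRINTS = {fingerprint(ADMIN_KEY_LINE.split()[1])}   # the allow-list


def find_unknown_authorized_keys(authorized_keys_text, known_fingerprints):
    """Return (fingerprint, comment) for every key whose fingerprint is not allow-listed."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or line.lstrip().startswith("#"):
            continue
        # Lines may start with options such as command="..."; the key type is the
        # first field that looks like one, and the base64 blob follows it.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = fingerprint(parts[idx + 1])
        if fp not in known_fingerprints:
            unknown.append((fp, " ".join(parts[idx + 2:])))
    return unknown


# Constructed crontab: the second entry is an illustration of an hourly user re-add.
SAMPLE_CRONTAB = """\
30 2 * * * /usr/bin/apt-get update
0 * * * * /usr/sbin/useradd -o -u 0 -g 0 -M suhelper >/dev/null 2>&1
"""
CRON_PERSISTENCE_RE = re.compile(
    r"\b(useradd|adduser|usermod)\b|/etc/(passwd|shadow|sudoers)|authorized_keys")


def find_persistence_cron_entries(crontab_text):
    """Return cron lines that create or modify accounts or SSH keys."""
    return [line for line in crontab_text.splitlines()
            if CRON_PERSISTENCE_RE.search(line) and not line.lstrip().startswith("#")]


def hunt(passwd_text, authorized_keys_text, known_fingerprints, crontab_text):
    return {"extra_uid0_users": find_extra_uid0_users(passwd_text),
            "unknown_keys": find_unknown_authorized_keys(authorized_keys_text, known_fingerprints),
            "cron": find_persistence_cron_entries(crontab_text)}


if __name__ == "__main__":
    print(hunt(SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS, SAMPLE_CRONTAB))
```

In use, feed it the real files (every user's authorized_keys, root's included, plus /etc/cron.d, /var/spool/cron and the system crontab) and seed the allow-list with fingerprints from `ssh-keygen -lf` on keys you issued; a key whose only identification is a friendly comment like "helper" is exactly what the allow-list is there to catch.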
It is also worth noting that the malware authors added extra layers of obfuscation to the strings in later samples, such as XOR encoding.
RapperBot's goal
Most botnets either perform DDoS attacks or engage in coin-mining by hijacking the host's available computational resources, and some do both.
The goal of RapperBot, however, isn't evident, as the authors have kept its DDoS functions limited and even removed and re-introduced them at some point.
Also, the removal of self-propagation and the addition of persistence and detection-avoidance mechanisms indicate that the botnet's operators may be interested in initial access sales to ransomware actors.
Fortinet reports that its analysts saw no additional payloads delivered post-compromise during the monitoring period, so the malware just nests on the infected Linux hosts and sits dormant.
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.
The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.
The attackers install the malicious extension after compromising a target's system: a custom VBS script replaces the browser's 'Preferences' and 'Secure Preferences' files with ones downloaded from the malware's command-and-control server.
Once the new preferences files are in place on the infected device, the web browser automatically loads the SHARPEXT extension.
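Because the extension is registered by editing the profile's preference files rather than installed from the Web Store, the files themselves are where to look for it. The following audit is an added example for this page, not Volexity's code: it walks the `extensions.settings` map in a Chromium 'Secure Preferences' (or 'Preferences') JSON file and reports extensions that are not marked as Web Store installs, are recorded as unpacked, or are loaded from an absolute path, along with the broad permissions they request. The sample JSON and both extension IDs are constructed placeholders; the numeric `location` codes (1 for an internal/Web Store install, 4 for an unpacked directory) are Chromium's ManifestLocation values as I know them and should be confirmed against the Chromium source for the browser build in question.

```python
"""Audit a Chromium profile's 'Secure Preferences' / 'Preferences' JSON for
side-loaded extensions of the SHARPEXT kind. Added example, not Volexity's
code. The JSON is constructed and the extension IDs are placeholders; the
'location' codes are assumed from Chromium's ManifestLocation enum."""
import json

LOCATION_UNPACKED = 4   # assumed: Chromium ManifestLocation kUnpacked
LOCATION_INTERNAL = 1   # assumed: Chromium ManifestLocation kInternal (Web Store install)
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs"}

# Constructed sample; a real file also carries 'protection.macs' HMACs, omitted here.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        # placeholder ID for a normal Web Store extension
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
            "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\2.1_0",
            "manifest": {"name": "Known Good Extension", "version": "2.1",
                         "permissions": ["storage"]}},
        # placeholder ID for an extension registered by rewriting the file
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Helper", "version": "3.0",
                         "permissions": ["tabs", "webRequest", "<all_urls>"]}},
    }}
})


def audit_extension_settings(prefs_text):
    """Return one finding per extension that looks side-loaded; each finding lists
    why, plus any broad permissions from its recorded manifest."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        path = ext.get("path", "")
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if ext.get("location") == LOCATION_UNPACKED:
            reasons.append("recorded as an unpacked extension")
        # Packed installs are recorded relative to the profile's Extensions directory;
        # an absolute path means the code lives somewhere the attacker chose.
        if path.startswith("/") or ":\\" in path:
            reasons.append("loaded from absolute path " + path)
        if not reasons:
            continue
        risky = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
        if risky:
            reasons.append("requests " + ", ".join(risky))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "version": manifest.get("version", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extension_settings(SAMPLE_SECURE_PREFERENCES):
        print(finding["id"], finding["name"], finding["version"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On Windows the files sit under the profile directory, e.g. `%LOCALAPPDATA%\Google\Chrome\User Data\Default\` for Chrome and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\` for Edge; run the audit against every profile, not just Default. Chrome protects these settings with HMACs stored in the same file, so a wholesale replacement of the kind described above has to carry values Chrome accepts; diffing the file against a known-good copy from the same profile is therefore a useful complementary check, as is confirming that the extension's `path` points at a directory the user never created.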
"The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," Volexity said Thursday.
"Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system."
As Volexity further revealed today, this latest campaign aligns with previous Kimsuky attacks, as it also deploys SHARPEXT "in targeted attacks on foreign policy, nuclear and other individuals of strategic interest" in the United States, Europe, and South Korea.
Stealthy and highly effective attacks
By reading mail through the target's already-logged-in browser session, the attack is invisible to the victim's email provider: every request comes from the legitimately authenticated browser, so there is no second login or API client for the provider to notice, which makes detection very challenging if not impossible.
For the same reason, the extension's workflow does not trigger any suspicious-activity alerts on the victim's account, so the malicious activity will not be discovered by checking the webmail account's security or status page for alerts.
The North Korean threat actors can use SHARPEXT to collect a wide range of information using commands that:
List previously collected emails from the victim to ensure
duplicates are not uploaded. This list is continuously updated as
SHARPEXT executes.
List email domains with which the victim has previously communicated. This list is continuously updated as SHARPEXT executes.
Collect a blacklist of email senders that should be ignored when collecting emails from the victim.
Add a domain to the list of all domains viewed by the victim.
Upload a new attachment to the remote server.
Upload Gmail data to the remote server.
Commented by the attacker; receive an attachments list to be exfiltrated.
Upload AOL data to the remote server.
This is not the first time the North Korean APT group has used browser extensions to harvest and exfiltrate confidential data from targets' breached systems.
As Netscout's ASERT Team reported in December 2018, a spear-phishing campaign orchestrated by Kimsuky had been pushing a malicious Chrome extension since at least May 2018 in attacks targeting a large number of academic entities across multiple universities.