Critical zero-day in Google Chrome sparks urgent patch

SISA Weekly Threat Watch - 02 October-2023

The cybersecurity landscape has seen substantial threats and security flaws in the last week. Researchers discovered a resurgence of advanced persistent threat (APT) attacks aimed at the government sector, zero-day vulnerabilities in widely used platforms, a new trend involving the deployment of sophisticated backdoors, and the exploitation of several significant vulnerabilities. These instances highlight the rising complexity of cyber threats, emphasizing the importance of enterprises prioritizing security measures and staying vigilant against emerging attack vectors.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Elusive Gelsemium hackers spotted in attack against Southeast Asian government

The Gelsemium advanced persistent threat (APT) group has been actively observed in a cyber espionage campaign targeting a Southeast Asian government over a six-month period from 2022 to 2023. A recent report describes a new Gelsemium campaign that employs rarely seen backdoors, linked to the threat actors with medium confidence. The campaign starts with web shell installations on Gelsemium targets, likely through vulnerabilities in internet-facing servers.

The report highlights the use of well-known web shells like ‘reGeorg,’ ‘China Chopper,’ and ‘AspxSpy,’ which are publicly available, making attribution challenging. These web shells enable Gelsemium to perform network reconnaissance, move laterally via Server Message Block (SMB), and fetch additional payloads. Gelsemium also deploys additional tools for lateral movement, data collection, and privilege escalation, including OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm. It is recommended to implement security best practices for web applications, such as input validation, output encoding, and parameterized queries, to prevent SQL injection, cross-site scripting (XSS), and other common vulnerabilities. Additionally, deploy a WAF to filter incoming web traffic and block malicious requests, to defend against such advanced adversaries.

2. Google releases patch for actively exploited zero-day vulnerability

Multiple vulnerabilities have been discovered in Google Chrome, including a high-severity zero-day vulnerability (CVE-2023-5217) that can lead to arbitrary code execution. This vulnerability stems from a heap buffer overflow in the VP8 encoding of the libvpx video codec library. The flaw's implications range from causing applications to crash to potentially enabling the execution of malicious code.

The Google TAG (Threat Analysis Group) research team has gained a reputation for frequently identifying and reporting zero-day vulnerabilities that are exploited in targeted espionage campaigns, often carried out by state-sponsored threat actors and hacking groups. These campaigns typically target individuals at high risk, such as journalists and political opposition figures. Exploitation of this particular vulnerability has been observed in spyware attacks, highlighting its severity. It is crucial to promptly apply the available updates and establish robust vulnerability management processes to mitigate these risks.

3. Exploit chain released for Microsoft SharePoint server vulnerabilities

A proof-of-concept exploit chain has surfaced for two vulnerabilities in Microsoft SharePoint Server that could potentially lead to unauthenticated remote code execution. CVE-2023-29357 is an elevation of privilege (EoP) vulnerability in Microsoft SharePoint Server. It can be exploited by a remote, unauthenticated attacker who sends a spoofed JSON Web Token (JWT) authentication token to a vulnerable server to gain the privileges of an authenticated user.

CVE-2023-24955, on the other hand, is a remote code execution (RCE) vulnerability impacting Microsoft SharePoint Server. It permits an authenticated Site Owner to execute code on an affected SharePoint Server by replacing the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file. A public exploit script targeting the SharePoint vulnerability CVE-2023-29357 has emerged on GitHub. This script enables attackers to escalate privileges on compromised SharePoint Server installations. Furthermore, malicious actors could potentially chain the EoP vulnerability with the RCE vulnerability to severely compromise system confidentiality, integrity, and availability. Prompt implementation of the Microsoft recommended patches and mitigations is crucial to curbing potential security infringements and data breaches.

4. Deadglyph: Exploring a novel advanced backdoor and its malicious tactics

Cybersecurity researchers have uncovered an advanced backdoor named Deadglyph, employed by the Stealth Falcon APT group in a cyber espionage campaign targeting entities in the Middle East. Deadglyph’s architectural peculiarity distinguishes it from conventional malware. It comprises two cooperating components: a native x64 binary and a .NET assembly. To enhance security, these components are encrypted using a machine-specific key. Unlike typical backdoors that embed traditional commands within their binary, Deadglyph dynamically receives commands from its C&C server.

Deadglyph is proficient in executing various tasks, categorized into three groups: Orchestrator tasks (managing network and timer modules), Executor tasks (including process creation, file access, and system metadata collection), and Upload tasks (for uploading command outputs and errors). To establish persistence, Deadglyph utilizes its shellcode loader. It communicates with the C&C server using HTTPS POST requests, a technique that raises the bar for detection and blocking, making it more challenging for defenders to thwart its activities. Organizations and individuals must remain vigilant, update their security measures, and follow best practices to defend against such threats.

5. Critical libwebp vulnerability under active exploitation

Google has issued a CVE identifier for a critical zero-day vulnerability that is under active exploitation. The vulnerability affects the libwebp image library used for rendering images in WebP format, and stems specifically from the Huffman coding algorithm. Because libwebp supports codes up to 15 bits, problems occur when the BuildHuffmanTable() function attempts to populate second-level tables.
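The check below is an added example, not libwebp's code and not taken from the advisory: it validates a set of Huffman code lengths and computes how many entries a two-level lookup table needs before anything is written, so a decoder can reject input that would not fit its allocation. The function names, the sample lengths, the 8-bit first-level index and the capacity values used with it are assumptions chosen for illustration.

```c
#include <stddef.h>

#define MAX_CODE_BITS 15 /* longest code length named in the advisory */

/* Constructed sample: one code each of length 1..14, two of length 15. */
const unsigned char SKEWED_LENGTHS[16] =
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 15};

/* Index bits of the next second-level table, from the remaining counts. */
static int next_table_bits(const int *count, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_CODE_BITS) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* Entries a two-level lookup table needs for these code lengths, or -1 if
 * the lengths are not a complete prefix code or exceed `capacity`. */
int huffman_entries_needed(const unsigned char *lens, size_t n,
                           int root_bits, int capacity) {
    int count[MAX_CODE_BITS + 1] = {0};
    long kraft = 0;
    int total = 1 << root_bits; /* first-level table */

    if (n > (1u << MAX_CODE_BITS)) return -1;
    for (size_t i = 0; i < n; ++i) {
        if (lens[i] > MAX_CODE_BITS) return -1;
        ++count[lens[i]]; /* length 0 marks an unused symbol */
    }
    /* Kraft equality: a complete code fills the code space exactly. */
    for (int len = 1; len <= MAX_CODE_BITS; ++len)
        kraft += (long)count[len] << (MAX_CODE_BITS - len);
    if (kraft != (1L << MAX_CODE_BITS)) return -1;

    for (int len = root_bits + 1; len <= MAX_CODE_BITS; ++len) {
        while (count[len] > 0) { /* open one second-level table, fill it */
            int bits = next_table_bits(count, len, root_bits);
            int slots = 1 << bits;
            total += slots;
            for (int l = len; l <= root_bits + bits && slots > 0; ++l) {
                int per = 1 << (root_bits + bits - l); /* slots per code */
                int take = count[l] < slots / per ? count[l] : slots / per;
                count[l] -= take;
                slots -= take * per;
            }
        }
    }
    return total <= capacity ? total : -1;
}
```

With an 8-bit first level, the 16-symbol constructed sample needs more entries than a flat 256-symbol code of 8-bit lengths, which is why the required size has to be derived from the lengths themselves and checked against the buffer.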

The vulnerability has been assigned CVE-2023-5129, marking it as a critical flaw in libwebp with a maximum severity rating of 10/10. This change has significant implications for other projects using the libwebp open-source library. Now officially recognized as a libwebp issue, it involves a heap buffer overflow in WebP, impacting Google Chrome versions prior to 116.0.5845.187. The vulnerability affects any software that utilizes the WebP codec, including major browsers like Chrome, Firefox, Safari, and Edge. To mitigate this threat, immediate updates are crucial. It is recommended to implement automated patch management for continuous protection.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
