Google issues critical Chrome patch addressing active zero-day

SISA Weekly Threat Watch, 04 December 2023

Last week’s cybersecurity landscape was marked by critical vulnerabilities in popular software and services, underscoring the prevalence of software flaws leading to potential data breaches and unauthorized access. Additionally, there were discoveries of backdoors used in targeted attacks and zero-day exploits in a widely used browser. These events highlighted persistent threats across various platforms, emphasizing the critical importance of prompt security updates and enhanced vigilance against potential cyber breaches.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Critical vulnerabilities expose ownCloud users to data breaches  

ownCloud, a prominent open-source file sharing software, has disclosed three critical security vulnerabilities, one of which could expose admin passwords and mail server credentials, marked as CVE-2023-49103 with a maximum CVSS v3 score of 10. This flaw impacts the environment variables of the webserver, potentially revealing sensitive information in containerized deployments. Another issue affects versions 10.6.0 to 10.13.0, scoring 9.8 on CVSS v3, allowing unauthorized access to files if a user’s username is known and no signing key is configured.

The third vulnerability, rated 9 on CVSS v3, is a subdomain validation bypass in the oauth2 library in versions below 0.6.1. Exploitation of these flaws could lead to data breaches, unauthorized access, and phishing attacks. Prompt application of fixes and updates is crucial to mitigate these risks, especially considering the increasing exploitation of such vulnerabilities by ransomware groups like CLOP targeting numerous companies worldwide. Regular security measures and community engagement are also crucial for maintaining a strong defense against potential exploits.

2. Zero-day alert: Google Chrome under active attack, exploiting new vulnerability

Google has swiftly released security patches for seven vulnerabilities in Chrome, including a zero-day exploit, CVE-2023-6345, actively exploited in the wild. This high-severity flaw, discovered by Google’s Threat Analysis Group (TAG), involves an integer overflow issue in the Skia open-source 2D graphics library. This vulnerability poses risks of system crashes and arbitrary code execution, impacting Skia-powered products like ChromeOS, Android, and Flutter.

Google is withholding the technical details of the bug until the update has reached most users, to limit the window for further exploitation. With this latest update, Google has now addressed six zero-days in Chrome this year, emphasizing its commitment to bolstering security. Users are strongly urged to update to Chrome versions 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. Chromium-based browser users should apply fixes promptly upon availability to mitigate potential threats.

3. Cyberattacks using Rust-powered SysJoker backdoor against Israel 

Cybersecurity experts have identified a Rust-based iteration of SysJoker, a sophisticated cross-platform backdoor initially detected in C++ versions. This malware has recently been deployed by threat actors targeting Israel amid regional conflicts, operating stealthily on Windows, Linux, and macOS systems. SysJoker loads its payload in memory, uses several persistence mechanisms, and employs evasion techniques that have kept it undetected across all OS variants. To avoid scrutiny, it uses random sleep intervals, layered encryption, and PowerShell modifications for persistence.

While gathering system information and communicating with a command-and-control server, this newer iteration lacks previous command execution capabilities, potentially indicating a deliberate move by developers to enhance its stealth. Researchers have suggested a potential link between SysJoker and the ‘Gaza Cybergang’ based on similarity in techniques used, notably in attacks against the Israel Electric Company. However, conclusive attribution remains uncertain despite these observed parallels. It is recommended to prioritize software updates, incident response planning, and collaboration on threat intelligence to prevent similar attacks.

4. Critical vulnerabilities alert: Zyxel NAS devices under threat 

Zyxel has recently addressed multiple critical and high-severity security vulnerabilities in its network-attached storage (NAS) devices, which could allow unauthorized system access and command execution. These vulnerabilities include improper authentication (CVE-2023-35137), command injection flaws in specific functions (CVE-2023-35138, CVE-2023-37927), and OS command execution via crafted URLs in the web server (CVE-2023-4473, CVE-2023-4474).

These NAS systems, catering to small to medium-sized businesses and creative professionals, offer centralized data storage and collaboration features. Although no specific mitigation measures were provided, Zyxel strongly recommends applying firmware updates to secure the affected NAS devices.

5. Design flaw in Google Workspace lets attackers gain unauthorized access

Cybersecurity researchers discovered a critical design flaw, dubbed DeleFriend, within Google Workspace’s domain-wide delegation (DWD) feature. This vulnerability could enable threat actors to escalate privileges without holding super admin rights. By manipulating existing delegations in Google Cloud Platform (GCP) and Workspace, attackers could access APIs, potentially compromising Gmail emails and Google Drive data and performing unauthorized actions across Workspace APIs.

The issue arises from the reliance on service account OAuth IDs rather than specific private keys, allowing threat actors to generate multiple JSON web tokens (JWTs) and gain domain-wide delegation permissions, even with limited access to a GCP project. This exploit may lead to unauthorized data access and exfiltration from various Google services. To mitigate the risks, it is recommended to limit private key creation access for IAM users and restrict OAuth scopes to essential permissions in GCP resources, adhering to the principle of least privilege.
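The least-privilege recommendation above can be turned into a routine audit of the delegations an admin exports from the Workspace Admin console. The following is an added example, not SISA's or Google's code; the delegation list, the approved-scope allowlist and the set of scopes treated as "broad" are constructed assumptions for illustration.

```python
"""Audit domain-wide delegation (DWD) grants against a least-privilege allowlist.

Added example (not from the advisory). Input is a list of delegations as an
admin would export them: OAuth client ID plus granted scopes. Sample data and
the BROAD_SCOPES set are constructed for this example.
"""
from dataclasses import dataclass, field

# Scopes that grant full read/write access to an entire service. Flagged
# whether or not they are allowlisted (assumption: never acceptable for DWD).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

@dataclass
class Delegation:
    client_id: str   # OAuth client ID of the service account holding DWD
    owner: str       # responsible team (constructed field)
    scopes: set

@dataclass
class Finding:
    client_id: str
    registered: bool             # False: no approved entry exists for this client
    broad: set = field(default_factory=set)
    unapproved: set = field(default_factory=set)

def audit(delegations, allowlist):
    """Return one Finding per delegation that exceeds its approved scopes."""
    findings = []
    for d in delegations:
        registered = d.client_id in allowlist
        broad = d.scopes & BROAD_SCOPES
        unapproved = d.scopes - allowlist.get(d.client_id, set())
        if not registered or broad or unapproved:
            findings.append(Finding(d.client_id, registered, broad, unapproved))
    return findings

# Constructed sample export: one tight delegation, one over-scoped one.
DELEGATIONS = [
    Delegation("100000000000000000001", "hr-sync",
               {"https://www.googleapis.com/auth/admin.directory.user.readonly"}),
    Delegation("100000000000000000002", "mail-archiver",
               {"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}),
]
ALLOWLIST = {
    "100000000000000000001": {"https://www.googleapis.com/auth/admin.directory.user.readonly"},
    "100000000000000000002": {"https://www.googleapis.com/auth/gmail.readonly"},
}
```

Run `audit(DELEGATIONS, ALLOWLIST)` on a real export to list every client whose granted scopes exceed what was approved; an unregistered client ID is itself a finding, since a delegation nobody approved is exactly what DeleFriend-style abuse would produce.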

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
