Google releases patches for Chrome zero-day vulnerability

SISA Weekly Threat Watch - 24 April 2023

As the cyber threat landscape continues to evolve, businesses must stay vigilant against new threats and attack vectors emerging every day. This past week, researchers highlighted an ongoing risk posed by ransomware attacks, zero-day vulnerabilities, state-sponsored hacking, and advanced persistent threats (APTs). This emphasizes the need for continued investment in cybersecurity and collaboration between organizations, government agencies, and cybersecurity researchers to stay abreast of the latest threats.

SISA Weekly Threat Watch – our weekly feature gives you a quick snapshot of the major security threats and vulnerabilities that affected organizations worldwide this week. These recurring, actionable advisories also carry recommendations that help security teams take the right steps to defend against the latest critical threats.

1. RTM Locker: Emerging cybercrime group targeting businesses with ransomware

RTM Locker is a conventional Ransomware-as-a-Service (RaaS) offering: affiliates get a web panel through which they control their attack campaigns. The panel carries the operators' rules, target lists and suggested attack strategies, and a data-release timer lets affiliates register victims, run the extortion countdown and track each campaign. Affiliates receive the ransomware payload itself; before encryption starts, it elevates privileges, deletes volume shadow copies, and stops antivirus and backup services so that the victim cannot restore from local copies.

After encryption, the locker changes the desktop wallpaper, empties the Recycle Bin and clears the Windows event logs, then runs a script that deletes the locker binary from disk. The RTM Locker panel is reachable only over the Tor network; affiliates are forbidden from linking it to any public chat service, from subcontracting the work, and from sharing the locker code. To limit the damage from this kind of intrusion, monitor outbound traffic for command-and-control beaconing, deploy a Data Loss Prevention (DLP) solution to catch bulk data exfiltration, keep automatic software updates enabled, and enforce multi-factor authentication (MFA) wherever possible.
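The pre-encryption steps listed above (shadow copy deletion, backup/AV service stops, event log clearing, self-deletion) all show up as command lines in process-creation telemetry such as Sysmon event ID 1 or Windows event 4688. The following added example, which is not code from SISA or from the RTM Locker report, scores hosts on how many of those tactics appear together; the hostnames, service names, regexes and the sample records are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, user, command line), not real RTM Locker
# telemetry. They mimic the pre-encryption steps the advisory lists: shadow copy deletion,
# backup/AV service stops, event log clearing and the locker deleting itself afterwards.
SAMPLE_EVENTS = [
    ("ws-042", r"CORP\jdoe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-042", r"CORP\jdoe", r'net stop "Veeam Backup Service" /y'),
    ("ws-042", r"CORP\jdoe", r"wevtutil.exe cl Security"),
    ("ws-042", r"CORP\jdoe", r"wevtutil.exe cl System"),
    ("ws-042", r"CORP\jdoe", r"cmd.exe /c del /f /q C:\Users\jdoe\AppData\Local\Temp\locker.exe"),
    ("srv-07", r"CORP\backupadm", r"wevtutil.exe cl Application"),   # one log clear: routine admin task
    ("srv-07", r"CORP\backupadm", r"C:\Windows\System32\notepad.exe C:\ops\runbook.txt"),
]

# Each rule maps a tactic label to a regex over the command line. The service-name list in
# the second rule is an assumption; tune it to the backup and AV products you actually run.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"bcdedit(\.exe)?.*recoveryenabled\s+no)", re.I),
    "backup_or_av_service_stop": re.compile(
        r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config)|Stop-Service)\s+.*"
        r"(veeam|backup|vss|sql|exchange|defend|acronis|sophos|mcafee|symantec)", re.I),
    "event_log_clearing": re.compile(
        r"(wevtutil(\.exe)?\s+(cl|clear-log)|Clear-EventLog)", re.I),
    "self_deletion": re.compile(
        r"cmd(\.exe)?\s+/c\s+.*\bdel\b\s+.*\.(exe|bat|dll)\b", re.I),
}


def classify(cmdline):
    """Return the set of tactic labels whose pattern matches one command line."""
    return {label for label, rx in RULES.items() if rx.search(cmdline)}


def score_hosts(events, min_tactics=2):
    """Group matches per host and flag a host once it shows at least `min_tactics`
    distinct tactics. A single hit (an admin clearing one log) is noisy on its own;
    the combination is the ransomware pre-encryption signature worth paging on."""
    seen = defaultdict(set)
    for host, _user, cmd in events:
        seen[host] |= classify(cmd)
    return {host: sorted(tactics) for host, tactics in seen.items()
            if len(tactics) >= min_tactics}


if __name__ == "__main__":
    for host, tactics in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

On the constructed input only `ws-042` is flagged; `srv-07` stays quiet because one event-log clear on its own is below the threshold. Raise `min_tactics` or add a time window if your environment runs backup jobs that stop services routinely.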

2. Urgent Chrome update released to fix actively exploited zero-day vulnerability

Google has released an emergency Chrome update for CVE-2023-2033, a zero-day that Google says is being exploited in the wild. The high-severity bug is a type confusion in the V8 JavaScript engine: a remote attacker can trigger heap corruption through a crafted HTML page, which in practice means arbitrary code execution in the browser of anyone who visits that page.

A type confusion bug occurs when code allocates or initializes a resource (a pointer, object or variable) as one type and later accesses it as an incompatible type. When V8 operates on an object under a wrong assumption about its type, field offsets no longer line up and the engine reads or writes memory outside the object it expects. That can simply crash the tab, but a crafted page uses the same primitive to corrupt the heap deliberately and gain code execution, which is why this bug is exploitable rather than merely a stability issue. Users should update to Chrome 112.0.5615.121 or later on Windows, macOS and Linux; other Chromium-based browsers use the same V8 engine and need their own vendors' updates.
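The practical check for this item is whether every managed browser install is at or above the fixed build. The added example below, which is not code from SISA or Google, compares Chrome's four-field version strings numerically and lists exposed hosts from an inventory; the hostnames and versions in the sample inventory are constructed, and the one real value is the fixed version named above.

```python
FIXED_VERSION = "112.0.5615.121"   # fixed build named in the advisory (Windows, macOS, Linux)


def parse_version(v):
    """Turn '112.0.5615.121' into (112, 0, 5615, 121).

    Chrome versions have four numeric fields. Comparing them as strings is wrong:
    '112.0.5615.49' > '112.0.5615.121' lexicographically, so a string comparison would
    report a vulnerable build as patched. Compare integer tuples instead."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def find_unpatched(inventory, fixed=FIXED_VERSION):
    """inventory: iterable of (hostname, installed_version). Returns hostnames still exposed."""
    return sorted(host for host, ver in inventory if not is_patched(ver, fixed))


# Constructed sample inventory, not real asset data.
SAMPLE_INVENTORY = [
    ("ws-001", "112.0.5615.121"),
    ("ws-002", "112.0.5615.49"),    # a string comparison would wrongly call this one patched
    ("ws-003", "113.0.5672.63"),
    ("ws-004", "111.0.5563.147"),
]

if __name__ == "__main__":
    print("still exposed:", find_unpatched(SAMPLE_INVENTORY))
```

Feed it the version column from your endpoint management export; on the constructed inventory it reports `ws-002` and `ws-004`.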

3. Hacktivist Indonesia claims to attack 12,000 Indian government websites

A hacking group calling itself 'Hacktivist Indonesia' has circulated a list of roughly 12,000 Indian government websites it says it intends to target. The list includes Aadhaar-related sites, police departments, the space and Income Tax departments, and even consulate websites. The Indian Cyber Crime Coordination Centre (I4C), drawing on open-source intelligence, has alerted CERT-In to the activity and advised it to remain vigilant. The group has used distributed denial-of-service (DDoS) attacks against government websites.

The central government has already briefed the states, through their cyber-crime and cybersecurity teams, on how to protect their websites. Security teams should continuously monitor network traffic for unusual patterns or sudden surges that could indicate a DDoS attack, conduct regular security audits to find weaknesses in the network and the web stack, and maintain an incident response plan that covers DDoS specifically: who contacts the upstream provider or scrubbing service, how rate limiting is switched on, and what is communicated to users.
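As an added example of the traffic monitoring recommended above (not code from SISA or from any of the agencies named), the following detector parses web server access-log lines, takes the first stretch of the log as a baseline rate, and flags any later second whose request count jumps well above it, together with the sources responsible. The log lines, IP ranges, thresholds and timestamps are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, two dashes, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_sample_log():
    """Constructed log: 20 s of ~3 req/s from many sources, then 5 s of 150 req/s
    from three sources, the shape of a small volumetric HTTP flood."""
    t0 = datetime(2023, 4, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(25):
        ts = (t0 + timedelta(seconds=s)).strftime(TS_FMT)
        if s < 20:
            for i in range(3):
                lines.append(f'198.51.100.{(s * 3 + i) % 200 + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
        else:
            for i in range(150):
                lines.append(f'203.0.113.{i % 3 + 10} - - [{ts}] "GET /login HTTP/1.1" 503 0')
    return lines


def detect_surge(lines, baseline_seconds=20, factor=10, min_rps=50):
    """Bucket requests per second and per source. The first `baseline_seconds` seconds
    define the normal rate; a later second is an alert when it exceeds
    max(min_rps, factor * baseline_mean). `min_rps` stops a near-idle baseline from
    turning ordinary bursts into alerts. A production detector would use a rolling
    baseline rather than a fixed leading window; this keeps the logic readable."""
    per_second = defaultdict(Counter)   # second -> Counter(ip -> requests)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than crash the detector
        ts = datetime.strptime(m["ts"], TS_FMT).replace(microsecond=0)
        per_second[ts][m["ip"]] += 1
    seconds = sorted(per_second)
    if len(seconds) <= baseline_seconds:
        return []
    baseline = seconds[:baseline_seconds]
    mean = sum(sum(per_second[s].values()) for s in baseline) / baseline_seconds
    threshold = max(min_rps, factor * mean)
    alerts = []
    for s in seconds[baseline_seconds:]:
        total = sum(per_second[s].values())
        if total > threshold:
            top = per_second[s].most_common(3)
            alerts.append({
                "second": s,
                "requests": total,
                "top_sources": top,
                # share of the flood carried by the top three sources: near 1.0 means
                # per-IP rate limiting or blocking will help; near 0 means it is
                # distributed and you need upstream scrubbing
                "top3_share": sum(c for _, c in top) / total,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_surge(make_sample_log()):
        print(a["second"].isoformat(), a["requests"], "req/s", a["top_sources"], f"share={a['top3_share']:.2f}")
```

Pipe a real access log through `detect_surge` line by line; the `top3_share` value tells you whether blocking a few sources is enough or whether the attack is distributed and needs upstream mitigation.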

4. Russian hackers linked to widespread attacks targeting NATO and EU

Poland's Military Counterintelligence Service (SKW) and CERT Polska have linked APT29, a state-sponsored group attributed to Russia's Foreign Intelligence Service (SVR), to a series of attacks on NATO and EU member states. Initial access came through spear-phishing: APT29 sent emails impersonating the embassies of European countries, aimed at selected individuals in specific organizations.

The emails carry a malicious attachment or a direct link to ENVYSCOUT, a loader delivered as an HTML file that drops further malware packaged in ISO, IMG or ZIP containers. Once the user opens the container, the attackers launch their malware by a variety of methods, including DLL side-loading, in which a legitimate signed executable placed next to a malicious DLL loads that DLL by name. The campaign's goal is to steal information from foreign ministries and diplomatic bodies. To reduce exposure, disable users' ability to mount disk image files by double-clicking them, and have administrators monitor for disk images being mounted, since mounting is the step that presents the attacker's files to the user as an ordinary drive.
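Blocking mounts on the endpoint is one layer; the other is catching the containers at the mail gateway. The added example below is not code from SISA, CERT Polska or the campaign report; it scans an attachment held in memory for a disk image (by extension and, for a renamed ISO, by the ISO 9660 signature), and opens ZIP attachments to look for nested images, shortcut files and the EXE-beside-DLL layout used for side-loading. The file names, the blocked-extension set and the sample archive are all constructed.

```python
import io
import os
import zipfile

# Extensions the advisory names as ENVYSCOUT's containers; treating them as blocked by
# default at the gateway is an assumption of this example, as is the member list below.
DISK_IMAGE_EXT = {".iso", ".img"}
ISO9660_MAGIC_OFFSET = 0x8001   # the "CD001" volume descriptor identifier sits here in ISO 9660


def _ext(name):
    return os.path.splitext(name.lower())[1]


def looks_like_iso(data):
    """Content check that works even when the sender renamed image.iso to report.pdf."""
    return data[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + 5] == b"CD001"


def scan_attachment(filename, data):
    """Return a list of (tag, detail) findings for one attachment (name, raw bytes)."""
    findings = []
    ext = _ext(filename)
    if ext in DISK_IMAGE_EXT:
        findings.append(("disk_image", filename))
    elif looks_like_iso(data):
        # the bytes say ISO 9660 while the name says otherwise: extension filters miss this
        findings.append(("disk_image_disguised", filename))
    if ext == ".zip" or data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return findings + [("malformed_zip", filename)]
        by_ext = {}
        for m in members:
            by_ext.setdefault(_ext(m), []).append(m)
        for img in (m for m in members if _ext(m) in DISK_IMAGE_EXT):
            findings.append(("nested_disk_image", f"{filename}:{img}"))
        for lnk in by_ext.get(".lnk", []):
            # a Windows shortcut inside an archive is the usual click-to-run lure
            findings.append(("shortcut_in_archive", f"{filename}:{lnk}"))
        if by_ext.get(".exe") and by_ext.get(".dll"):
            # an executable shipped beside a DLL is the side-loading layout described above
            findings.append(("exe_plus_dll", f"{filename}:{by_ext['.exe'][0]}+{by_ext['.dll'][0]}"))
    return findings


def make_sample_zip():
    """Constructed archive mimicking a lure: shortcut + benign-looking EXE + DLL to be side-loaded.
    The member contents are placeholder bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.lnk", b"L\x00\x00\x00")
        zf.writestr("Invitation.exe", b"MZ")
        zf.writestr("version.dll", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invitation.zip", make_sample_zip()),
                       ("report.pdf", b"\x00" * ISO9660_MAGIC_OFFSET + b"CD001"),
                       ("notes.txt", b"hello")]:
        print(name, scan_attachment(name, blob))
```

The scan only inspects names and a fixed-offset signature, so it is cheap enough to run on every inbound attachment; anything it tags should be quarantined for a proper sandbox detonation rather than delivered with a warning.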

5. MuddyWater APT group leverages SimpleHelp remote support software for persistent access

The MuddyWater threat actor has for several years used legitimate remote-access services to stay under the radar. In the fall of 2022 the group added SimpleHelp, another legitimate remote support product, to its toolkit in order to reach more victims. Once installed, the tool lets the attackers connect remotely and run commands on the victim's device, including ones that require administrator rights.

Victims receive phishing emails with links to SimpleHelp installers hosted on online storage services such as OneDrive, Dropbox or OneHub. Once SimpleHelp is installed, the attackers use it for hands-on access to the compromised system and then deliver the final payloads. Hunt for MuddyWater's known network indicators, and more generally for remote support tools the organization has not sanctioned, and deploy corporate email security controls so that corporate mailboxes cannot be used as the initial attack vector.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
