Advisory ID: ngCERT-2024-0010
Summary:
A threat researcher uncovered an arbitrary command injection vulnerability and a backdoor account flaw in four old D-Link NAS models that could be exploited to compromise internet-facing devices. Reports further indicate that over 92,000 devices globally have been affected. Cyber criminals could exploit these flaws to perform arbitrary command execution, alter the system configuration or cause a Denial of Service (DoS), while gaining access to sensitive information on the affected system.
Damage/Probability: CRITICAL/HIGH
Platform(s): D-Link NAS devices (CVE-2024-3273)
Description:
The vulnerabilities, tracked together as CVE-2024-3273, consist of a backdoor in the form of a hardcoded account (username "messagebus" with an empty password) and a command injection flaw via the "system" parameter. When chained together, they allow an attacker to remotely execute commands on the device. A threat actor could craft a malicious HTTP request targeting the nas_sharing.cgi (Common Gateway Interface) script; the hardcoded account in that script serves as a backdoor, because the exposed username and password are enough to get in. The response to such a request contains the decoded value of the system parameter sent in the request, alongside the username (user=messagebus) and the empty password (passwd=). This grants threat actors unauthorized access without any proper authentication. Additionally, command injection through the system parameter can be used to alter the system configuration or cause a denial of service. Some of the device models impacted by CVE-2024-3273 are:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
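Because the flaw lives in a single CGI endpoint and is driven by two named query parameters, requests that abuse it are easy to pick out of a reverse-proxy or device access log. The following is an added example written for this advisory, not code from ngCERT or D-Link: it parses Common Log Format lines and flags requests to nas_sharing.cgi that carry the hardcoded "messagebus" username or a non-empty "system" parameter. The log lines, addresses and the PLACEHOLDER value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format; the addresses,
# timestamps and the PLACEHOLDER value are made up and not from any real device.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Apr/2024:10:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=PLACEHOLDER HTTP/1.1" 200 512
192.0.2.11 - - [08/Apr/2024:10:00:02 +0000] "GET /cgi-bin/index.html HTTP/1.1" 200 1024
192.0.2.12 - - [08/Apr/2024:10:00:03 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice&passwd=secret HTTP/1.1" 200 300
"""

# The fields of a Common Log Format line that the checks below need.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one log line into source, timestamp, path, query parameters and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so that an empty "passwd=" still shows up as a parameter
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": {k: v[0] for k, v in query.items()},
        "status": int(m.group("status")),
    }


def assess(rec):
    """Return the reasons a parsed request looks like CVE-2024-3273 abuse (empty if none)."""
    if rec is None or rec["path"].rsplit("/", 1)[-1] != "nas_sharing.cgi":
        return []
    reasons = []
    if rec["params"].get("user") == "messagebus":
        reasons.append("hardcoded-account")
    if rec["params"].get("system"):
        reasons.append("system-parameter")
    return reasons


def scan(log_text):
    """Run assess() over every line and collect the flagged requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = assess(rec)
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} HTTP {f['status']}: {', '.join(f['reasons'])}")
```

A 200 response on a flagged line is the case that warrants incident handling rather than just blocking, since the advisory notes the device answers such requests with the decoded parameter value; a legitimate user logging in through nas_sharing.cgi (third sample line) is not flagged.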
Consequences:
Successful exploitation of this vulnerability could lead to the following:
- Unauthorized access to sensitive information.
- Data exfiltration.
- Modification of system configurations.
- Denial of Service (DoS).
Solution:
There will be no patches for this flaw. It affects legacy D-Link products, across all hardware revisions, which have reached their End of Life ("EOL")/End of Service Life ("EOS") life cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. It is therefore recommended that:
- D-Link devices that have reached EOL/EOS be retired and replaced.
- If consumers continue to use these devices against D-Link's recommendation, please make sure the device has the last known firmware which can be located on the Legacy Website link (https://legacy.us.dlink.com/).
- Make sure you frequently update the device's unique password for access to its web configuration, and always have Wi-Fi encryption enabled with a unique password.
- Users are also advised not to expose management interfaces to the internet.
- Users should disable UPnP (Universal Plug and Play) and connections from remote Internet addresses unless they're absolutely necessary and configured correctly.
References:
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
- https://cybersecuritynews.com/d-link-nas-command-injection-impact/
- https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/amp/
Advisory ID: NCC-CSIRT-030424-006
Summary:
Several vulnerabilities have been identified in Google Chrome that could be exploited by attackers to compromise systems and data. These vulnerabilities pose a serious risk to customers and organizations worldwide, ranging from remote code execution to data and information disclosure.
Threat Type(s): Denial of Service (DoS), User Interface (UI) Spoofing, Remote Code Execution (RCE)
Impact/Vulnerability: HIGH/HIGH
Product(s): Google Chrome
Platform(s): Google Chrome for Windows, macOS and Linux; Google Chrome for Android and iOS
Version(s): All Versions.
Description:
The vulnerabilities affect various components of Google Chrome including:
- Type Confusion Vulnerabilities: Type confusion vulnerabilities can cause memory corruption and even provide an opportunity for code execution in some Chrome operations.
- Use-After-Free Vulnerabilities: These flaws in Chrome's memory management could be used to execute arbitrary code or cause a denial of service.
- Insecure Origin Policy Bypass: Attackers might be able to obtain sensitive data across origins if they manage to bypass some of the controls in Chrome's security model.
- UI Spoofing Attacks: Users may be tricked into engaging with malicious content by manipulation of Chrome's user interface, which could result in undesired behaviour or the disclosure of confidential information.
Consequences:
The identified vulnerabilities in Google Chrome pose risks to users and organizations, potentially leading to:
- Execution of arbitrary code
- Access to sensitive information
- Denial of Service (DoS)
- UI manipulation to deceive users.
- Compromise of user privacy
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps.
- Update Google Chrome: Ensure that Google Chrome is updated to the latest version available. Google frequently releases security patches and updates to address known vulnerabilities. Users can manually check for updates by navigating to Chrome's settings and selecting the "About Chrome" option.
- Proceed with Caution: Avoid clicking on suspicious links or downloading files from untrusted sources while browsing the web. Be cautious when connecting with content or websites you are not familiar with.
- Utilize Security Features: Turn on built-in security measures like Safe Browsing to guard against malware, phishing scams, and other dangerous websites.
- Report Security Issues: If you discover any suspicious activity or believe you have encountered a security vulnerability in Google Chrome, report it to Google immediately through their Vulnerability Reward Program or security reporting mechanisms.
Advisory ID: ngCERT-2024-0009
Summary:
Several critical zero-day and high-severity vulnerabilities have been reported in Mozilla products and in the Google Chrome browser. Attackers could leverage these vulnerabilities to run arbitrary code, circumvent security measures, or cause crashes on vulnerable systems. Mozilla and Google have issued security updates to address the discovered vulnerabilities. As a result, users are advised to upgrade their products to the latest versions as recommended.
Damage/Probability: HIGH/HIGH
Platform(s): Mozilla products and Google Chrome
Description:
The critical zero-day vulnerabilities in Mozilla products are identified as an out-of-bounds memory access vulnerability (CVE-2024-29943) and a privileged JavaScript execution vulnerability (CVE-2024-29944). The out-of-bounds memory access vulnerability exists in the JavaScript engine and can be exploited by attackers to corrupt memory and potentially execute arbitrary code, while the privileged JavaScript execution vulnerability exists in the handling of event handlers and allows attackers to inject malicious code into privileged objects. This vulnerability can be exploited to gain complete control over the browser process. Furthermore, in Google Chrome the critical vulnerabilities identified are a Use-After-Free (UAF) vulnerability and a type confusion vulnerability. Attackers could exploit Use-After-Free (UAF) vulnerabilities to perform malicious operations such as arbitrary reads, writes, and code execution. Also, once an attacker obtains process information, it becomes easier to bypass system security defence tools. These vulnerabilities could allow a remote attacker to exploit heap corruption via a crafted HTML page to execute arbitrary code. Other high-severity vulnerabilities in the Mozilla products include CVE-2024-2615, CVE-2024-2605, CVE-2024-2606, CVE-2024-2607, CVE-2024-2608, CVE-2024-2614, CVE-2024-0743, and CVE-2024-2616.
Consequences:
Exploitation of the aforementioned vulnerabilities could lead to:
- Unauthorised access.
- System compromise
- Data breach and exfiltration.
- Damage to reputation.
- Denial of Service (DoS)
Solution:
Mozilla and Google have issued security updates addressing the aforementioned vulnerabilities. It is therefore recommended that users:
- Update Mozilla products and Google Chrome to the latest versions as recommended by the vendors.
References:
Advisory ID: ngCERT-2024-0006
Summary:
Security researchers have revealed a new tactic deployed by cyber criminals to hack Windows systems. The elaborate attack campaign, nicknamed DEEP#GOSU, is likely associated with the group tracked as Kimsuky. This campaign is an eight-stage attack chain that employs PowerShell and VBScript malware to infect Windows systems and harvest sensitive information, with implications for data and financial losses. Users of Windows systems are therefore advised to take the proactive steps provided herein to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Description:
The malware payloads deployed in DEEP#GOSU represent a sophisticated, multi-stage attack designed to operate stealthily on Windows systems, particularly from a network monitoring perspective. The attack chain involves keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, as well as persistence through RAT software for complete remote access, scheduled tasks, and self-executing PowerShell scripts run as jobs. Notably, the infection procedure leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), allowing the threat actor to blend undetected into regular network traffic. Additionally, using such cloud services to stage the payloads gives the threat actor an avenue to update the malware's functionality and deliver additional modules.
The starting point of the attack is the distribution of phishing emails with malicious attachments: a ZIP archive containing a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk"). The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document; the script reaches out to actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin"). The second-stage PowerShell script, in turn, fetches a new file from Dropbox ("r_enc.bin"), a .NET assembly in binary form that is actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT), with capabilities to record keystrokes, manage files, and facilitate remote control. The later stages of the attack install a script that executes at random times within a matter of hours to help monitor and control systems and provide persistence. The final stage monitors user activity by logging keystrokes on the compromised system.
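The initial access vector above, a ZIP attachment holding a shortcut file with a decoy ".pdf" in its name, can be screened at the mail gateway before the archive reaches a user. Below is an added example written for this advisory, not code from ngCERT or the referenced researchers: it lists the members of a ZIP archive and flags shortcut and script extensions, separately marking the double-extension case (decoy document extension followed by a script extension). The archive and its member contents are constructed placeholders; only the flagged file name matches the one quoted in the advisory.

```python
import io
import zipfile

# Document/image extensions commonly used as a decoy in front of the real extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
# Extensions Windows will execute (or follow, for .lnk) from a double-click.
SCRIPT_EXTS = {"lnk", "ps1", "vbs", "vbe", "js", "jse", "hta", "cmd", "bat", "wsf"}


def classify_member(name):
    """Return 'double-extension', 'script' or None for one archive member name."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return None
    if parts[-1] not in SCRIPT_EXTS:
        return None
    # e.g. "IMG_20240214_0001.pdf.lnk": a decoy extension directly before the real one
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def inspect_zip(data):
    """List (member name, kind) for archive members that look like script payloads."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An attachment that claims to be a ZIP but is not deserves a look of its own.
        return [("<archive>", "not-a-zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            kind = classify_member(info.filename)
            if kind:
                findings.append((info.filename, kind))
    return findings


def build_sample_zip():
    """Construct an in-memory archive shaped like the lure; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG_20240214_0001.pdf.lnk", b"constructed placeholder; not a real shortcut")
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("notes/update.vbs", b"' constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind in inspect_zip(build_sample_zip()):
        print(f"{kind:17} {member}")
```

Name-based screening is deliberately cheap and catches the lure as distributed; it does not replace detonation or content inspection, and a gateway policy would normally quarantine any archive with a "double-extension" hit rather than only log it.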
Consequences:
A successful attack could result in the following:
- Data exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised accounts.
- Additional breaches of other linked accounts.
- Ransomware attacks.
Solution:
It is therefore recommended that Windows users should:
- Avoid opening suspicious mails.
- Avoid clicking on untrusted links.
- Patch and update software as soon as options are available.
- Avoid downloading files or attachments from external sources, especially if the source was unsolicited.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged in subdirectories in %APPDATA%.
- Deploy robust endpoint logging capabilities.
References:
- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html/
- https://www.darkreading.com/vulnerabilities-threats/north-korea-linked-group-level-multistage-cyberattack-on-south-korea/
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
Advisory ID: ngCERT-2024-0005
Summary:
AdLoad is a persistent and intrusive malware that mainly targets the Mac Operating System (macOS), but is also known to infect systems running the Windows Operating System (WinOS).
Damage/Probability: MODERATE/HIGH
Description:
AdLoad is a Trojan malware that creates a backdoor into an affected system so that other malware or Potentially Unwanted Programs (PUPs) can be introduced into the system. It can also collect system information and transmit it to its command-and-control (C2) server.
Consequences: A compromised system could allow threat actors to perform the following functions:
- Turn affected machines into bots for malicious campaigns.
- Redirect users to malicious websites.
- Insert rogue advertisements into web pages to generate advertisement revenue.
- Affect the performance of infected systems.
- Install key-loggers to steal personal credentials.
Detection:
The most effective method of detecting rogue applications such as AdLoad is to use anti-malware software. However, the following are other indicators of the malware on an infected system:
- Reduced system performance.
- Unsolicited popup advertisement in browsers or search engine results.
- It is also commonly known to store its LaunchDaemon file in the local domain Library and its LaunchAgent file in the user's Library on macOS. For example, if the malware uses the name "DataSearch", it stores "com.DataSearch.plist" in "~/Library/LaunchAgents/" and points it at the executable file "~/Library/Application Support/com.DataSearch/DataSearch".
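The persistence layout described in the last indicator (a launchd plist whose label is com.<Name> and whose program is <Name> inside an Application Support folder of the same label) is specific enough to check for with a script. The following is an added example written for this advisory, not code from ngCERT or any vendor: it reads every plist under a Library's LaunchAgents and LaunchDaemons folders with plistlib, flags items whose executable lives under that Library's Application Support folder, and marks the AdLoad naming pattern separately. The demo builds a throwaway Library in a temporary directory with one constructed AdLoad-style agent and one benign agent; the "DataSearch" name is the one from the advisory, the benign "com.example.sync" agent is made up.

```python
import plistlib
import tempfile
from pathlib import Path


def load_launch_items(library_dir):
    """Read every launchd plist under <library>/LaunchAgents and <library>/LaunchDaemons."""
    items = []
    for sub in ("LaunchAgents", "LaunchDaemons"):
        folder = Path(library_dir) / sub
        if not folder.is_dir():
            continue
        for plist_path in sorted(folder.glob("*.plist")):
            try:
                with plist_path.open("rb") as fh:
                    data = plistlib.load(fh)
            except (plistlib.InvalidFileException, OSError):
                # A launch item launchd cannot parse is still worth a look by an analyst.
                items.append({"file": str(plist_path), "label": "", "program": None,
                              "run_at_load": False, "unreadable": True})
                continue
            args = data.get("ProgramArguments") or []
            program = data.get("Program") or (args[0] if args else None)
            items.append({"file": str(plist_path), "label": str(data.get("Label", "")),
                          "program": program, "run_at_load": bool(data.get("RunAtLoad", False)),
                          "unreadable": False})
    return items


def assess_item(item, library_dir):
    """Return the reasons one launch item matches the AdLoad indicators (empty if none)."""
    if item["unreadable"]:
        return ["unreadable-plist"]
    if not item["program"]:
        return []
    prog = Path(item["program"])
    app_support = Path(library_dir) / "Application Support"
    reasons = []
    under_app_support = app_support in prog.parents
    if under_app_support:
        reasons.append("executable-under-application-support")
    label = item["label"]
    name = label[4:] if label.startswith("com.") else ""
    # com.<Name>.plist -> .../Application Support/com.<Name>/<Name>, as in the advisory
    if under_app_support and name and prog.parent.name == label and prog.name == name:
        reasons.append("adload-naming-pattern")
    if reasons and item["run_at_load"]:
        reasons.append("run-at-load")
    return reasons


def scan_library(library_dir):
    """Scan one Library folder (e.g. ~/Library or /Library) and collect flagged items."""
    findings = []
    for item in load_launch_items(library_dir):
        reasons = assess_item(item, library_dir)
        if reasons:
            findings.append({"file": item["file"], "label": item["label"], "reasons": reasons})
    return findings


def build_demo_library(root):
    """Construct a fake ~/Library with one AdLoad-style agent and one benign agent."""
    lib = Path(root) / "Library"
    agents = lib / "LaunchAgents"
    agents.mkdir(parents=True)
    exe = lib / "Application Support" / "com.DataSearch" / "DataSearch"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"constructed placeholder, not a real binary")
    with (agents / "com.DataSearch.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.DataSearch", "ProgramArguments": [str(exe)],
                       "RunAtLoad": True}, fh)
    with (agents / "com.example.sync.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.sync",
                       "Program": "/Applications/Sync.app/Contents/MacOS/Sync",
                       "RunAtLoad": True}, fh)
    return lib


def demo():
    """Run the scanner against the constructed Library and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_library(build_demo_library(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {', '.join(f['reasons'])}")
```

On a real host the same scan_library() call would be run against both ~/Library (LaunchAgents) and /Library (LaunchDaemons), since the advisory notes AdLoad uses both domains; executables under Application Support are not malicious by themselves, so the "executable-under-application-support" reason alone is a triage cue while "adload-naming-pattern" is the strong indicator.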
Solution:
Guidance for End Users:
- Perform regular system scans using reputable antivirus programs.
- Ensure operating systems and applications are kept up to date.
- Ensure antivirus applications are updated.
- Avoid using binaries from free file-hosting sites, file-sharing networks, and third-party installers.
- Avoid installing additional apps or offers that are displayed during installation.
- Change passwords regularly for devices and shopping sites.
Guidance for Enterprise Administrators:
- Restrict access to privileged resources such as the LaunchDaemons and LaunchAgents folders or the sudoers file through macOS enterprise management solutions. This helps mitigate common persistence and privilege escalation techniques.
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites.
- Turn on network protection to block connections to malicious domains and IP addresses.
- Install apps from trusted sources.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2).
- Prevent the use of unauthorized apps with application control.
- Run the latest version of operating systems and applications.
- Deploy latest security updates and patches when available.
- Educate end users on preventing malware infections. Encourage end users to practice good credential hygiene and limit the use of accounts with local or domain admin privileges.
References: