Thursday, December 7, 2023

Emergency!! Hackers Actively Exploiting Chrome Zero-day Bug in Wide – Update Now

This is an emergency notice for all Chrome users!!!

Google released an emergency update for Chrome that patches two new use-after-free vulnerabilities which include a zero-day bug that is actively exploiting in wide.

New stable channel update to Chrome 78.0.3904.87 released for Windows, Mac, and Linux.

Researchers from Kaspersky discovered an unknown zero-day exploit for chrome browser and they called it as operation WizardOpiu.

Threat actors who behind this attack is unknown, but the code similarities indicate that the attack possibly linked with Lazarus group, an unknown team of hackers who are using Zero-days, spearphishing, malware, backdoors to attack various financial organization around the world.

The use-after-free vulnerability (tracked as CVE-2019-13720) affects the audio component of the web browser and the bug has been reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs.

Another use-after-free vulnerability has been uncovered as CVE-2019-13721 and fixed in this update which was reported by bug hunter bananapenguin. Google rewarded a bounty of $7,500.

The use-after-free vulnerability is a type of memory corruption flaw that allows an attacker to corrupt memory to escalates the privilege and take over the complete control of the vulnerable system by executing the arbitrary code remotely.

Exploiting the Chrome Zero-day

Researchers initial uncovered a malicious activity that leverages the waterhole type injection in the Korean site where the attacker inserted a weaponized javascript code on the main page.

The Javascript code load another remote script from the website hxxp://code.jquery.cdn.behindcorona[.]com and drops the anther script .charlie.XXXXXXXX.js that check the victim’s browser’s user agent to ensure that the system is vulnerable to infection and also it tries to extract the browser name and version.

“If the script found that the system browser is vulnerable then it tries to exploit the bug in Google Chrome browser and the script checks if the version is greater or equal to 65 “

Script checks the browser version

Later the malicious javascript establishes a connection to the remote server and downloads the bunches of chunks of the exploit code.

Once its all downloaded then the RC4 script decrypts the chunks where the attacker receives the new JavaScript code containing the full browser exploit. 

Downloaded browser exploit is completely obfuscated and the researchers de-obfuscate and uncovered that it has made another request against the user agent’s string and the second time it checks that the browser version is 76 or 77.

Researchers believe that “It could mean that the exploit authors have only worked on these versions (a previous exploitation stage checked for version number 65 or newer) or that other exploits have been used in the past for older Chrome versions.”

According to Kaspersky research ” The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker and a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case. “

Trigger the Use After Free Vulnerability

Once the exploit found the vulnerable victims, it immediately tries to trigger the UAF to perform an information leak about important 64-bit addresses.

It causes the following result to the attackers:

1) if an address is leaked successfully, it means the exploit is working correctly;
2) a leaked address is used to know where the heap/stack is located and that defeats the address space layout randomization (ASLR) technique;
3) a few other useful pointers for further exploitation could be located by searching near this address.

Along with this operation, it tries to perform various other processes such as allocate/free memory and bunches of other operations give the attackers to read/write an arbitrary code and take the complete control of the system.

The patch has already availed for all platforms such as Windows, Mac, and Linux. We recommend all the chrome users to immediately update the browsers and apply the patch to prevent this attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Website

Latest articles

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being...

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles