Programmer’s Digest #63
12/20/2023-12/27/2023 New Chrome Zero-Day Vulnerability, Ivanti Releases Patches, Poorly Secured Linux SSH Servers Under Attack And More.
1. Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild – Update ASAP
Google has released security updates for Chrome addressing a high-severity zero-day (CVE-2023-7024), a heap-based buffer overflow in the WebRTC framework that can crash the browser or lead to arbitrary code execution. Google confirms that an exploit exists in the wild but, as usual, withholds technical details until most users have updated. This is the eighth actively exploited Chrome zero-day fixed since the start of the year; for context, 26,447 vulnerabilities were disclosed across all software in 2023. It remains unclear whether the flaw also affects other WebRTC-capable browsers such as Mozilla Firefox and Apple Safari. Users should update to Chrome 120.0.6099.129/130 (Windows) or 120.0.6099.129 (macOS and Linux); note that the update only takes effect after the browser is restarted.
2. Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware
Attackers are exploiting an old Microsoft Office vulnerability (CVE-2017-11882) in phishing campaigns to distribute Agent Tesla malware, warns Zscaler ThreatLabz. The lures are invoice-themed messages carrying decoy Excel documents; opening the attachment triggers the memory corruption flaw in the legacy Equation Editor component and runs code with the privileges of the logged-in user. No further interaction is needed: the document reaches out to a malicious destination and downloads additional files. The next stage is an obfuscated Visual Basic Script that fetches a JPG file carrying a Base64-encoded DLL. The DLL is decoded and injected into RegAsm.exe, a legitimate .NET utility used here to blend in, which then launches Agent Tesla, a keylogger and remote access trojan.
CVE-2017-11882 was patched in November 2017. The campaign works only against Office installations that never received that fix, so the practical lesson is that Office patch level, not just Windows patch level, has to be tracked, and that downloads or process injection originating from Office or RegAsm.exe deserve scrutiny.
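As an added example (written for this digest, not code from the Zscaler report or the campaign), a small Python scanner that applies the indicator described above: it looks past the JPEG End-Of-Image marker for a long Base64 run, decodes it, and checks whether the result has a PE (DLL) header. The sample image and the fake DLL are constructed inline. The assumption that the payload is appended after the EOI marker is mine; the report only says the JPG carries a Base64-encoded DLL, so a real sample might place the text elsewhere in the file.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Constructed fake "DLL": an MZ header whose e_lfanew field (offset 0x3C)
# points at a PE signature at offset 0x40. Harmless bytes, not a real binary.
FAKE_DLL = (
    b"MZ" + b"\x00" * 58            # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    + b"PE\x00\x00" + b"\x00" * 32  # PE signature plus padding
)


def build_sample(payload: bytes) -> bytes:
    """Constructed JPEG: SOI, APP0, one fake quantisation table, EOI, then the
    Base64-encoded payload appended as a trailer (assumed delivery layout)."""
    return (
        JPEG_SOI
        + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
        + b"\xff\xdb\x00\x43" + b"\x00" * 65                                # DQT
        + JPEG_EOI
        + base64.b64encode(payload)
    )


SAMPLE_IMAGE = build_sample(FAKE_DLL)

# A Base64 run of at least 64 characters; shorter runs are too noisy to flag.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def carve_trailing_base64(data: bytes):
    """Return (offset, decoded_bytes) for a Base64 run after the last EOI marker, else None."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return None
    trailer_start = eoi + len(JPEG_EOI)
    m = BASE64_RUN.search(data[trailer_start:])
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(0), validate=True)
    except binascii.Error:
        return None
    return trailer_start + m.start(), decoded


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Report whether a JPEG carries a Base64 trailer and whether it decodes to a PE file."""
    carved = carve_trailing_base64(data)
    if carved is None:
        return {"trailer_found": False, "pe_payload": False}
    offset, payload = carved
    return {
        "trailer_found": True,
        "offset": offset,
        "payload_len": len(payload),
        "pe_payload": looks_like_pe(payload),
    }


if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

A Base64 trailer on its own is not proof of malice (some tools append metadata), so the PE check is what turns the finding into an alert; in practice the decoded payload would be hashed and handed to further analysis rather than executed.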
 
3. Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware
A phishing campaign uses decoy Microsoft Word documents to deliver a backdoor written in the Nim programming language. Nim is rarely seen in malware, so analysts and detection tooling have little familiarity with its compiled output. Netskope researchers describe the attack chain: a phishing email impersonating a Nepali government official carries a Word attachment, and once the recipient enables macros the Nim backdoor is dropped and connects to remote servers whose names mimic Nepali government domains. Nim's cross-compilation support lets the attackers maintain one code base and build it for several platforms. In parallel, other threat actors are experimenting with new malware strains while phishing campaigns continue to distribute known families such as DarkGate and NetSupport RAT via email and compromised websites. Proofpoint has tracked at least 20 DarkGate campaigns by one actor that later switched to NetSupport RAT; the same campaigns exploited a Windows SmartScreen bypass (CVE-2023-36025) as a zero-day about a month before its public disclosure.
4. Ivanti Releases Patches For 13 Critical Avalanche RCE Flaws
Ivanti has issued critical security updates for its Avalanche enterprise mobile device management (MDM) solution, addressing 13 vulnerabilities. The flaws, stack- and heap-based buffer overflows among them, allow unauthenticated remote code execution and put the more than 100,000 mobile devices managed by the product at risk. Exploitation requires only that an attacker send specially crafted data packets to the Mobile Device Server, so exposure of that service to untrusted networks should be reviewed alongside patching. All supported versions (6.3.1 and above) are affected, and Ivanti urges customers to update to Avalanche 6.4.2. The release also fixes eight medium- and high-severity bugs covering denial of service, remote code execution, and server-side request forgery. This follows Ivanti's fix for critical Avalanche buffer overflows in August and the in-the-wild chaining of MobileIron Core zero-days by threat actors in September.
5. Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
Poorly secured Linux SSH servers are being targeted by threat actors who install port scanners and dictionary attack tools on them. The aim is to compromise further servers for cryptocurrency mining and distributed denial-of-service (DDoS) attacks. AhnLab's Security Emergency Response Center (ASEC) reports that the attackers may also sell the harvested IP addresses and account credentials on the dark web. The attack begins with a dictionary attack against SSH credentials; once in, the actors deploy malware, including scanners that look for other systems with port 22 (SSH) open and attack them with the same dictionary technique, so the infection propagates. One notable step is running "grep -c ^processor /proc/cpuinfo" to count CPU cores, presumably to size the mining workload. ASEC attributes the toolset to "PRG old Team" and says it has been in use since 2021. ASEC advises strong, periodically rotated passwords and up-to-date systems. Beyond that, the practical defences against this pattern are to disable password authentication in favour of SSH keys, to rate-limit or temporarily block sources with repeated failures (for example with fail2ban), and to restrict which networks can reach port 22 at all.
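As an added example (written for this digest, not code from the ASEC report), a Python triage script for the attack pattern above: it parses sshd authentication lines from a constructed auth.log excerpt, counts failed password attempts per source address, records how many distinct usernames were tried (the signature of a dictionary attack rather than a forgotten password), and flags a password login that was accepted from an address which had already crossed the failure threshold, which is the case that needs incident response rather than just a block rule. The log format, the IP addresses (RFC 5737 documentation ranges) and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not from the ASEC report). Six different
# usernames are tried from 203.0.113.45 before a password login succeeds;
# 198.51.100.7 is a normal key-based login with one rejected key first.
SAMPLE_AUTH_LOG = """\
Dec 21 03:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec 21 03:14:09 web1 sshd[2233]: Failed password for root from 203.0.113.45 port 51024 ssh2
Dec 21 03:14:11 web1 sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51026 ssh2
Dec 21 03:14:13 web1 sshd[2237]: Failed password for invalid user ubuntu from 203.0.113.45 port 51028 ssh2
Dec 21 03:14:15 web1 sshd[2239]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Dec 21 03:14:17 web1 sshd[2241]: Failed password for invalid user pi from 203.0.113.45 port 51032 ssh2
Dec 21 03:14:20 web1 sshd[2243]: Accepted password for deploy from 203.0.113.45 port 51034 ssh2
Dec 21 03:15:01 web1 sshd[2251]: Failed publickey for alice from 198.51.100.7 port 40010 ssh2: ED25519 SHA256:AAAA
Dec 21 03:15:02 web1 sshd[2251]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2: ED25519 SHA256:BBBB
Dec 21 03:15:30 web1 sshd[2260]: Connection closed by authenticating user root 203.0.113.45 port 51040 [preauth]
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return a dict with result/method/user/ip for an auth event, or None for other lines."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines, threshold: int = 5) -> dict:
    """Per source IP: failed password count, distinct usernames tried, and the
    account (if any) that logged in by password after the threshold was crossed."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_spray": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        if ev["result"] == "Failed" and ev["method"] == "password":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif (ev["result"] == "Accepted" and ev["method"] == "password"
              and s["failures"] >= threshold):
            # A password success after a spray is the compromise indicator.
            s["success_after_spray"] = ev["user"]
    return dict(stats)


def brute_force_alerts(lines, threshold: int = 5) -> list:
    """Alerts for every source that crossed the failure threshold."""
    alerts = []
    for ip, s in analyze(lines, threshold).items():
        if s["failures"] >= threshold:
            alerts.append({
                "ip": ip,
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "likely_compromised": s["success_after_spray"] is not None,
                "account": s["success_after_spray"],
            })
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Distinct usernames matter as much as the raw failure count: one user failing ten times is a typo, ten users failing once each from the same address is a wordlist. On a real host the same logic would be run over journald output (`journalctl -u ssh`) or `/var/log/secure`, and an alert with `likely_compromised` set should trigger a look at what that account did next, starting with new processes, cron entries and outbound connections to port 22.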
