Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update.
The company released 86.0.4240.183 for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users.
The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google’s Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero on October 29.
The company also warned that it “is aware of reports that an exploit for CVE-2020-16009 exists in the wild.”
Google has not made public any details about the bug or the exploit used by threat actors, so that a majority of users can install the updates and other adversaries cannot develop their own exploits leveraging the flaw.
Aside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate zero-day in Chrome for Android that was being exploited in the wild — a sandbox escape flaw tracked as CVE-2020-16010.
The zero-day disclosures come two weeks after Google fixed a critical buffer overflow flaw (CVE-2020-15999) in the FreeType font library.
Then late last week, the company revealed a Windows privilege escalation zero-day (CVE-2020-17087) that was employed in combination with the above font rendering library flaw to crash Windows systems.
The search giant has not yet clarified whether the same threat actor was exploiting the two zero-days.
A week after the US government issued an advisory about a “global intelligence gathering mission” operated by North Korean state-sponsored hackers, new findings have emerged about the threat group’s spyware capabilities.
The APT, dubbed “Kimsuky” (aka Black Banshee or Thallium) and believed to be active as early as 2012, has now been linked to as many as three hitherto undocumented pieces of malware, including an information stealer, a tool equipped with malware anti-analysis features, and a new server infrastructure with significant overlaps to its older espionage framework.
“The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe,” Cybereason researchers said in an analysis yesterday.
Last week, the FBI and departments of Defense and Homeland Security jointly released a memo detailing Kimsuky’s tactics, techniques, and procedures (TTPs).
Leveraging spear-phishing and social engineering tricks to gain initial access to victim networks, the APT has been known to specifically target individuals identified as experts in various fields, think tanks, the cryptocurrency industry, and South Korean government entities, in addition to posing as journalists from South Korea to send emails embedded with BabyShark malware.
In recent months, a number of campaigns have been attributed to Kimsuky that use coronavirus-themed email lures containing weaponized Word documents as their infection vector to gain a foothold on victim machines and launch malware attacks.
“Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions,” the Cybersecurity and Infrastructure Security Agency (CISA) said.
Now, according to Cybereason, the threat actor has acquired new capabilities via a modular spyware suite called “KGH_SPY,” allowing it to carry out reconnaissance of target networks, capture keystrokes, and steal sensitive information.
Besides this, the KGH_SPY backdoor can download secondary payloads from a command-and-control (C2) server, execute arbitrary commands via cmd.exe or PowerShell, and even harvest credentials from web browsers, Windows Credential Manager, WinSCP, and mail clients.
Also of note is the discovery of a new malware named “CSPY Downloader” that’s designed to thwart analysis and download additional payloads.
Lastly, Cybereason researchers unearthed a new toolset infrastructure, registered between 2019 and 2020, that overlaps with the group’s BabyShark malware previously used to target US-based think tanks.
“The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques,” the researchers said.
“While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations.”