March 5th 2021 | Asia Cyber Summary

Updated: May 19, 2021

In the Spotlight This Week:

  • Google patches exploited Chrome browser zero-day vulnerability

  • Microsoft account hijack vulnerability earns bug bounty hunter USD 50,000

  • Ryuk ransomware uses a new trick to encrypt your network

  • Hackers exploit websites, giving them excellent SEO before deploying malware

Google Patches Exploited Chrome Browser Zero-Day Vulnerability

Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild. Google has labeled the vulnerability as a "high" severity security flaw and has fixed the issue in the latest Chrome release. Google's announcement also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available.

Microsoft Account Hijack Vulnerability Earns Bug Bounty Hunter USD 50,000

Microsoft has awarded a bug bounty hunter USD 50,000 for disclosing a vulnerability leading to account hijacking. Discovered by researcher Laxman Muthiyah, the security flaw could have allowed anyone to take over any Microsoft account without consent or permission. In order to reset a password for a Microsoft account, the company requires an email address or phone number to be submitted through a "Forgotten Password" page. A seven-digit security code is then sent as a method of verification and needs to be provided in order to create a new password. Utilizing a brute-force attack to obtain the seven-digit code would lead to password resets without the account owner's permission. However, to stop these attacks in their tracks, rate limits, encryption, and checks are imposed. After examining Microsoft's defenses, Muthiyah was able to work out the company's encryption and automate the entire process from encrypting the code to sending multiple concurrent requests. The patch was issued in November 2020.

Ryuk Ransomware Uses a New Trick to Encrypt Your Network

A new version of Ryuk ransomware is equipped with an additional worm-like capability to spread itself around infected networks, potentially making it even more dangerous than it was before. Like other forms of ransomware, Ryuk encrypts a network, rendering systems useless, and the cyber criminals behind the attack demand a payment in exchange for the decryption key. This demand can stretch into millions of dollars. The ransomware can propagate itself across the network using Wake-on-LAN, a feature that enables Windows computers to be turned on remotely by another machine on the same network. By spreading to every reachable machine on the network, the Ryuk attack can be much more damaging.

Hackers Exploit Websites, Giving Them Excellent SEO Before Deploying Malware

Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible. According to Sophos, the so-called search engine "deoptimization" method combines SEO tricks with the manipulation of human psychology to push compromised websites up Google's rankings. SEO is used legitimately by webmasters to increase their website's exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware. The technique involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT), which also delivers a variety of other malware payloads.

To succeed, the use of SEO as a technique to deploy the Gootkit RAT requires maintaining a network of more than 400 servers at any given time.
