Perpetual IT

Google has just patched Chrome’s eighth zero-day hole of the year so far.

Zero-days are bugs for which there were zero days you could have updated proactively…

…because cybercriminals not only found the bug first, but also figured out how to exploit it for nefarious purposes before a patch was prepared and published.

So, the quick version of this article is: go to Chrome’s Three-dot menu (⋮), choose Help > About Chrome, and check that you have version 107.0.5304.121 or later.

Uncovering zero-days

Two decades ago, zero-days often became widely known very quickly, typically for one (or both) of two reasons:

• A self-spreading virus or worm was released to exploit the bug. This tended not only to draw attention to the security hole and how it was being abused, but also to ensure that self-contained, working copies of the malicious code were blasted far and wide for researchers to analyse.
• A bug-hunter not motivated by making money released sample code and bragged about it. Paradoxically, perhaps, this simultaneously harmed security by handing a “free gift” to cybercriminals to use in attacks right away, and helped security by attracting researchers and vendors to fix it, or come up with a workaround, quickly.

These days, the zero-day game is rather different, because contemporary defences tend to make software vulnerabilities harder to exploit.

Today’s defensive layers include: additional protections built into operating systems themselves; safer software development tools; more secure programming languages and coding styles; and more powerful cyberthreat prevention tools.

In the early 2000s, for instance – the era of super-fast-spreading viruses such as Code Red and SQL Slammer – almost any stack buffer overflow, and many if not most heap buffer overflows, could be turned from theoretical vulnerabilities into practicable exploits in quick order.

In other words, finding exploits and “dropping” 0-days was sometimes almost as simple as finding the underlying bug in the first place.

And with many users running with Administrator privileges all the time, both at work and at home, attackers rarely needed to find ways to chain exploits together to take over an infected computer completely.

But in the 2020s, workable remote code execution exploits – bugs (or chains of bugs) that an attacker can reliably use to implant malware on your computer merely by luring you to view a single page on a booby-trapped website, for example – are generally much harder to find, and worth a lot more money in the cyberunderground as a result.

Simply put, those who get hold of zero-day exploits these days tend not to brag about them any more.

They also tend not to use them in attacks that would make the “how and why” of the intrusion obvious, or that would lead to working samples of the exploit code becoming readily available for analysis and research.

As a result, zero-days often get noticed these days only after a threat response team is called into investigate an attack that’s already succeeded, but where common intrusion methods (e.g. phished passwords, missing patches, or forgotten servers) don’t seem to have been the cause.

Buffer overflow exposed

In this case, now officially designated CVE-2022-4135, the bug was reported by Google’s own Threat Analysis Group, but wasn’t found proactively, given that Google admits that it is “aware that an exploit […] exists in the wild.”

The vulnerability has been given a High severity, and is described simply as: Heap buffer overflow in GPU.

Buffer overflows generally mean that code from one part of a program writes outside the memory blocks officially allocated to it, and tramples on data that will later be relied upon (and will therefore implicitly be trusted) by some other part of the program.

As you can imagine, there’s a lot that can go wrong if a buffer overflow can be triggered in a devious way that avoids an immediate program crash.

The overflow could be used, for example, to poison a filename that some other part of the program is about to use, causing it to write data where it shouldn’t; or to alter the destination of a network connection; or even to change the location in memory from which the program will execute code next.

Google doesn’t explicitly say how this bug could be (or has been) exploited, but it’s wise to assume that some sort of remote code execution, which is largely synonymous with “surreptitious implantation of malware”, is possible, given that the bug involves mismanagment of memory.

What to do?

Chrome and Chromium get updated to 107.0.5304.121 on Mac and Linux, and to 107.0.5304.121 or 107.0.5304.122 on Windows (no, we don’t know why there are two different versions), so be sure to check that you have version numbers equal to or more recent than those.

To check your Chrome version, and force an update if you’re behind, go to the Three-dot menu (⋮) and choose Help > About Chrome.

Microsoft Edge, as you probably know, is based on the Chromium code (the open-source core of Chrome), but hasn’t had an official update since the day before Google’s threat researchers logged this bug (and hasn’t had an update that explicitly lists any security fixes since 2022-11-10).

So, we can’t tell you whether Edge is affected, or whether you should expect an update for this bug, but we recommend keeping an eye on Microsoft’s official release notes just in case.

SPOTLIGHT ON CYBERTHREATS

Security specialist John Shier tells you the “news you can really use” – how to boost your cybersecurity based on real-world advice from the 2023 Sophos Threat Report.

With Paul Ducklin and John Shier. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.

READ THE TRANSCRIPT

Over the past year, we’ve had the unfortunate need to warn our readers not once, but twice, about a scam we’ve dubbed CryptoRom, a portmanteau word formed from the terms “Cryptocurrency” and “Romance scam”.

Simply put, these scammers use a variety of techniques, notably including prowling on dating sites, to meet people online, form a friendship…

…not with the intention of drawing their victims into a “we’ve fallen in love, now send money” romance scam, but instead to earn their trust and lure them into bogus investments “managed” via fraudulent mobile phone apps.

Intriguingly, the crooks even target iPhone users, despite the fact that ripoff financial apps are difficult to sneak into Apple’s App Store, and Apple doesn’t allow its users to download apps from anywhere else.

Sadly, and ironically, the CryptoRom gangs have turned Apple’s strictness into a sort of sales schpiel: if anyone and everyone could download their “investment” apps, that would spoil the exclusivity, so the apps are only available by invitation, directly from the “investment” group.

SophosLabs has tracked these criminals using Apple’s business and developer toolkits to bypass the App Store, using systems such as Apple’s Enterprise Provisioning system, which allows phones directly managed by a business to install proprietary apps:

The crooks have also used Apple’s development tool TestFlight, where unreleased apps can be provided for a limited time to invited, consenting partcipants:

As an aside that we can’t bring ourselves not to mention: the Sophos researchers who wrote the two papers referenced above won the prestigious 2022 Péter Szőr Award, presented at the annual Virus Bulletin conference for the best technical research of the year.

Winning your trust

Obviously, this means buying into a scammer’s instructions not merely to install an app you’ve never heard of, but to do so by essentially committing your entire device to their control, either via Enterprise Provisioning or by enrolling in a development process that would normally only be recommended for devices dedicated to coding and testing.

That’s why the scammers win your trust first, for example by befriending you via a dating site, so that you’re willing to accept what sounds like an obvious technical risk.

The crooks parlay the curious installation process into what sounds like an online privilege: the unusual way of acquiring the app is pitched as a way to join an exciting online investment vehicle that isn’t available via Apple precisely because it’s financial dynamite that’s not available to just anyone!

The “romance” in a CryptoRom scam isn’t tugging at your heart strings, but at your wallet strings.

You can probably imagine how the scam plays out from here.

A carefully concocted pack of lies

The app looks and behaves like a legitimate investment product, hooked up directly to an online web backend that processes deposits, calculates growth, allows deposits, displays real-time graphs…

…all presented with branding that is typically dolled up to look like an official, well-regulated service or stock exchange.

But the app, the “exchange” that backs it, the logos, the branding, and the enticingly upward direction of your account balance are all completely bogus.

In five words, the entire thing is a carefully concocted pack of lies.

Your initial investment shows up right away; the crooks may even offer to “boost” your account with a loan or a staking bonus, which might sound too good to be true but will nevertheless show up in your “account” as promised.

The crooks may even allow you to make withdrawals at first, to build trust and confidence.

This is a common ploy in so-called Ponzi or pyramid schemes – in truth, of course, the scammers are merely giving you some of your own money back.

But they then quickly show your account surging, inviting you to imagine how much more you could be making if only you’d re-deposit your recent withdrawal, and perhaps whack some more on top of that as well.

Heck, why not borrow from your friends and family (but don’t let them in on the whole story or they’ll all want to join in, eh?) and double, triple, quadruple all that money as well?

And that’s not all…

Sadly, that’s not all, because there’s a sting in the tail, too.

When you try to withdraw your “funds”, there’s suddenly a government witholding tax, usually of 20%, on the funds you want to access – something that’s admittedly not unusual in countries with investment charges such as Capital Gains Tax.

Except that it’s not a witholding tax at all, as you might at first expect (that’s where the government’s cut is simply deducted, or witheld, from the amount you want to withdraw, and the rest comes to you).

The crooks tell you that the funds are frozen for regulatory reasons, so they can’t be used to offset the amount you “owe”.

You have to pay the amount first, in a transaction of its own, in order unfreeze the funds before they can be withdrawn in a second transaction.

The crooks will typically pile on the pressure here, warning that you risk losing everything in your “account”, both your own money that you’ve paid in already, and the “capital gains” you think you’ve accumulated.

As the SophosLabs researchers explain, if the crooks think that they genuinely can’t squeeze you for the entire 20%, because they’ve almost bled you dry already, they’ll even pretend to “help” by rallying together their “friends” to lend you some of the money you need to get your “investment” out, until they really have drained you for every drop:

The theory, of course, is that after you’ve paid the 20% “tax”, you will get access to 100% of the “balance” in your account, leaving plenty of funds on hand not only to pay off the loans that made it all possible, but also to cash out to your own considerable advantage.

Tragically, this is a made-up example of how scams like this typically unfold:

Action "Balance" Amount at stake "Cashout" deductions
--------------------------------- --------- ------------------ --------------------
$10,000 paid in + $30,000 "loan" -> $ 40,000 YOUR STAKE $10,000 DEDUCT $30,000 Your graph shows you are doing well! Synthetic 2x boost in value -> $ 80,000 YOUR STAKE $10,000 DEDUCT $30,000 What if it's all phoney? Withdraw $5000 as "test of truth" -> $ 75,000 YOUR STAKE $ 5,000 DEDUCT $30,000 Big growth event coming, crooks go on a
charm offensive, tell you to invest more! Pay the $5000 withdrawal back in, add $10,000 on top, plus
another $20,000 "loan" -> $111,000 YOUR STAKE $20,000 DEDUCT $50,000 Synthetic 3x boost in value -> $ 333,000 YOUR STAKE $20,000 DEDUCT $50,000 Woo-hoo! Time to cash out! 20% "unfreezing" tax comes to $66,600
Crooks realise you genuinely can't come up with that much, but figure you can squeeze some money out by hitting up friends, etc. for $20,000 if they "offer" to find $46,000. You pay $20,000 + $46,600 "loan" -> $ 333,000 YOUR STAKE $40,000 DEDUCT $96,000 After withdrawal and "paying back" the $96,000, you will be still be left with $237,000, which gives you a "profit" of $197,000 after deducting your outgoings of $40,000! Withdraw $333,000 less "loans" -> GAME OVER. INSERT MORE COINS TO RESUME GAME. 

The sting in the tail of the tail

Even worse, there’s even a sting in the tail of the tail.

Once you realise you’ve been scammed, you may miraculously be contacted by someone who sympathises with your plight (perhaps it recently happened to them?) and knows just the service for you…

..cryptocurrency recovery!

We all know that cryptocoins, by design, are largely unregulated, pseudo-anonymous, and anywhere from hard to almost impossible to trace and recover.

Yet we also know that cryptocoin recoveries do sometimes happen, occasionally in astonishing amounts and after lengthy periods, like the fund recovered from wannabe rap star Crocodile Of Wall Street and her husband, or from Silk Road cryptorobber James Zhong, who hid $3 billion in bitcoins in a popcorn tin for almost a decade:

Sadly, if you go down the “recovery service” rabbit hole, you will just be pouring yet more good money after bad, and your overall losses will be even more catastrophic.

Hot on the trail

Here’s some good news to follow the bad: the US Department of Justice (DOJ) is taking on at least one group of CryptoRom scammers.

The DOJ refers to this sort of scam as “pig butchering”, which is a metaphor apparently chosen by the scammers themselves to mock their victims: in Chinese, the technique is known as 杀猪盘 (sha zhu pan), something we’d probably refer to as a “chopping block” in English, but that literally translates as “pork butchering plate”.

In a report this week, the DOJ describes a takedown of seven CryptoRom-related web domains that it alleges were used over a period of at least four months (May to Augut 2022) to rip off at least five victims in the US alone. (We assume there were numerous victims from other countries, but the DOJ report relates to victims in its juridiction.)

The domains were rigged up to look like web pages of an official Singapore financial exchange, and allegedly helped in conning victims out of over $10,000,000.

This follows a DOJ action last month in which 11 people were arrested in connection with these “chopping block” attacks and charged with with ripping off more than 200 people in the US of close to $18,000,000.

The 11 defendants were also charged with acting as money laundering “mules”, who illegally passed more than $52,000,000 through bank accounts opened up using forged or stolen identity documents, receiving a percentage of the amount laundered in payment.

As we’ve mentioned before, money laundering services of this sort are widely used by cybercriminals to exfiltrate illicit deposits out of the banking system before the fraud gets spotted and the bogus transactions get frozen or reversed.

Business Email Compromise (BEC) scammers, for instance, operate by tricking companies into paying invoices (they typically focus on high-value sums, sometimes into the millions of pounds or dollars) into the wrong bank account.

From there, they use the assistance of “money mules” to get those misdirected funds withdrawn from the banking system before the deception can be prevented:

What to do?

• Take your time when online talk turns from romance, love, or even plain friendship, to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you, and don’t let yourself be mesmerised by their “investment advice”. It’s easy for scammers to pitch themselves as kindred spirits if they’ve studied at your social networking or dating site profiles in advance.
• Never give administrative control over your phone to someone with no genuine reason to have it. Never click [Trust] on a dialog that asks you to enrol in remote management unless it’s from someone you already have an employment contract with, the conditions have been clearly explained to you in advance, and you understand and accept the business reasons for enrolling your phone.
• Don’t be deceived by messaging inside the app itself. Don’t let by icons, graphs, names and text messages inside an app trick you into assuming it has the credibility it claims. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold.)
• Don’t be fooled because a scam website looks well-branded and professional. Setting up a website with live graphs, investment pages and “account” management tools is easier than you think. Crooks can readily copy official logos, taglines, branding and even JavaScript code from the real site, and modify it to suit their malicious purposes.
• Listen openly to your friends and family if they try to warn you. Online scammers think nothing of deliberately setting you against your family as part of their scams. They may even “counsel” you not to let your friends and family in on your “secret”, pitching their investment proposal as something exclusive: a good fit for you, but not open to just anyone. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.

LEARN MORE ABOUT RELATIONSHIP SCAMS:

Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange.

As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082:

[were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.

The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behaviour in Exchange’s Autodiscover feature, described by Microsoft as a protocol that is “used by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchange”.

Fortunately, the Autodiscover misfeature that could be exploited in the ProxyShell attack by any remote user, whether logged-in or not, was patched more than a year ago.

Unfortunately, the ProxyShell patches didn’t do enough to close off the exploit to authenticated users, leading to the new CVE-2022-40140 zero-day, which was soon laconically, if misleadingly, dubbed ProxyNotShell.

Not as dangerous, but dangerous nevertheless

Clearly, ProxyNotShell was nowhere near as dangerous as the original ProxyShell, given that it required what’s known as authenticated access, so it wasn’t open to abuse by just anybody from anywhere.

But it quickly transpired that on many Exchange servers, knowing any user’s logon name and password would be enough to pass as authenticated and mount this attack, even if that user would themselves need to use two-factor authentication (2FA) to logon properly to access their email.

As Sophos expert Chester Wisniewski put it at the time:

It’s a “mid-authentication vulnerability”, if you want to call it that. That is a mixed blessing. It does mean that an automated Python script can’t just scan the whole internet and potentially exploit every Exchange server in the world in a matter of minutes or hours, as we saw happen with ProxyLogon and ProxyShell in 2021. […]

You need a password, but finding one email address and password combination valid at any given Exchange server is probably not too difficult, unfortunately. And you might not have gotten exploited to date, because to successfully log into Outlook Web Access [OWA] requires their FIDO token, or their authenticator, or whatever second factor you might be using.

But this attack doesn’t require that second factor. […] Just acquiring a username and password combination is a pretty low barrier.

As you probably remember, many of us assumed (or at least hoped) that Microsoft would rush to get a fix out for the ProxyNotShell holes, given that there were still two weeks until October’s Patch Tuesday.

But we were disappointed to find that a reliable fix was apparently more complex than expected, and October came and went with ProxyNotShell addressed only by workarounds, not by proper patches.

Even November’s Patch Tuesday didn’t directly provide the needed fixes, though the patches nevertheless came out on the same day as part of an Exchange-specific security update that could be fetched and installed separately:

Proof-of-concept revealed

Now that the dust has settled and everyone has had time to patch their Exchange servers (the ones they haven’t forgotten about, at least), researchers at Zero Day Initiative (ZDI), to which these vulnerabilities were originally responsibly disclosed for submission to Microsoft, have explained how the bugs can be exploited.

The bad news, depending on your opinion of overt exploit disclosures, is that the ZDI team has now effectively provided a proof-of-concept (PoC) explaning how to attack Exchange servers.

The good news, of course, is that:

• We can now study and understand the bugs ourselves. This not only helps us all to ensure that the overall precautions we have taken (not merely limited to patching) are likely to provide the protection we expect, but also informs us of progamming practices that we will want to avoid in future, so we don’t get trapped into opening up bugs of this sort in our own server-side code.
• We now have no excuses left for not applying the patches. If we’ve dragged our feet about updating, ZDI’s explanation of why the attack works makes it clear that the cure is definitely preferable to the disease.

How it works

ZDI’s explanation of this vulnerability makes for a fascinating tale of how complex it can be to chain together all the parts you need to turn a vulnerability into a viable exploit.

It’s also worth reading to help you understand why digging into an existing exploit can help to reveal other ways that a vulnerability could be misused, potentially prompting additional patches, urging configuration changes, and promoting new programming practices that might not have been obvious just from fixing the original hole.

The explanation is, of necessity, complicated and quite technical, and leads you forwards through a lengthy series of steps to achieve remote code execution (RCE) at the end.

In the hope of helping you follow the high-level details more easily if you decide to read the ZDI report, here’s a hopefully-not-too-simplified summary with the steps listed in reverse…

…so you will know in advance why the story takes the directions it does:

• STEP 4. Remotely trick Exchange into instantiating a .NET object of your choice, with an initialisation parameter of your choice.

In modern coding, an instantiated object is the jargon word for an allocated chunk of memory, automatically initialised with the data and resources it will need while it’s in use, and tied to a specific set of functions that can operate on it. (Instantiate is just a fancy word for create.)

Objects may be managed and controlled by the operating system itself, to help avoid the sort of memory mismanagement errors common in a language such as C, where you typically need to allocate memory yourself, fill up the relevant data fields by hand, and remember to release the memory and resources you’re using, such as network sockets or disk files, when you’re done.

Objects generally have a programmatic function associated with them called a constructor, which is automatically executed when a new object is created in order to allocate the right amount of memory and the correct set of system resources.

Usually, you need to pass one or more parameters as arguments to the constructor, to denote how you want the object to be configured when it starts out.

Simply put, if you instantiate, say, a TextString object (we’re making these names up, but you get the idea) using a parameter that is itself a text string such as example.com:8888…

…you will probably end up with a memory buffer allocated to hold your text, initialised so it holds the same value you passed in, namely the raw text example.com:8888.

In that context, the text string passed in as data to the object constructor doesn’t immediately pose any obvious cybersecurity threat when you trigger the constructor remotely, other than a possible denial of service (DoS) by repeatedly asking for bigger and bigger strings to try to exhaust memory.

But if you were to instantiate, say, a ConnectedTCPClient object using the very same text string parameter of example.com:8888, you might end up with a memory buffer ready to hold temporary data, along with a network socket allocated by the operating system that’s ready to exchange data woith the server example.com over TCP port 8888.

You can see the remote code execution risk there, even if you never get to send any data to the open socket, given that you’ve tricked the server into calling home to a location that you control.

You might even find an object called, say, RunCmdAndReadOutput, where the text string you send as a parameter is, quite literally, a command you want to run automatically as soon the object is created, so you can collect its output later.

Even if you never get to recover the output of the command, just instantiating such an object would nevertheless let you choose a command to run, thus giving you generic remote code execution and presenting a risk limited only by the access rights of the server process itself.

Of course, the attack is only this easy once you get to the last stage, which you’re not supposed to be able to do, because Exchange has a strict allowlist that prevents you from choosing any old object to instantiate.

In theory, only safe or low-risk objects can be created remotely via PowerShell, so that instantiating our imaginary TextString above, or a SimpleIntegerValue, might be considered acceptable, while a ConnectedTCPClient or a RunCmdAndReadOutput would definitely not be.

But the ZDI researchers notice that before triggered the last step, they could do this:

• STEP 3. Remotely trick Exchange into thinking that a low-risk object that’s passed the safety test is, in fact, some other object of your choice.

Even so, you might expect Exchange to prevent the remote creation even of low-risk objects, to minimise the threat even further.

But the researchers found that they could:

• STEP 2. Remotely trick Exchange into using its PowerShell Remoting feature to create an object based on initialisation parameters controlled externally.

And that was possible because of the ProxyShell-like hole that was only semi-patched:

• STEP 1. Remotely trick Exchange into accepting and processing a web request with code in by packing a valid username:password field into the request as well.

Even if the user named in the request wasn’t actually logged in, and would need to go through some sort of 2FA process to access their own mailbox, an attacker who knew their username:password combination would have enough authentication information to trick Exchange into accepting a web connection that could be used to kick off the attack chain described in steps 2 to 4 above.

Loosely speaking, any valid username:password combination would do, given that the “authentication” was needed simply to prevent Exchange from rejecting the HTTP request up front.

What to do?

Note that this attack only works:

• If you have on-premises Exchange servers. Microsoft claims to have locked down its own cloud services quickly, so Exchange Online is not affected. Make sure you know where your Exchange servers are. Even if you now use Exchange Online, you may still have on-premises servers running, perhaps left over by mistake from your migration process.
• If your servers are unpatched. Make sure you have applied the Exchange Software Update of 2022-11-08 to close off the vulnerabilities that the exploit requires.
• If your servers still accept Basic Authentication, also known as legacy authentication. Make sure you have blocked all aspects of legacy authentication so your servers won’t accept the username:password headers mentioned above, and won’t accept risky Autodiscover protocol requests in the first place. This stops attackers tricking a server into accepting their booby-trapped object instantiation tricks, even if that server isn’t patched.

You can keep track of our official prevention, remediation and response advice, and Sophos customers can keep track of the threat detection names used by our products, via the Sophos X-Ops Twitter feed (@SophosXOps).

New information has been published regarding CVE-2022-41040 and CVE-2022-41082: https://t.co/pHUVBjUeDI 1/3

— Sophos X-Ops (@SophosXOps) November 21, 2022

LEARN MORE ABOUT EXCHANGE AUTHENTICATION AND OAUTH2

With Paul Ducklin and Chester Wisniewski
Intro and outro music by Edith Mudge.