Issue 28: Google Patches Exploited Chrome Flaw, Microsoft Protects Sensitive Copilot Data, and North Korean Malware Infiltrates macOS
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top Stories 23 August 2024:
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
- New macOS Malware TodoSwift Linked to North Korean Hacking Groups
Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
Google has issued a security update to address a high-severity flaw in its Chrome browser, tracked as CVE-2024-7971. This vulnerability is a type confusion bug in the V8 JavaScript and WebAssembly engine, which could allow a remote attacker to exploit heap corruption through a specially crafted HTML page.
This issue affects Chrome versions prior to 128.0.6613.84 and was discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) on 19th August 2024.
Google has acknowledged that an exploit for CVE-2024-7971 is already being used in the wild, but further details about the attacks or the threat actors involved have not been disclosed to ensure that users have time to apply the fix. Notably, this is the third type confusion bug in V8 that Google has patched this year, following CVE-2024-4947 and CVE-2024-5274.
Since the beginning of 2024, Google has addressed nine zero-day vulnerabilities in Chrome, including several others identified at the Pwn2Own 2024 competition, such as CVE-2024-0519, CVE-2024-2886, and CVE-2024-3159.
Users should update to Chrome version 128.0.6613.84/.85 on Windows and macOS, and 128.0.6613.84 on Linux to mitigate these risks. Also, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes as soon as they are available.
TLDR;
- Google has released a critical security update for Chrome to fix a high-severity vulnerability, CVE-2024-7971, that could allow remote exploitation, urging users to update their browsers immediately.
Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
Researchers have uncovered a critical vulnerability in Microsoft’s Copilot Studio, identified as CVE-2024-38206, with a CVSS score of 8.5. This flaw is an information disclosure bug caused by a server-side request forgery (SSRF) attack. Microsoft detailed in an advisory on 6th August 2024 that an authenticated attacker could exploit this vulnerability to bypass SSRF protection, thereby leaking sensitive information over a network.
The vulnerability utilises Copilot’s ability to make external web requests. This SSRF protection bypass could be used to access Microsoft’s internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances. Through this technique, attackers could retrieve instance metadata in a Copilot chat message, potentially obtaining managed identity access tokens. These tokens could then be exploited to gain read/write access to internal resources like Cosmos DB instances.
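As an added defensive illustration (not Microsoft's code and not taken from the advisory), the kind of egress guard an SSRF protection needs in front of a feature that fetches arbitrary URLs: it resolves the target host, unwraps IPv4-mapped IPv6 literals, and fails closed if any resolved address lands in link-local space (where IMDS sits), loopback or private ranges. The deny list, hostnames and resolver hook are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny list: ranges a server-side fetcher must never reach.
# 169.254.169.254 (the IMDS endpoint) lives in the IPv4 link-local block;
# the rest cover loopback and private space where internal back-ends sit.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10",           # link-local (IMDS is here)
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",   # loopback / "this host"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8",  # private
)]

def default_resolver(host: str) -> list:
    """Return every address a hostname or IP literal maps to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:169.254.169.254 so the IPv4 rules still apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def is_safe_outbound_url(url: str, resolver=default_resolver) -> bool:
    """Fail closed: True only for an http(s) URL whose host resolves to at
    least one address and to nothing inside BLOCKED_NETWORKS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False
    # A name that resolves to nothing, or to a mix of public and internal
    # addresses (DNS-rebinding style), is rejected outright.
    return bool(addrs) and not any(_is_blocked(a) for a in addrs)
```

The check only closes the hole if the HTTP client then connects to the address that was validated, so pin the connection to the resolved IP rather than letting the client resolve the name a second time.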
While the attack does not permit access to cross-tenant information, the shared infrastructure of the Copilot Studio service means that multiple customers could be affected if attackers gain elevated access to Microsoft’s internal systems. Microsoft has addressed the vulnerability, requiring no action from customers.
This disclosure coincides with Tenable’s report on two now-patched vulnerabilities in Microsoft’s Azure Health Bot Service (CVE-2024-38109), and Microsoft’s announcement of mandatory multi-factor authentication (MFA) for all Azure customers, starting in October 2024, as part of its Secure Future Initiative (SFI).
TLDR;
- Researchers have discovered a critical vulnerability in Microsoft's Copilot Studio (CVE-2024-38206) that could allow attackers to bypass SSRF protection and access sensitive internal resources, which Microsoft has patched without requiring customer action.
New macOS Malware TodoSwift Linked to North Korean Hacking Groups
Cybersecurity researchers have identified a new macOS malware strain named TodoSwift, which shares similarities with malware linked to North Korean hacking groups, particularly the BlueNoroff subgroup of the Lazarus Group. Kandji security researcher Christopher Lopez highlighted that TodoSwift exhibits behaviours common to other North Korean-originated malware, such as KANDYKORN and RustBucket.
RustBucket, first identified in July 2023, is an AppleScript-based backdoor capable of fetching additional malicious payloads from a command-and-control (C2) server. Similarly, KANDYKORN, discovered by Elastic Security Labs in late 2023, is a sophisticated multi-stage malware that can exfiltrate data, terminate processes, and execute commands on the infected macOS system. Both malware families are linked by their use of linkpc[.]net domains for C2 operations and are attributed to the Lazarus Group.
The North Korean regime, via hacking units like Lazarus, continues to target cryptocurrency businesses to steal funds and bypass international sanctions. These attacks often lure victims, such as blockchain engineers, with promises of financial gain.
The newly discovered TodoSwift is distributed as a signed file named TodoTasks, containing a dropper component. This GUI application, written in SwiftUI, displays a benign Bitcoin-related PDF document hosted on Google Drive, while covertly downloading and executing a second-stage binary from a domain controlled by the attackers (buy2x[.]com). The malware collects system information and can communicate with its C2 server, passing the C2 URL as a launch argument to the second-stage binary, a tactic consistent with previous DPRK macOS malware.
TLDR;
- Researchers have identified a new macOS malware strain named TodoSwift, linked to North Korean hacking groups like Lazarus, which disguises itself as a Bitcoin-related app to secretly download and execute malicious payloads.
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!