What a tough few days for Google.
The tech giant patched a zero-day in the Chrome browser late last week, admitted in its April 2023 Threat Horizons Report released Friday that Chinese threat group APT41 abused its open-source Google Command and Control (GC2) red-teaming tool in malware attacks, and on April 18 reported yet another Chrome zero-day that it needed to patch.
The new zero-day — CVE-2023-2136 — was described by NIST’s National Vulnerability Database as an integer overflow that appeared in the Skia open-source graphics platform in Google Chrome prior to version 112.0.5615.137.
NIST said the vulnerability would let a remote attacker who had already compromised the renderer process potentially perform a sandbox escape via a crafted HTML page. The vulnerability was described as “high severity” and Google acknowledged that an exploit for it exists in the wild. No CVSS score has been issued yet.
For the April 18 bug, Google issued a stable channel update with eight security fixes to version 112.0.5615.137/138 for Windows and 112.0.5615.137 for Macs, which will roll out over the coming days. A patch for Linux will come a bit later.
Skia is an open-source 2D graphics library which delivers common APIs that work across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.
An integer overflow can happen when a program performs a calculation whose true result is larger than the integer type holding it can represent; the stored value silently wraps around to something much smaller. Such integer overflows can cause a program to use incorrect numbers and behave in unintended ways, for example allocating a buffer smaller than the data later written into it, which attackers can then exploit.
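The following is an added illustration of the wraparound described above, written for this article and not code from Skia, Chrome, or the CVE-2023-2136 fix. It shows the classic graphics-library pattern in which a bitmap size is computed as width × height × bytes-per-pixel in 32-bit arithmetic, the vulnerable version beside a checked version. The dimensions 65537 × 65536 are constructed to trigger the wrap; the checked path relies on the GCC/Clang `__builtin_mul_overflow` builtin.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of integer overflow in a size computation.
 * Not Skia's code and not the actual CVE-2023-2136 bug. */

#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern: all three operands are 32-bit, so the product
 * silently wraps modulo 2^32 when the true result does not fit. */
uint32_t bitmap_bytes_unchecked(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;
}

/* The size the pixel data really occupies, computed in 64 bits so it
 * cannot wrap for any pair of 32-bit dimensions. */
uint64_t bitmap_bytes_exact(uint32_t width, uint32_t height) {
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: each multiplication is checked, and an overflow is
 * reported to the caller (returns 0, *out untouched) instead of wrapping. */
int bitmap_bytes_checked(uint32_t width, uint32_t height, uint32_t *out) {
    uint32_t pixels, bytes;
    if (__builtin_mul_overflow(width, height, &pixels)) return 0;
    if (__builtin_mul_overflow(pixels, BYTES_PER_PIXEL, &bytes)) return 0;
    *out = bytes;
    return 1;
}

/* Models the allocate-then-write flow built on the unchecked size: how many
 * bytes a writer that trusts the dimensions would run past the allocation.
 * 0 means the allocation is large enough. Nothing is actually written. */
uint64_t overflow_bytes_past_allocation(uint32_t width, uint32_t height) {
    uint32_t allocated = bitmap_bytes_unchecked(width, height);
    uint64_t needed = bitmap_bytes_exact(width, height);
    return needed > allocated ? needed - allocated : 0;
}

int main(void) {
    /* Constructed attacker-chosen dimensions: 65537 x 65536 pixels.
     * 65537 * 65536 = 2^32 + 65536, which wraps to 65536 in 32 bits. */
    uint32_t w = 65537u, h = 65536u, bytes = 0;

    printf("unchecked size : %u bytes\n", bitmap_bytes_unchecked(w, h));
    printf("exact size     : %llu bytes\n",
           (unsigned long long)bitmap_bytes_exact(w, h));
    printf("bytes past end : %llu\n",
           (unsigned long long)overflow_bytes_past_allocation(w, h));
    printf("checked path   : %s\n",
           bitmap_bytes_checked(w, h, &bytes) ? "accepted" : "rejected");

    /* A benign 1024 x 768 bitmap passes the checked path normally. */
    if (bitmap_bytes_checked(1024u, 768u, &bytes))
        printf("1024x768       : accepted, %u bytes\n", bytes);
    return 0;
}
```

The interesting case is that a width and height which each look reasonable on their own produce a wrapped size of 262144 bytes while the pixel data is over 17 GB; any code that later walks the bitmap by its nominal dimensions writes far past the allocation. The checked version rejects those dimensions up front, and also rejects inputs such as 65536 × 32768 where the pixel count fits but the byte count does not.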
Chrome is the most broadly used web browser by a considerable margin, which makes it a natural target for threat actors, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said the nature of browsers also makes them an expected target, since there are so many potential avenues of attack.
“Google's been good about patching Chrome quickly when issues come up, which is fortunate,” said Parkin. “While it seems there have been a lot of Chrome vulnerabilities of late, it strikes me that it's part of the usual ebb and flow and not the result of long-term issues in Chrome.”
Browser-based vulnerabilities are an attractive target for malicious actors, given that they are installed everywhere and used frequently, said Melissa Bischoping, director, endpoint security research at Tanium. As with many bugs, Bischoping said when one gets discovered by a researcher or from artifacts of a known attack, this leads to additional scrutiny and analysis that may identify multiple adjacent or similar bugs.
“While Google doesn't immediately make details available about these bugs, the good news is that Chrome is quick to update once patches are available,” said Bischoping. “For most organizations, applying browser patches is low-risk to operational continuity and an easy win to reduce vulnerability exposure in your environment. This is mostly business as usual for Chrome patching. Google's following their standard procedure for disclosure/patch.”
Adoption of GC2 a shift in tactics for Chinese APT group
On the APT41 case, Matt Mullins, senior security researcher at Cybrary, explained that the Chinese threat group’s use of GC2 represents a shift into using more novel and off-the-shelf modern open-source projects. Mullins said while most of the APT pool still relies on certain tried-and-true approaches, such as using PowerShell and macros, this shift in tactics shows a willingness to change approaches.
“The GC2 program isn't anything revolutionary to the red-team community as the utilization of covert channels as a non-standard C2 is something that good red teams have been organically developing for years now,” said Mullins.
The tool, which uses Google’s trusted domains and applications, allows for the masquerading of legitimacy, said Mullins. This approach exposes an Achilles heel of using major providers like Google and Microsoft: enterprises essentially have to whitelist all domains and subdomains associated with these companies.
“By doing so, any service that can be abused is a free hall pass for attackers,” said Mullins. “I have personally used this on my own operations before and can say that it leaves even the best defenders blind to C2 communications. The application also uses Go, which is a Google language, and in a similar vein it is a known compiled language to red teams. Go provides nice cross-compatibility with less robust detection maturity in most organizations. All of this makes for a great initial malware payload.”