Happy Patch Tuesday!
Chrome 0day exploit shared on Twitter per Threatpost
A security researcher perhaps a little too eagerly shared their Pwn2Own discovery by tweeting a link to the exploit code yesterday. The code is for a remote code execution vulnerability that affects current versions of Chromium-based browsers, like Google Chrome but also Microsoft Edge and others. Potentially all kinds of bad.
Now, Pwn2Own rules are that companies get notified before the bug gets dropped, so they can make and issue patches. That was the intention, but the patch had not yet been deployed into official releases of the browsers. Oops 😬 Google will be releasing a new version of Chrome today which may or may not fix it. The upside fwiw is that the code shared is not “fully weaponized”, i.e. it is not a full exploit chain capable of escaping the sandbox.
NAME:WRECK vulnerabilities impact IoT/OT per ZDNet
From the things that brought you Urgent/11 and Ripple20, now there’s NAME:WRECK. Vulnerabilities in millions of IoT devices that could let attackers disable them or control them remotely, ultimately gaining more network access. Nine vulnerabilities, four TCP/IP stacks, and potentially 100 million devices used by consumers, industry and enterprise.
Security patches are available but unlike with IT, it’s not a simple process for IoT or OT. Chances are that many will remain unpatched rather than risk breaking software, configurations and older equipment that has been painstakingly put in place. At high risk will be healthcare, already hard hit by ransomware attacks. Network segmentation and monitoring network traffic will provide mitigation when patching can’t be done.
Watch for the QBot / IcedID rotation per Bleeping Computer
Just to mix it up, malware operators are shuffling between IcedID (kinda the new Emotet) and QBot banking trojans. Both are nasty, multi-stage threats that will ultimately deliver a ransomware payload, and both are using Ettersilent, an increasingly popular service for building malicious documents.