Apple, Google and incomplete CVEs || Ransomware in the time of SaaS
CyberInsights #113 - How big tech's disclosure policy could leave you in a soup || Ransomware as a service is increasing the risk for every organisation
Apple and Google’s vulnerabilities were related to the same library - WebP
But they chose to disclose different CVEs. An omission so serious that it can leave you vulnerable to Pegasus.
Nope, I am not exaggerating. Read this very interesting piece by Dan Goodin on ArsTechnica [LINK]
Apple released their bug. Google released their bug. Both chose separate CVEs. Neither disclosed that the bug could be related to the WebP library — a library used to read and write most image formats. This library is used by hundreds of other applications. CVE-2023-4863 has this description on the CVE database:
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
This means that it is a no-user-action-required kind of bug.
Since neither Google nor Apple disclosed the link to WebP, and each chose their own CVE (Apple’s CVE — CVE-2023-41064), the security researchers who discovered the connection (Rezilion) say this:
“Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezilion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.”
Take Action:
Sometimes, you cannot rely just on the output of your vulnerability scanner. Keep yourself up to date with the news going around. ArsTechnica and Dan Goodin are a must-follow.
The ArsTechnica article has a list of products that could potentially be impacted. Read the list and check if you are using any. If you are, reach out to the developer.
Check if your organisation is using the WebP library for anything.
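One way to do that dependency-level check, as an added example that is not from the newsletter or from Rezilion: instead of matching CVE-2023-4863 to Chrome or CVE-2023-41064 to Apple products, walk your software inventory (here a CycloneDX SBOM) and flag any libwebp component older than 1.3.2, the fixed version named in the CVE text. The SBOM, the package names and the component list are constructed for the demo.

```python
"""Flag libwebp components below the fixed version in a CycloneDX SBOM.

Added example, not the newsletter's or Rezilion's code. A product-level
scanner only matches the CVE to Chrome or to Apple products; this walks the
dependency list instead, so a bundled libwebp in any product is found.
"""
import json
import re

FIXED_VERSION = (1, 3, 2)  # libwebp 1.3.2 carries the fix per the CVE description
# Names under which libwebp ships (constructed list; extend for your ecosystems).
WEBP_NAMES = {"libwebp", "webp", "libwebp-dev", "libwebp6", "libwebp7"}


def parse_version(text):
    """Turn '1.2.4', 'v1.3' or '1.3.2-1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def vulnerable_webp_components(sbom_json):
    """Return [(name, version, purl)] for libwebp components older than 1.3.2."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        purl = comp.get("purl", "")
        if name not in WEBP_NAMES and "libwebp" not in purl.lower():
            continue
        # A missing version parses as 0.0.0 and is flagged, which is the safe default.
        if parse_version(comp.get("version", "0.0")) < FIXED_VERSION:
            hits.append((comp["name"], comp.get("version", "0.0"), purl))
    return hits


# Constructed SBOM: an image-processing service bundling an old libwebp.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "image-resizer", "version": "4.1.0", "purl": "pkg:generic/image-resizer@4.1.0"},
        {"name": "libwebp", "version": "1.2.4", "purl": "pkg:deb/debian/libwebp@1.2.4"},
        {"name": "libpng", "version": "1.6.40", "purl": "pkg:deb/debian/libpng@1.6.40"},
        {"name": "libwebp7", "version": "1.3.2-1", "purl": "pkg:deb/debian/libwebp7@1.3.2-1"},
    ],
})

if __name__ == "__main__":
    for name, version, purl in vulnerable_webp_components(SAMPLE_SBOM):
        print(f"CVE-2023-4863 candidate: {name} {version} ({purl})")
```

Run it against your real SBOM export instead of SAMPLE_SBOM; a scanner that reports nothing while this script reports a hit is exactly the blind spot Rezilion describes.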
BunnyLoader and Snatch — more ransomware to deal with
Evidently, Ransomware as a Service is a lucrative business.
BunnyLoader is a new malware as a service that has advanced capabilities. [LINK]
Its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper function that monitors the victim's clipboard and replaces content matching cryptocurrency wallet addresses with actor-controlled addresses.
Not bad, considering that a lifetime license is US$ 250.
The Snatch ransomware, meanwhile, seems to have ownership issues. Read this interesting article by Brian Krebs [LINK]. Snatch restarts Windows machines in safe mode and then installs the ransomware to avoid pesky anti-malware software. :)
Take Action:
I rarely write about Ransomware, since it is well covered by most threat feeds and news services. However, the ease with which amateurs can deploy ransomware means the threat level for every organisation has increased. Take all the necessary steps - awareness, backup, 2FA, not using Windows RDP :).
Anyway, October is cyber security awareness month, right?
The WebP vulnerability piece is gripping, and the linked ArsTechnica post is a great rundown - thanks for sharing it.