Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time.
Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter

Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time.

Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites.

ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it's fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll).

Besides requesting invasive permissions to access browser data and manipulate web requests, it's also designed to capture users' search engine queries on Google, Yahoo, and Bing, effectively allowing the threat actors to harvest their online behavior.

While the first Windows variant of ChromeLoader malware was spotted in January, a macOS version of the malware emerged in March to distribute the rogue Chrome extension (version 6.0) in the form of disk image (DMG) files.

But a new analysis from Palo Alto Networks Unit 42 indicates that the earliest known attack involving the malware occurred in December 2021 using an AutoHotKey-compiled executable in place of the later-observed ISO files.

"This malware was an executable file written using AutoHotKey (AHK) — a framework used for scripting automation," Unit 42 researcher Nadav Barak said, adding it was used to drop "version 1.0" of the browser add-on.

This first version is also said to lack obfuscation capabilities, a feature that has been picked up in subsequent iterations of the malware to conceal its purpose and malicious code.

Also observed in March 2022 was a previously undocumented campaign using the 6.0 version of the Chrome extension and relies on an ISO image that contains a seemingly benign Windows shortcut, but, in reality, acts as a conduit to launch a hidden file in the mounted image which deploys the malware.

"This malware demonstrates how determined cybercriminals and malware authors can be: In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple programming frameworks, enhanced features, advanced obfuscators, fixed issues, and even adding cross-OS support targeting both Windows and macOS," Barak said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-31781: security - [CVE-2022-31781] Apache Tapestry denial of service vulnerability

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.
Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month's updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."

Very little is known about the nature and scale of the attacks other than an "Exploitation Detected" assessment from Microsoft. The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM," Microsoft said in an advisory for CVE-2022-22026.

"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

Also remediated by Microsoft include a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery disaster recovery service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

"Successful exploitation \[...\] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server," the company said, adding the flaws do not "allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable."

On top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Cisco
*   Citrix
*   Dell
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

**Microsoft** today released updates to fix at least 86 security vulnerabilities in its **Windows** operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block **macros** in **Office** documents downloaded from the Internet.

In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.

Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.

As _Ars Technica_ veteran reporter **Dan Goodin** put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”

But last week, Microsoft abruptly changed course. As first reported by _BleepingComputer_, Redmond said it would roll back the changes based on feedback from users.

“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s **Sergiu Gatlan** wrote.

Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.

The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s **Zero Day Initiative** notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”

**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said CVE-2022-22047 is the kind of vulnerability is typically seen abused after a target has already been compromised.

“Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM,” he said. “With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

After a brief reprieve from patching serious security problems in the **Windows Print Spooler** service, we are back to business as usual. July’s patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. Experts at security firm **Tenable** note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.

Roughly a third of the patches issued today involve weaknesses in Microsoft’s Azure Site Recovery offering. Other components seeing updates this month include **Microsoft Defender for Endpoint**; **Microsoft Edge** (Chromium-based); **Office**; **Windows BitLocker**; **Windows Hyper-V**; **Skype for Business** and **Microsoft Lync**; and **Xbox**.

Four of the flaws fixed this month address vulnerabilities Microsoft rates “critical,” meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. CVE-2022-22029 and CVE-2022-22039 affect Network File System (NFS) servers, and CVE-2022-22038 affects the Remote Procedure Call (RPC) runtime.

“Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later,” said **Greg Wiseman**, product manager at **Rapid7**. “CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.”

Separately, Adobe today issued patches to address at least 27 vulnerabilities across multiple products, including **Acrobat** and **Reader**, **Photoshop**, **RoboHelp**, and **Adobe Character Animator**.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, July 2022 Edition

This Tech Tip outlines how system administrators can get started with automated continuous patching for their Windows devices and applications.

The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline updating operations and reduce the time it takes for systems to be patched. Originally announced in April, the feature has been in public preview since May.  

"Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. "The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible."

This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.

**Very Specific Prerequisites**

Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.

"Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join," Microsoft said in the deployment guide.

The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.

The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported) should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.

**Configuring the Environment**

Since Autopatch is cloud-based, there are specific Microsoft services that must be available at all times. The four URLs that must be on the allowed list of the proxy or firewall are _mmdcustomer.microsoft.com_, _mmdls.microsoft.com_, _logcollection.mmd.microsoft.com_, and _support.mmd.microsoft.com_. 

The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.

Azure Active Directory must have security defaults enabled and not have any user names that conflict with the ones Autopatch needs to use: _MsAdmin_, _MsAdminInt_, and _MsTest_. Azure AD must also be set so that conditional access policies and multifactor authentication aren’t assigned to all users. The point is that Autopatch can’t be required to have multifactor authentication enabled. 

"Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication," Microsoft said.

**How Do I Get Started?**

Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager administrator center. The option _Tenant enrollment_ in the Windows Autopatch section will begin the process to set up and configure Autopatch.

But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they are properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.

Once everything is ready, the tool will show an _Enroll_ button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.

"Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests," Microsoft said.

**What Sysadmins Can’t Do**

*   It would not be possible to schedule the updates to roll out on certain days or times. The decision of when to move to the next ring is also not configurable.
*   Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Currently, there is no support for individual device level control.
*   Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
*   There is currently no programmatic access via PowerShell to Autopatch

Getting Up and Running with Windows Autopatch

Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability

CVE-2022-22031

Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability.

Windows BitLocker Information Disclosure Vulnerability

CVE-2022-22711

Windows BitLocker Information Disclosure Vulnerability.

Windows Kernel Information Disclosure Vulnerability

Tag

#windows