The threat:
On October 31, 2019, Google released security updates for the Chrome browser to mitigate an actively exploited zero-day vulnerability [1]. CVE-2019-13720 is a use-after-free vulnerability in the Chrome audio component. If exploited, use-after-free vulnerabilities may allow for various multiple malicious actions. Due to the reports of active exploitation of CVE-2019-13720, users are recommended to upgrade to the most recent version of Chrome as soon as possible.
What we’re doing about it:
- The eSentire Threat Intelligence Team is actively monitoring this topic for emerging details.
- Known IoCs have been checked against esENDPOINT clients and monitoring is ongoing.
- MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability
- Plugins are expected to be leveraged in scans starting between Saturday, November 2, and Sunday, November 3, 2019
What you should do about it:
- Update to version 78.0.3904.87 of the Chrome browser
-
- It should be noted that even if auto-update is enabled, users need to exit and re-open Chrome for the update to be applied
- Chrome updates for Windows can be pushed by system administrators through the Group Policy Management Editor [2]
Additional information:
Details on CVE-2019-13720 remain minimal as Google is holding onto information until users have time to update. Kaspersky identified the zero-day vulnerability and has released some additional details regarding attacks in the wild [3].
A second vulnerability, CVE-2019-13721, was also fixed in the most recent release of Chrome. CVE-2019-13721 is also a use-after-free vulnerability but there are currently no reports of exploitation in the wild.
Indicators of compromise [3]:
- behindcorona[.]com
- code.jquery.cdn.behindcorona[.]com
- 8f3cd9299b2f241daf1f5057ba0b9054
- 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd
- 27e941683d09a7405a9e806cc7d156c9
- 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48
- f614909fbd57ece81d00b01958338ec2
- cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb
- kennethosborne@protonmail[.]com
References:
[1] https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
[2] https://support.google.com/chrome/a/answer/6350036?hl=en
[3] https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
