The threat:

On October 31, 2019, Google released security updates for the Chrome browser to mitigate an actively exploited zero-day vulnerability [1]. CVE-2019-13720 is a use-after-free vulnerability in the Chrome audio component. If exploited, use-after-free vulnerabilities may allow for a range of malicious actions. Due to the reports of active exploitation of CVE-2019-13720, users are advised to upgrade to the most recent version of Chrome as soon as possible.

What we’re doing about it:

  • The eSentire Threat Intelligence Team is actively monitoring this topic for emerging details.
  • Known IoCs have been checked against esENDPOINT clients and monitoring is ongoing.
  • MVS (formerly esRECON) is in the process of releasing plugins to identify this vulnerability.
  • Plugins are expected to be leveraged in scans starting between Saturday, November 2, and Sunday, November 3, 2019.

What you should do about it:

  • Update to version 78.0.3904.87 of the Chrome browser
    • Even if auto-update is enabled, users must exit and re-open Chrome for the update to take effect.
    • Chrome updates for Windows can be pushed by system administrators through the Group Policy Management Editor [2]
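Confirming that every endpoint actually runs the fixed build is the part of this step that tends to slip, because an update that has downloaded but not been applied still reports the old version. The following check, added here as an illustration and not part of eSentire's tooling, compares Chrome versions from a constructed inventory export (hostnames and versions are made up) against the fixed release 78.0.3904.87, comparing each dotted component numerically rather than as a string.

```python
from typing import Iterable, List, Tuple

# Minimum Chrome version that fixes CVE-2019-13720 (from the advisory).
FIXED_VERSION = "78.0.3904.87"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version into a tuple of ints so comparison is numeric.
    A plain string comparison would wrongly rank '78.0.3904.9' above '78.0.3904.87'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed release or newer."""
    return parse_version(version) >= parse_version(fixed)


def find_vulnerable_hosts(inventory: Iterable[str]) -> List[Tuple[str, str]]:
    """Take inventory lines of the form '<hostname>,<chrome_version>' and return the
    hosts still on a build older than the fixed release. Lines whose version does not
    parse are reported as 'unknown' so they are not silently treated as patched."""
    vulnerable = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if not is_patched(version):
                vulnerable.append((host, version.strip()))
        except ValueError:
            vulnerable.append((host, "unknown"))
    return vulnerable


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = """
# hostname,chrome_version
ws-0101,78.0.3904.87
ws-0102,78.0.3904.70
ws-0103,77.0.3865.120
ws-0104,78.0.3904.97
ws-0105,not-installed
ws-0106,78.0.3904.9
"""

if __name__ == "__main__":
    for host, version in find_vulnerable_hosts(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: Chrome {version} needs update to {FIXED_VERSION} or later")
```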

Additional information:

Details on CVE-2019-13720 remain minimal, as Google is withholding information until users have had time to update. Kaspersky identified the zero-day vulnerability and has released some additional details regarding attacks in the wild [3].

A second vulnerability, CVE-2019-13721, was also fixed in the most recent release of Chrome. CVE-2019-13721 is also a use-after-free vulnerability, but there are currently no reports of exploitation in the wild.

Indicators of compromise [3]:


References:

[1] https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html

[2] https://support.google.com/chrome/a/answer/6350036?hl=en

[3] https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
