
Government Alerts Chrome Users: Avoid Installing These Updates

Potential Risks Unveiled: Essential Facts to Consider

A new warning has been issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) regarding a sophisticated threat involving fake Google Chrome update prompts used by the Interlock ransomware group and other cybercriminals to compromise PCs.

The fake Chrome updates are malicious executables that function as remote access trojans (RATs) and execute PowerShell scripts. These scripts establish persistence by dropping files into the Windows Startup folder or by modifying Windows Registry keys, so the malware runs every time the user logs in.
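Defenders can audit the two persistence locations the advisory names, the Startup folders and the Run/RunOnce registry keys. The script below is an added example, not code from the advisory or from any vendor; its keyword and path heuristics are assumptions and will flag some legitimate entries, so hits are for review, not automatic removal.

```powershell
# Added example (not from the advisory): enumerate Startup-folder items and Run/RunOnce
# values, then flag entries that invoke PowerShell with hidden/encoded arguments or that
# launch binaries from user-writable locations. Heuristics are assumptions; review hits manually.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed indicators: PowerShell launched non-interactively, or payloads under user-writable paths.
$suspicious = '(?i)powershell.*(-enc|-e |-w hidden|-nop|bypass)|\\AppData\\|\\Temp\\|\\Downloads\\|\\ProgramData\\'

$findings = @()
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve shortcuts so the real target and arguments are inspected, not the .lnk name
            $shell = New-Object -ComObject WScript.Shell
            $lnk   = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        $findings += [pscustomobject]@{
            Source = "Startup:$dir"; Name = $_.Name; Command = $target
            Flagged = [bool]($target -match $suspicious)
        }
    }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
        $findings += [pscustomobject]@{
            Source = $key; Name = $p.Name; Command = [string]$p.Value
            Flagged = [bool]([string]$p.Value -match $suspicious)
        }
    }
}
# Flagged entries first; compare against a known-good baseline from a clean host where possible
$findings | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable.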

Once installed, the RATs give attackers remote control over the compromised systems. For command and control they use tools such as Cobalt Strike, SystemBC, Interlock RAT4F, and NodeSnake RAT. The attacks also deploy additional payloads: credential stealers that harvest login details and URLs for the victim's online accounts, and keyloggers that record keystrokes and can capture sensitive information such as passwords.

In addition to fake Chrome update prompts, cybercriminals have used fake Google Chrome websites to spread malware such as ValleyRAT through techniques like DLL hijacking. This further raises the risk for users who inadvertently download these malicious updates or visit counterfeit sites posing as official Chrome download pages.

The FBI and CISA emphasize that these fraudulent updates also serve reconnaissance: the malware runs PowerShell commands to collect detailed system information, such as the current user identity, running services, system configuration, and network settings, which helps attackers tailor subsequent operations on the compromised devices.

Microsoft has also warned of a China-based threat actor, Storm-2603, exploiting SharePoint vulnerabilities to deploy ransomware. Another vulnerability, which could allow a remote attacker to perform a sandbox escape via a crafted HTML page, affects all browsers built on the Chromium platform, including Microsoft Edge.

In light of these threats, ESET's Jake Moore advises IT teams to temporarily disable automatic Chrome updates on managed devices and to monitor for anomalies, so that they do not unknowingly introduce additional threats into their networks. Users are also advised not to download browser updates from unsolicited prompts or unverified sources, and to update Chrome and other browsers only through official vendor channels.

This represents a critical cybersecurity risk for PC users. The advisory urges vigilance against unsolicited update prompts and emphasizes official software update practices. It responds to the surge in Interlock ransomware attacks, and threat actors could continue to fold exploitation of these vulnerabilities into their campaigns.
