The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed two vulnerabilities on its Known Exploited Vulnerabilities (KEV) catalog, bugs that federal agencies must patch by Jan. 23.
The first bug — CVE-2023-7101 — affects Spreadsheet::ParseExcel, an open-source Perl library for reading information from Microsoft Excel files. It is a general-purpose library that supports data import/export operations on Excel files, as well as analysis and automation scripts.
The second bug — CVE-2023-7024 — was widely reported at the end of the year as a critical zero-day flaw (the eighth of 2023) that affects Google Chrome and other Chromium-based browsers such as Microsoft Edge and Opera. The flaw can let malicious attackers compromise the WebRTC component, which is used for real-time communication like video calls.
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, explained that the Excel bug grabbed the attention of security researchers because unsubstantiated open-source intelligence indicated that a weaponized Microsoft Excel spreadsheet was used as part of a sophisticated Chinese campaign to perform exploitation, as part of the ongoing adaptation and maturation of TTPs for the actor group Mandiant calls UNC4841.
Dunham said that while there is limited disclosure of in-the-wild exploitation related to CVE-2023-7101, UNC4841, a Chinese-nexus threat group, has a history of targeting Barracuda Networks, international governments and other high-value targets, now reportedly using the recently disclosed CVE-2023-7101 vulnerability.
“Successful exploitation is quickly followed with deployment of malicious payloads such as SEASPY and SALTWATER and customized malware shortly thereafter,” said Dunham. “Once persistence and reconnaissance are secured by the actor group, they may attempt to move laterally to land and expand as they further exploitation against targets. The sheer fact that CVE-2023-7101 made it into the CISA KEV catalog without yet having a CVSS score shows that the bug is significant in terms of its exploitability.”
John Bambenek, president at Bambenek Consulting, pointed out that Perl is an older programming language commonly used for text manipulation. As such, it became a staple in spam filtering software a couple of decades ago and remains core there today, though the language has generally fallen out of favor with developers.
Bambenek said what makes this vulnerability particularly interesting is that the threat actor behind last month’s exploitation went way off the beaten path to find a vulnerability that allowed for remote code execution in spam filtering software that made phishing attacks self-executing at the email gateway level and, thus, much more effective and impactful.
“This demonstrates sophisticated actors are looking at often overlooked aspects of our tech stack to find weaknesses in tools and libraries we may have completely forgotten about,” said Bambenek.
Eighth zero-day for Google's Chrome browser for 2023
On the Google zero-day, Ashley Leonard, chief executive officer at Syxsense, said Google acknowledged how critical this vulnerability was by releasing the discovery and disclosure on Dec. 20, just one day after the Google Threat Analysis Group discovered the vulnerability. Leonard said Google also publicly stated that they were aware of in-the-wild exploits, while urging users to update their browsers to the latest version.
“Without updating, there’s no other easy mitigation to defend against the attack,” said Leonard. “In terms of broader significance, it was the eighth Chrome zero-day of 2023. We believe this highlights the increasing frequency of critical vulnerabilities in Chrome, which isn’t surprising when you consider how widely used these products are, but also indicates a potential need for stronger DevSecOps and security measures.”