FBI Warns Chrome Users—Stop Downloading These Updates

Posted by Zak Doffman, Contributor | 21 hours ago | /cybersecurity, /innovation, Cybersecurity, Innovation, standard | Views: 14


Republished on July 26 with new warnings for users of Chrome and other platforms as the threat of new attacks quickly escalates.

If you use Windows, it’s likely Chrome is installed as the default browser on your PC. Google’s browser still dominates, despite Microsoft’s continued attempts to push users to Edge and the new threat from AI browsers, which is picking up pace.

But Chrome is a victim of its own success. Because attackers know you likely have it installed, it’s the perfect access point to your PC and your data if they can find a way in. That’s why you see a procession of zero-day warnings and emergency updates. It’s also why the FBI is warning of the critical threat from fake Chrome updates.

So it is with the latest warning from FBI and CISA — America’s cyber defense agency — as part of the “ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.”


The latest advisory issued on Tuesday is aimed at the recent surge in Interlock ransomware attacks. And while most of the advice is for those responsible for securing corporate networks and enforcing IT policies, it carries a warning for PC users as well.

Ransomware attacks need a way in, so-called “initial access.” And if you have a PC (or smartphone) connected to your employer’s network, that means you. The advisory also urges organizations to “train users to spot social engineering attempts.”

In the case of Interlock, two such methods of initial entry use the same lures as attackers are using to target your personal accounts and the data and security credentials on your own devices. You should be watching for these anyway.

One of the methods is ClickFix, which is easy to detect. This is where a message or popup instructs you to paste text into a Windows command prompt and then execute that script. It’s done by faking a technical problem or a secure site or file you need to open. Any such instruction is always an attack and must be ignored.

But the primary method of initial entry flagged by the FBI is unofficial Chrome updates. “The fake Google Chrome browser executable functions as a remote access trojan (RAT) designed to execute a PowerShell script that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in.”
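The persistence the advisory describes, a file dropped into the Windows Startup folder so the RAT relaunches at every logon, is something a user or IT team can audit directly. The following PowerShell is an added example written for this article, not code from the advisory or from Google; it lists both Startup folders (per-user and all-users), resolves shortcuts to their real targets, and flags entries that are scripts, unsigned, or carry a signature that does not validate.

```powershell
# Added example: audit the Windows Startup folders for entries a fake-update
# dropper would typically leave behind. Run in an elevated PowerShell session
# so the all-users folder is readable.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Resolve-StartupTarget {
    param([System.IO.FileInfo]$Item)
    # A .lnk shortcut points elsewhere; inspect the real executable, not the link.
    if ($Item.Extension -ieq '.lnk') {
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($Item.FullName).TargetPath
        if ($target) { return $target }
    }
    return $Item.FullName
}

function Get-StartupAudit {
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        # -Force includes hidden files, which droppers commonly set.
        Get-ChildItem -Path $dir -File -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target   = Resolve-StartupTarget $_
                $sig      = if (Test-Path $target) { Get-AuthenticodeSignature -FilePath $target } else { $null }
                # Script launchers (PowerShell, batch, VBS, JS, HTA) are the classic
                # shape of the "run a PowerShell script at logon" persistence described above.
                $isScript = $target -match '\.(ps1|bat|cmd|vbs|js|hta)$'
                [PSCustomObject]@{
                    StartupFolder = $dir
                    Entry         = $_.Name
                    Target        = $target
                    Created       = $_.CreationTime
                    Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                    SigStatus     = if ($sig) { $sig.Status } else { 'TargetMissing' }
                    Suspicious    = $isScript -or (-not $sig) -or ($sig.Status -ne 'Valid')
                }
            }
    }
}

Get-StartupAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A `Suspicious` entry is not proof of compromise (some legitimate installers also drop unsigned scripts), but anything created recently that you did not put there deserves a closer look and, on a managed device, a ticket to the IT team.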

Fake Chrome installations and updates have become a recurring theme — on Windows PCs and also on Android smartphones. As with ClickFix, the advice is very clear. Do not access updates or fresh installations using links sent in emails or messages. Always download apps and updates from official stores or websites.

Remember that Chrome will automatically download updates and instruct you to restart your browser once that’s done to make sure it installs. You don’t need to hunt these down or follow arbitrary links, however those links are sent to you.

ESET’s Jake Moore warns that “the word ‘update’ is usually synonymous with security but in this instance, it’s quite the opposite. Whilst keeping software up to date is generally best practice, blindly installing updates without verifying their integrity can actually sometimes introduce new risks.”
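Moore’s point about verifying an update’s integrity can be made concrete. The PowerShell below is an added example, not code from the article, ESET or Google; given the path of a downloaded installer (the `ChromeSetup.exe` location is an assumed placeholder), it checks that the file carries a valid Authenticode signature chaining to a trusted root, that the signer’s certificate names Google LLC as the organisation (assumed to match Google’s code-signing certificate), and reports the download origin recorded in the file’s Mark-of-the-Web so it can be compared against Google’s official site.

```powershell
# Added example: verify a downloaded Chrome installer before running it.
function Test-ChromeInstaller {
    param([Parameter(Mandatory)][string]$InstallerPath)

    if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }

    $sig     = Get-AuthenticodeSignature -FilePath $InstallerPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A genuine Google-signed binary validates against a trusted root ('Valid') and
    # its signer subject names Google as the organisation (assumption: 'O=Google LLC').
    # Either check failing is a strong signal that this is not an official installer.
    $chainTrusted   = ($sig.Status -eq 'Valid')
    $signedByGoogle = ($subject -match 'O=Google LLC')

    # Mark-of-the-Web: files saved by a browser carry a Zone.Identifier alternate data
    # stream whose HostUrl records where the download actually came from.
    $zone    = Get-Content -Path $InstallerPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [PSCustomObject]@{
        File           = $InstallerPath
        SignatureState = $sig.Status
        Signer         = $subject
        DownloadedFrom = if ($hostUrl) { $hostUrl } else { '(no Zone.Identifier / unknown)' }
        SafeToRun      = ($chainTrusted -and $signedByGoogle)
    }
}

# Usage: point this at the file you were asked to run (placeholder path).
Test-ChromeInstaller -InstallerPath "$env:USERPROFILE\Downloads\ChromeSetup.exe"
```

If `SafeToRun` is false, or `DownloadedFrom` is anything other than a Google domain, delete the file and fetch Chrome from google.com/chrome instead; the installed browser’s own updater needs none of this because it verifies updates itself.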

Using these tactics to compromise user devices and steal enterprise credentials is not the usual method of entry for ransomware. But Interlock is new, first seen last year, so maybe it’s not surprising that it’s using easy-to-deploy lures surging elsewhere.

In the wake of the FBI’s latest ransomware warning, there’s now some better news courtesy of NCC. “Ransomware attacks,” it says, “fell by almost half in Q2.” But even so, these attacks remain “on the front line of cyber warfare.”

NCC says that “despite a record-breaking start to the year, June was the fourth month in a row in which ransomware attacks dropped globally, declining by 6% with 371 cases. Q2 as a whole experienced a 43% decline from Q1 due to seasonal slowdowns such as Easter and Ramadan, and increased law enforcement disruption of key operators.”


It will be interesting to see whether the current SharePoint attacks exploiting unfixed Microsoft vulnerabilities shift those numbers over the coming weeks. As Microsoft has warned, “we have observed a China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware.”

Unlike the Chrome warning, which applies only to fake updates not the real browser, the SharePoint attacks do exploit genuine versions of the product. “With the rapid adoption of these exploits,” Microsoft says it “assesses with high confidence that threat actors will continue to integrate them into their attacks.”

NCC presciently notes that “the decline created space for new threat actors to exploit global instability and, looking ahead to Q3, we can expect disrupted groups to return in collaboration with social engineering actors, conducting more advanced attacks.”

Fortunately, avoiding those two traps is just as easy if you know what to look for. Meanwhile, you should update Chrome — the official way — as soon as possible, given Google’s latest set of high-severity fixes also issued on Tuesday.

There are now new CISA update mandates in effect for federal employees to update or stop using their browsers. The most recent warns users to update by August 12, given the “improper input validation vulnerability in ANGLE and GPU.”

CISA says “this vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page,” and also warns that it affects all browsers built on the Chromium platform, including Microsoft Edge.

The prior CISA Chrome update mandate has only just expired, on July 23, after America’s cyber defense agency warned that Chrome’s V8 engine “contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page.”

CISA also reiterated the human error dimension of these attacks. In a Friday post, the agency warned that “95% of data breaches are caused by human error. Clicking sketchy links, using weak passwords, or skipping MFA.” Clearly, downloading and installing fake Chrome updates are also high on that list.

Moore warns that “Windows users should remain vigilant and until a safe version is released by Google, they should either skip the update or even consider temporarily switching browsers. It is a huge reminder that even trusted giants such as Google can become a threat actor if people aren’t well informed.”


Meanwhile, the SharePoint ransomware warning has triggered even more critical warnings, with unusual 24-hour update mandates to focus the minds of the federal employees who must adhere to the update mandates by law. Given the accelerated nature of those new ransomware attacks, all organizations should do the same.

According to Recorded Future News, CISA “is aware of federal agencies as well as state entities that may be affected by the campaign.”

ESET, meanwhile, “has confirmed Microsoft’s assessment that Chinese government-backed groups are seizing on the bug and the company’s telemetry showed ‘the victims of the ToolShell attacks include several high-value government organizations that have been long-standing targets of these groups’.”

As for Chrome and the very real ransomware threat flagged by the FBI, ESET’s Moore says “IT teams should think about temporarily disabling automatic Chrome updates on managed devices in case of unknowingly adding extra threats to their networks plus they should monitor for any anomalies in case they have automatically moved across to this version. Staying informed is extremely valuable and it remains vital that users should always verify the source and content of updates.”
