Search This Blog

Showing posts with label Browser. Show all posts

OnionPoison: Malicious Tor Browser Installer Distributed through YouTube Video

 

Researchers at Kaspersky have detected a trojanized version of the Window installer for the Tor Browser, that is being distributed through a popular Chinese YouTube channel. 
 
The malware campaign, dubbed OnionPoison allegedly reaches internet users through the Chinese-language YouTube video. The video is providing users with information on ‘staying anonymous online.’ 
 
The threat actors attach a malicious URL link to the official Tor website, below the YouTube video. Additionally, adding another link to a cloud-sharing service hosting an installer for Tor was modified to include malicious code.  
 
The YouTube Channel has more than 180,000 subscribers, with the video being on top result for the YouTube query ‘Tor浏览器’ translating to “Tor Browser.” The video, posted on January 2022 had more than 64,000 views at the time of discovery (March 2022), reported Kaspersky. The malware installs a malicious Tor Browser that is structured to expose user data that involves a list of installed software, browsing history, and data the users may have entered in a website form. The researchers also found that the library bundled with Tor Browser is infected with spyware. 
 
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it [...] We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.” reads the analysis conducted by Kaspersky. 
 
It is worth mentioning that the Tor browser is banned in China on account of China's extensive internet censorship. As a result, users often access the browser through third-party websites for downloading it. Hence, the users are most likely to be exposed to scams and be deceived into downloading the malicious installer.  
 
It is believed that the intention of the OnionPoison campaign may not be financially motivated as the threat actors did not recover any credentials or wallets.  
 
In regard to this, the researchers are warning China-based users and companies to avoid using third-party websites for downloading software to prevent becoming targets of threat actors.  
 

Kimsuky Makes E-Mails Hacking Browser Extensions

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 












Google Delays Phasing Out Ad Cookies on Chrome Until 2024

 

Google announced on Wednesday that it is postponing its plans to disable third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. 

"The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox, stated. 

Keeping this in mind, the internet and ad tech behemoth announced a "deliberate approach" to extending the testing window for its continuing Privacy Sandbox activities before phasing out third-party cookies. Cookies are packets of data that a web browser places on a user's computer or another device when they visit a website, with third-party cookies powering much of the digital advertising ecosystem and its capacity to follow users across other sites to serve tailored adverts. 

Google's Privacy Sandbox is an umbrella phrase for a collection of technologies aimed at improving consumers' privacy across the web and Android by limiting cross-site and cross-app tracking and offering improved, safer alternatives to serve interest-based ads. While Google had intended to launch the functionality in early 2022, it altered the timeframe in June 2021, proposing to phase away third-party cookies over a three-month period beginning in mid-2023 and concluding in late 2023. 

"It's become clear that more time is needed across the ecosystem to get this right," the company noted at the time. 

The second extension comes after Google introduced Topics API in January 2022 as a successor for FLoC (short for Federated Learning of Cohorts), followed by a developer preview of Privacy Sandbox for Android in May. 

In February 2022, the UK Competition and Markets Authority (CMA) formally accepted Google's commitments on how it develops the technology, emphasising the need to flesh out Privacy Sandbox so that it promotes competition and helps publishers increase ad revenue while also protecting consumer privacy. According to the revised plan, Privacy Sandbox trials will be opened to users worldwide next month, with the number of people participating in the testing increasing during the remainder of the year and into 2023. 

Google also stated that users will be prompted to control their participation and that the APIs will be broadly accessible by Q3 2023, with third-party cookie support expected to be phased off in H2 2024. For its part, the CMA confirmed that it is aware of "alternative approaches being created by third parties" and that it is "working with the [Information Commissioner's Office] to better assess their feasibility and possible implications.

Tor Browser 11.5 Adds Censorship Detection & Circumvention

 

Tor Project's flagship anonymizing browser has been upgraded to make it simpler for users to avoid government attempts to prohibit its usage in various locations. According to the non-profit organisation that controls the open source software, Tor Browser 11.5 would change the user experience of connecting to Tor from strongly censored locations. 

It replaces a "manual and confusing procedure" in which users have to maintain their own Tor Network settings to figure out how to utilise a bridge to unblock Tor in their location. Because various bridge settings may be required in different countries, the Tor Project stated that the manual effort placed an undue hardship on restricted users. 

Connection Assist is its answer, and it will automatically apply the bridge configuration that should perform best in a user's exact location. China, Russia, Belarus, and Turkmenistan are among the countries that have blocked the Tor Network. Volunteers from these and other impacted nations are encouraged to apply to be alpha testers so that their feedback may be shared with the community. 

The Tor Project has revised its Tor Network settings to improve the user experience for people who still want to manually configure their software. There is also a new HTTPS-only default option for users, which protects consumers by encrypting communication between their system and the web servers it communicates with. 

“This change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for man-in-the-middle attacks in the first place,” it stated. 

Although the Tor Browser is often linked with illicit black web browsing, it is also a useful tool for activists, journalists, dissidents, and NGO workers working under harsh government regimes.

Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The transition will occur as a result of the deployment of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The new PNA specification introduces a feature to the Chrome browser that allows websites to request permission from computers on local networks before creating a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as perEiji Kitamura and Titouan Rigoudy, Google. 

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks

Google Chrome has blocked HTTPS, FTP, and HTTP access to TCP (transmission control protocol) port 10080 to protect ports getting exploited from NAT Slipstreaming 2.0 attacks. In 2020, cybersecurity expert Samy Kamkar revealed a new variant of the NAT Slipstreaming vulnerability that lets scripts on illicit websites avoid a user's NAT firewall and hack into any UDP/TCP port on the target's internal network. By exploiting these vulnerabilities, hackers can deploy a variety of attacks, these include modification of router configurations and hacking into private network services. 

"NAT Slipstreaming was discovered by security researcher Samy Kamkar and it requires the victims to visit the threat actor's malicious website (or a site with maliciously crafted ads). To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously-crafted HTTP requests camouflaged as valid SIP requests," reported Bleeping Computers in 2019. The flaw only works on selected ports configured by a router's ALG (Application Level Gateway), ports that don't receive much traffic are being blocked by browser developers. 

As of now, Chrome has blocked HTTPS, HTTP, and FTP access on ports 1719, 1720, 1723, 5060, 5061, 69, 137, 161, and 554. Recently, Google said that it is considering blocking TCP port 10080 in Chrome. Firefox had blocked TCP port 10080 already in November last year. But the most worrisome aspect relating to 10080 is may developers may start using it as a replacement to port 80. They may find it useful as the port ends in '80' which makes it attractive. Besides this, the port doesn't require root privileges for binding into Unix systems, said Adam Rice, developer at Google Chrome. 

For developers that want to continue using this post, Mr. Rice will add an enterprise policy that will allow the developers to use the port by overriding the block. If a port is blocked, the user is displayed a "ERR_UNSAFE_PORT" error message while trying to gain access to the port. "If you are currently hosting a website on port 10080, you may want to consider using a different port to allow Google Chrome to continue accessing the site," said Bleeping computer.

New Method to Perform XS-Leak Side Channel Attacks Disclosed

 

Luan Herrera, a cybersecurity expert committed to vulnerability reporting, detailed another approach to performing a side-channel assault variant known as XS-Leak abusing redirect hops to trigger a cross-site leak condition. Herrera's research centers around the XS-Leaks group of side-channel assaults, equipped for abusing a browser to extricate conceivably sensitive data into the exposed system, including administrator credentials. XS-Leak assault strategies depend on measuring network reaction time to gather information about site visitors by abusing communication channels that permit sites to communicate with one another to recreate a client's or system's profile. 

The documents mention a "novel technique" for abusing a limitation in the Fetch specification, a way that permits sites to call resources: “A limit of 20 redirect hops is set before a network error message appears; because of this limit, threat actors could count the number of redirect hops that occur in a cross-origin redirect by activating the redirect before reaching the victim’s endpoint, measuring network responses, and partially exposing the size of the URL list,” the report says. 

The expert additionally detailed a few different ways to detect and forestall these cross-redirects that can prompt a side-channel assault, including the utilization of SameSite cookies, COOP and frame protections. Google is likewise aware of this issue, so measures such as confining some chrome-accessible websites have just been announced to reduce the amount of data exposed in a potential side-channel assault. 

Herrera concurs that this assault can be forestalled in the same way that similar assault variations are forestalled, although he believes that a holistic perspective on the issue is required: “A comprehensive view of the problem is still being discussed on GitHub about whether it is possible to change the Fetch specification and the limit value in order to prevent the appearance of these attack variants,” adds the researcher. 

The report also incorporates the results of a challenge to deploy an XSS assault utilizing JavaScript code. A Google security expert known as "terjanq" also directed an investigation concerning the XS-Leak family of assaults, describing the launch of a cache polling assault against a small group of Google products, which could deploy a leak of sensitive data.

Firefox Web Browser Launching Its Own Paid VPN Service



The Firefox Private Network service launched in beta just the previous year as a browser extension for desktop versions of the Firefox web browser is all set to be renamed as Mozilla VPN.

According to a blog post, Mozilla VPN will move out of the beta and be available as a standalone service later this year with select regions, which will include the United States.

The VPN will be accessible for $4.99 every month and the user will have the option to utilize around five devices with a similar account. Mozilla specifies this pricing is just temporary yet has not clarified whether the price will be increased or new plans introduced for fewer devices.

Mozilla VPN will be launched as a standalone and system-wide VPN service for Android, iOS, Windows, ChromeOS, macOS, and Linux platforms throughout the next few weeks.

While the Android, iOS, Windows, and Chromebook clients will be available at first, Mozilla is likewise chipping away at Mac and Linux clients which have additionally been requested by the beta testers.

Mozilla, as opposed to other web browser makers like Opera, isn't offering the service for nothing. They claim that a paid service will permit the organization to continue offering the service without benefiting from users’ data.

The service, in its current form as Firefox Private Network, is fuelled by Mullvad VPN and has servers in excess of 30 nations. It runs on the WireGuard standard that offers more privacy and better execution when contrasted with customary standards like OpenVPN being another protocol; it may not be as steady as the 'legacy' ones.

In the event that the user wishes to be a part of the beta testing or express interest for the service to be accessible in their region, they can join the waitlist by signing up the official website of the Firefox Private Network VPN and they will be notified whenever Firefox Private Network is accessible for their device and region.

The link of which is provided below: https://fpn.firefox.com/vpn/invite