Search This Blog

Showing posts with label Chrome. Show all posts

Google Blames Spanish Spyware of Exploiting Chrome, Windows, and Firefox Zero-Days


Variston IT Spyware behind an attack on Google

A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018. 

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems. 

What is Heliconia vulnerability?

Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively. 

Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.  

But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit. 

Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further. 

Google blog said

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.

Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape

Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit

Files: a set of Firefox exploits for Linux and Windows.






SolarMarker Using Watering Hole Attacks and Fake Chrome Browser Updates, Infects Business Professionals

 

Researchers have uncovered the cyberattack group behind the SolarMarker malware, which is targeting a global tax consulting firm with offices in the United States, Canada, the United Kingdom, and Europe. It is using fake Chrome browser updates as part of watering hole attacks. This is a fresh approach for the group, replacing its previous method of SEO poisoning, also known as spamdexing. 

SolarMarker is a multistage malware that can steal autofill data, saved passwords, and credit card information from victims' browsers. According to an advisory issued on Friday by eSentire's Threat Response Unit (TRU), the threat group was observed exploiting vulnerabilities in a medical equipment manufacturer's website, which was built with the popular open-source content management system WordPress. The victim worked for a tax consulting firm and used Google to look up the manufacturer's name.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

Considering that the TRU team has only witnessed a single infection of this vector type, it is unclear whether the SolarMarker group is testing new tactics or preparing for a larger campaign. Previous SolarMarker attacks used SEO poisoning to target people who searched online for free templates of popular business documents and business forms.

Increase Employee Awareness by Monitoring Endpoints

The TRU advisory outlines four key steps organisations can take to mitigate the impact of these types of attacks, including increasing employee awareness of automatic browser updates and avoiding downloading files from unknown sites.
 
"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

TRU also recommends more vigilant endpoint monitoring, which will necessitate more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to strengthen the organization's overall defence posture.

SolarMarker Campaigns Relaunched Following a Dormant Period

The.NET malware was discovered in 2020 and is typically distributed via a PowerShell installer, with data-gathering capabilities and a backdoor.

Sophos Labs discovered a number of active SolarMarker campaigns in October 2021 that followed a common pattern: cybercriminals used SEO techniques to place links to websites with Trojanized content in the search results of several search engines.

Menlo Security previously reported a SolarMarker campaign in October 2021 that used over 2,000 unique search terms to lure users to sites that then dropped malicious PDFs rigged with backdoors.

ChromeLoader: Microsoft, VMware Warns of the New Malware Campaigns

 

Microsoft and VMware are warning about the ongoing widespread malware campaign of ChromeLoader, which led to an “ongoing wide-ranging click frauds” later this year. 

The malware tool named ChromeLoader is apparently hijacking the browsers to redirect users to ad pages. The software has now evolved into a potential threat by deploying more potent payloads that go beyond malvertising. Variants of ChromeLoader have been dropping malicious browser extensions, node WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread campaign of click frauds and attributed it to a threat actor DEV-0796. The malware attack begins with an ISO file that is downloaded when the user clicks a malicious ad, browser redirects, or Youtube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit that they have installed on the victim’s device, without being detected.  

The researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services that would lead users to ChromeLoader. The researchers observed hundreds of attacks that included variants of the malware, targeting multiples sectors such as education, government, healthcare, and enterprises in business services. 

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it” warns the researchers. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected the user traffic to advertising sites performing click frauds and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers, in an advisory released on September 19. 

Since Adware does not cause any significant damage to a victim’s software, the threat is not taken seriously by analysts. However, any software, such as ChromeLoader, that could enter a system undetected, is an immediate threat to a user, as the victim may as well apply modifications, facilitating monetization options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

Researchers Discover Kimusky Infra Targeting South Korean Politicians and Diplomats

 

Kimusky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022. 

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting to the implementation of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. South Korean university professors, think tank researchers, and government officials are among the potential victims. 

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphon email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents supposedly comprising content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

New Google Chrome Zero-Day Flaw Being Exploited in the Wild

 

Google launched patches for the Chrome browser for desktops on Tuesday that address an actively exploited high-severity zero-day flaw in the wild. The issue, identified as CVE-2022-2856, has been described as a case of insufficient validation of untrusted input in Intents. 

On July 19, 2022, security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with discovering the flaw. As is customary, the tech powerhouse has withheld further details about the flaw until the vast majority of users have been informed. 

"Google is aware that an exploit for CVE-2022-2856 exists in the wild," the company said aptly.

The latest update also addresses ten other security flaws, the majority of which are related to use-after-free flaws in various components such as FedCM, SwiftShader, ANGLE, and Blink. A heap buffer overflow vulnerability in Downloads has also been fixed.

This is the fifth zero-day vulnerability in Chrome that Google has fixed since the beginning of the year.
  • CVE-2022-0609 - Use-after-free in Animation
  • CVE-2022-1096 - Type confusion in V8
  • CVE-2022-1364 - Type confusion in V8
  • CVE-2022-2294 - Heap buffer overflow in WebRTC
To mitigate potential threats, users are advised to update to version 104.0.5112.101 for macOS and Linux, and 104.0.5112.102/101 for Windows. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as they become available.

Kimsuky Makes E-Mails Hacking Browser Extensions

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 












V8 Type Confusion Vulnerability Hits Google Chrome & Microsoft Edge Browser

 

Following the discovery of a V8 vulnerability in Chrome and Edge that has been exploited in the wild, ZDNet recommends that users running Windows, macOS, or Linux update their Chrome builds to version 99.0.4844.84, as an out-of-band security update was recently released by Google to address the issue. 

Concerning the V8 Vulnerability:

There isn't much information available about this recently discovered vulnerability, as Google stated that it will wait for the bulk of users to update their browsers before acting. As per Google, “Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.” 

What is known is that the bug in question has been assigned CVE-2022-1096, which is a zero-day "type confusion in V8" bug and was reported on March 23, 2022, by an "anonymous" researcher. V8 is a JavaScript engine that is completely free and open-source. The Chromium Project created it for Google Chrome and Chromium web browsers. 

Lars Bak is the person who came up with the idea for the project. It's worth noting that the first version of Firefox was released in 2008, almost simultaneously with the initial version of Chrome. Because the V8 vulnerability affected Edge as well, Microsoft Office issued a statement on the subject, stating that the issue had been resolved in Edge version 99.0.1150.55. 

Microsoft’s notice reads, “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.”

Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The transition will occur as a result of the deployment of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The new PNA specification introduces a feature to the Chrome browser that allows websites to request permission from computers on local networks before creating a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as perEiji Kitamura and Titouan Rigoudy, Google. 

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

Threat Actors Exploit Chrome to Deliver Malware as Windows 10 App

 

Hackers that launched a recently discovered malware campaign are attacking Windows 10 with a malware which could infect systems with a process which evades Windows cybersecurity protections known as User Account Control (UAC). "Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood," reports ThreatPost. Rapid7 cybersecurity experts discovered the campaign and warned the goal of hackers is to extract out personal data and steal cryptocurrency from infected victim PC.
According to experts, malware is very persistent on PC, exploiting the Windows environment variable and a local scheduled task to make sure it constantly executes with extra privileges. The attack chain initiates when a Chrome browser user opens a malicious site, followed by opening of a "browser ad service" which requests the user to take some action. However, it isn't confirmed what the experts mean by 'browser ad service.' The end goal of the hacker is to steal data using info-stealer malware, stolen data includes browser credentials and cryptocurrency. 

Besides this, other suspicious activities include stopping browser update and creating a system situation suitable for arbitrary commands execution. Hackers have been using a compromised site particularly built for to abuse a Chrome browser version (that runs on windows 10) to provide malicious payloads. The investigations of user chrome browser also showed redirects to various malicious domains and other suspicious redirect chains prior to the first stage infection. 

"Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led theRapid7 team to suspect that it had been compromised, Iwamaye said.It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated," reports ThreatPost.

Security Researcher Discovers Serious Flaw in Chromium, Bags $15,000 Reward

 

A recently patched vulnerability in the Chromium project enabled malicious parties to inject code in embedded site pages, despite the fact that these resources were separated from the parent website. 

Chromium is an open-source browser project that intends to make the web a safer, faster, and more stable experience for everyone. The site provides design documents, architecture overviews, testing information to assists users in learning to build and work with the Chromium source code.

The security researcher who initially discovered the vulnerability presented a proof of concept that illustrates an attacker-controlled website abusing the vulnerability to manipulate the information of an embedded website, despite the fact that the target and destinations are on different servers. 

As illustrated in a recent post on the Chromium website, the vulnerability may be leveraged even if the web browser "site isolation" feature is turned on. Site isolation is a security feature that divides each website into its own process to increase security. 

According to the expert, inter-process communication of isolated processes featured a race condition, which is an attack that targets systems that must execute the task in several phases. If the system is susceptible for a brief period of time between execution steps, the attacker can take advantage of the security vulnerability to make destructive changes. Among other exploits, this flaw may allow intruders to insert malicious code into embedded sites or steal personal information from users. 

The vulnerability was discovered in late March and resolved before the end of April. The security researcher received $15,000 from Google's Vulnerability Rewards Program for his finding. The vulnerability has been demonstrated as a “site isolation break because of double fetch of shared buffer”. 

“We always appreciate working with the research community through our Vulnerability Rewards Program, and thanks to this report we were able to patch the issue in Chrome 90,” a Google spokesman stated The Daily Swig.

Chrome 92 Update by Google Patches 10 High Severity Vulnerabilities

 

Chrome 92 (92.0.4515.131), the Google security update issued for Windows, Mac, and Linux has patched at least 10 vulnerabilities. Chrome 92, is an update that improves browser efficiency on phish calculations, extends the scope of user website isolation technologies, and includes a few new 'Chrome Actions' to the repertory. 

The search giant established in California has awarded over $133,000 in rewards to users who identified some 35 vulnerabilities addressed in Chrome 92. At least 9 of the flaws were categorized under high severity, the current highest threat level from Google. 

The 360 Alpha Lab team from the Chinese cybersecurity company Qihoo 360's researchers Leecraso and Guang Gong have won $20,000 for detecting a high-severity vulnerability identified as CVE-2021-30590. The issue was described as a bookmark buffer overflow by Google. 

Leecraso told the SecurityWeek team that, CVE-2021-30590 is an issue of sandbox escape that could be "exploited with an extension or a compromised renderer." An intruder can exploit the fault to remotely execute code outside of the sandbox of Chrome. The vulnerability might be leveraged to breakout from the browser's sandbox because of its out-of-bounds write. And it would only need the user to download the extension to take advantage of. 

Google Chrome Sandbox is a creation and test environment for Google Chrome-based applications developers. A test and staging infrastructure is provided by the sandbox environment without the code getting tested for modifications to current code and databases. 

Two vulnerabilities uncovered by researcher David Erceg have also been rated with a high level of severity. CVE-2021-30592, characterized as an off-bound writing problem on Google's Tab Groups, rewarded him $10,000, while CVE-2021-30593 has earned him a $5,000 bug reward, which was defined as an out-of-bounds read bug in Tab Strips. 

“CVE-2021-30592 would require a malicious extension to be installed,” Erceg told SecurityWeek. “As for CVE-2021-30593,” he added, “it would be easier to trigger with an extension, though a web page could trigger the behavior under some more restricted circumstances. The impact is similar to CVE-2021-30592, in that an attacker could potentially escape the sandbox if they could set up memory in the appropriate way before the out-of-bounds read occurs. This issue could also be exploited on its own, but it does require some more specific interaction from the user.” 

CVE-2021-30591, an after-free flaw within the File System API is yet another elevated vulnerability that Google paid out at $20,000. Reportedly, it was discovered by the Researcher SorryMybad of Kunlun Lab.

It is worthy to be noted that Google pays up to $20,000 for Chrome's vulnerabilities of escape sandbox revealed in a high-quality report. If researchers additionally offer a functioning exploit, they can receive up to $30,000 for such flaws. 

Consumers must upgrade Chrome as soon as possible, given that the web browser seems to be increasingly targeted for malicious activity. It is worth noting that this year, Google fixed over half a dozen of zero-day vulnerabilities that were being actively exploited.

Research Reveals More Than 2000 Chrome Extensions Disabled Security Headers

 

Tens of thousands of Google Chrome extensions accessible from the official Chrome Online Store manipulate security headers on major websites, posing the danger of web attacks for visitors. 

Although the security headers are little known, they are a vital aspect of the present internet ecosystem. A key component of website security is the HTTP security header. When implemented, it protects users against the kinds of attacks most probably happening on the website. These headers protect XSS, injection code, clickjacking, etc. 

In many other cases, as per the research team, they examined CSP and other security headers, deactivated Chrome extensions “to introduce additional seemingly benign functionalities on the visited web page,” and didn't even look like it was nefarious in purpose. That is because Chrome's framework forces extensions in the name of security to do that, paradoxically. Standard extension code could access the DOM page, but no scripts on the page can interact. 

If a user has access to the website, the browser requests the webpage of a server. While websites per se are presented through HTML, JavaScript, and CSS code, website owners can direct the browser to handle the provided material in various ways by adding additional parameters in the HTTP connection header. 

While not all websites have security headers, many of today's leading Web services commonly incorporate them to protect their customers against attacks, as they frequently face more web-based attacks than conventional sites, because of their larger size. 

Although website managers are configuring their security headers, this does not mean that security headers are still in existence at the client-side where such things can be detected and prevented by attackers with a mid-range attack scheme, malware executing on an operating system, or browser extensions. 

Researchers at the CISPA Helmholtz Centre stated that they were trying to evaluate the number of Chrome extensions that have been damaged by the security for the first time headers. 

The research team has studied 186,434 Chrome extensions, which were accessible last year on the official Chrome Web Store, using a custom infrastructure they particularly developed for the research. 

Their analysis discovered that 2,485 extensions intercepted and altered at least one safety header used by the most famous today's Top 100 websites. The study focused on the four most prevalent safety headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame Options, and X-Content-Type Options. 

While 2485 extensions had disabled at least one, researchers found that 553 were deactivated by all 4 safety headers studied during their investigation. 

CSP, a security header created to enable site owners to regulate what internet resources a page can charge inside a browser as well as a standard defense to prevent websites and browsers from XSS and dataset injections, was the most widely blocked header for security concerns.

Google Tricked Millions of Chrome Users in the Name of 'Privacy'

 

Google revealed last month that it is rolling out the Federated Learning of Cohorts (FLoC) program, an important part of its ‘Privacy Sandbox Project’ for Chrome. The company advertised FLoC as the latest, privacy-preserving option in Google Chrome to the third-party cookie.

But the real question is can Google truly preserve the privacy of its users? Well, the results of the FLoC trial don’t indicate that. Millions of Chrome users had no control of their involvement in the FLoC trial, they received no personal text, and, currently, they have no option to opt out from the FLoC trial. The only option to leave the trial is by blocking all third-party cookies on their Google Chrome browsers.

What is the FLoC program? 

FLoC is based on machine learning technology designed by Google and is meant to be an alternative to the kind of cookies that advertising technology firms use today to track you across the web. Instead of a personally-identifiable cookie, FLoC runs locally and examines your browsing pattern to group you into a cohort of like-minded people with similar interests (and doesn’t share your browsing history with Google). That cohort is particular enough to permit advertisers to do their thing and show you relevant ads, but without being so specific as to allow marketers to spot you personally. 

This "interest-based trial,” as Google likes to call it, allows you to hide within the crowd of users with similar interests. All the browser displays are cohort ID and all your browsing history and other data stay locally. Google has also started testing the FLoC cookie for some Chrome users which allows them to analyze the new system in an origin trial. 

Last month, Google’s FLoC trial announcement, gave Chrome users no alternative to quitting before the trial started. Instead, Google quietly started to expand its FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines.

"When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we need a more private web, and we know third-party cookies aren’t the long-term answer. Overall we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was responsible and even harmful, to the open and free web we all enjoy,” Marshall Vale, Google’s product manager, stated.

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks

Google Chrome has blocked HTTPS, FTP, and HTTP access to TCP (transmission control protocol) port 10080 to protect ports getting exploited from NAT Slipstreaming 2.0 attacks. In 2020, cybersecurity expert Samy Kamkar revealed a new variant of the NAT Slipstreaming vulnerability that lets scripts on illicit websites avoid a user's NAT firewall and hack into any UDP/TCP port on the target's internal network. By exploiting these vulnerabilities, hackers can deploy a variety of attacks, these include modification of router configurations and hacking into private network services. 

"NAT Slipstreaming was discovered by security researcher Samy Kamkar and it requires the victims to visit the threat actor's malicious website (or a site with maliciously crafted ads). To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously-crafted HTTP requests camouflaged as valid SIP requests," reported Bleeping Computers in 2019. The flaw only works on selected ports configured by a router's ALG (Application Level Gateway), ports that don't receive much traffic are being blocked by browser developers. 

As of now, Chrome has blocked HTTPS, HTTP, and FTP access on ports 1719, 1720, 1723, 5060, 5061, 69, 137, 161, and 554. Recently, Google said that it is considering blocking TCP port 10080 in Chrome. Firefox had blocked TCP port 10080 already in November last year. But the most worrisome aspect relating to 10080 is may developers may start using it as a replacement to port 80. They may find it useful as the port ends in '80' which makes it attractive. Besides this, the port doesn't require root privileges for binding into Unix systems, said Adam Rice, developer at Google Chrome. 

For developers that want to continue using this post, Mr. Rice will add an enterprise policy that will allow the developers to use the port by overriding the block. If a port is blocked, the user is displayed a "ERR_UNSAFE_PORT" error message while trying to gain access to the port. "If you are currently hosting a website on port 10080, you may want to consider using a different port to allow Google Chrome to continue accessing the site," said Bleeping computer.

Privacy Essentials Vulnerabilities in the DuckDuckGo Browser Extension

 

DuckDuckGo, the widely used web extension for Chrome and Firefox, that is meant to protect the privacy of its users has resolved a universal cross-site scripting (uXSS) flaw. DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features, was identified with the vulnerability. The research scientist Wladimir Palant has disclosed that it can allow arbitrary code to be executed on any domain on victims' devices. While the issue has been patched in Chrome, no updates for browsers like Microsoft Edge were published in Mozilla Firefox initially while it was disclosed. 

First of all, for certain internal communication, the extension used unsecure communication chains which ironically caused a certain amount of data leakage through the domain borders. DuckDuckGo's second security vulnerability allowed the DuckDuckGo server to execute arbitrary JavaScripting code on a given domain, and a Cross-Site Scripting (XSS) vulnerability in this extension. 

The security vulnerability could allow malicious actors to spy on all websites visited by the user, making confidential material such as banking and other data available. He says that even when browsing the website it leaves their privacy "completely compromised" and can even utilize web sites with defensive measures, like the security of information. Palant said that someone else controlling ‘http://staticcdn.duckduckgo.com’ can only use this vulnerability, which means that an attacker needs accessing the server. 

 “The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.co,” Palant wrote. “So the good news [is]: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).” 

DuckDuckGo Privacy Essentials 2021.3. solves both problems. While initially it solved the issue for Chrome only. For certain reason Mozilla Firefox and Microsoft Edge, two releases were missed (insecure internal communication). Although Firefox and Edge can now have an extension version with the fix. 

These vulnerabilities are very characteristic, because in other extensions he has seen similar errors several times. This extension is not only one where the developers are clueless. The Google Chrome extension platform merely does not offer safe and convenient solutions. So most developers of extensions are bound to do the first attempt wrong. 

“As a more advanced consequence [if the attacker was a government agency], your communication in the browser is no longer private, even when using a secure mail provider like ProtonMail or communicating with journalists via SecureDrop.” 

As informed by a Mozilla spokesperson: "The extension is available in a fixed version now. Firefox users receive it, depending on their extension update settings, either through a manual or automatic update extension check."

Malicious Operations Hide Under The Google Chrome Sync Feature

 

Lately, the threat actors have detected a technique where they can use the sync feature of Google Chrome to transmit commands and steal data from infected systems, circumvent conventional firewalls and other network protections to infected browsers. Chrome sync is a Chrome browser feature that stores copies of a Chrome user's bookmarks, browsing history, browser passwords, and extension settings on Google's cloud servers. This function is used to synchronize the aforementioned data with various devices of a user so that the user still has access to his new Chrome information everywhere. 

On Thursday 4th of January, Bojan Zdrnja, a Croatian security researcher, shared his discovery, wherein a malicious Chrome extension exploited the Chrome sync as a way to connect with a remote command and control (C&C) server and to exfiltrate the details from compromised browsers during the latest incident reaction. 

In addition, Zdrnja added that the attackers had gotten access to a victim's device during the incident he investigated, however, because the data they tried to steal was inside the worker's portal, therefore they downloaded Chrome extension on the user’s system and loaded it in Developer's Mode. It included malicious code that abused Chrome's synchronized functionality to allow attackers to monitor the infected browser, which was used as a security add-on by security company Forcepoint. 

Zdrnja claimed that the purpose of this unique attack was to use the extension to "manipulate data in an internal web application that the victim had access to." 

"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja stated in a report. 

"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he added, wherein data stored in the key field could be anything. For instance, data obtained from the infected browser may be malicious extensions or commands the attacker desires to run the extension at an infected workstation (for example, usernames, passwords, cryptographic keys, or more).

Although the stolen content or corresponding commands are transmitted via Chrome's infrastructure, no process can be inspected or blocked in the majority of corporate networks, which are normally authorized to run and transfer data unimpeded by the Chrome browser. 

The researcher recommended businesses to use Chrome company and community decision assistance to block and monitor the plugins that could be installed on a browser, prohibiting rogue extensions, such as the one he investigated, from being installed.

Users can now Use 2 Step Verification on their Chrome and Safari Browser


Google has launched a new feature for ensuring users' security. You will now be able to enroll for 2 Factor Authentication Keys from Web browsers. Google is allowing you to enroll security keys on Android and macOS devices by making it easier to register for keys. "Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double-check that your identity is legitimate."


When you sign in into your account it asks for a username and password, this is the first verification process. Two-factor authentication adds another security layer after this to confirm your identity. It (2FA) could be a pin, a password, a one time password, a physical device, or biometric. It should be something only you have to know. Two-factor authentication is very important as a password isn't as protective as we believe. Cyber attackers can test billions of password combinations in a second.

Two-factor authentication or two-step verification adds another layer of protection besides a password, and it is hard for cybercriminals to get this second factor and reduces their chance to succeed. Now Google is offering these 2FA authentication keys, and you can register for these on macOS devices using Safari (v. 13.0.4 and up), and Android devices running Android 7.0 “N” and up, using the Google Chrome web browser (version 70 and up). Users can register these independently or with those who have signed up for the Advanced Protection Program. It's available for all users given you're using the mentioned version of the software.

What is Security Keys? 

Security Keys are the most secure form of two-factor authentication (2FA) or two-step verification to protect against various threats like hacking and phishing. Users are provided with physical keys that they can insert into the USB port of their device, when required the user will touch the key. On Android devices, the user will have to tap the key on their NFC ( Near Field Communication) enabled device. Android users can also opt for USB and Bluetooth keys. Apple mobile users will be provided Bluetooth-enabled security keys.

Google Cuts Down Chrome's Patch-Gap in Half, from 33 to 15 Days now


Last week, Google has announced the cutting down of 'patch gap' in half for Chrome and the future plans of cutting it down further are also making the headlines.

Security Engineers at Google told that the 'patch gap' for Google Chrome which earlier was 33 days has now been successfully reduced to only 15 days. Some of you might be wondering what exactly a 'patch gap' means, it refers to the time frame it takes from when a security bug gets fixed in an open-source library to when that fix reaches in software which used that library.

These days, when the software ecosystem contains most of the apps relying upon the open-source modules, patch-gap plays a major role as it creates a potential security risk.

How Patch-Gap involve Major Security Risk?

As soon as a security bug gets fixed by someone in a particular open-source library, all the details related to that bug become available in the public domain. It is simply because of the open nature of the open-source libraries and projects. Now, the software which is largely dependent on these easily accessible components available in open source libraries, become vulnerable to the attacks and exploits that hackers can craft by exploiting the details regarding the security flaws.

How Patch-Gap will be Useful?

Considering the likeliness of the aforementioned possibility, if the software developers are releasing patches on a fixed release schedule which includes updates incoming every week or in a couple of months, the patch-gap here will allow hackers to set-off attacks that most software will have difficulty in dealing with.

A member of the Chrome Security team, Andrew R. Whalley said, "We now make regular refresh releases every two weeks, containing the latest severe security fixes,"

"This has brought down the median 'patch gap' from 33 days in Chrome 76 to 15 days in Chrome 78, and we continue to work on improving it," he further told.

Apple Engineers to Standardize the Format of the SMS Messages Containing OTPs


A proposal comes from Apple engineers working at WebKit, the core component of the Safari web browser, to institutionalize the format of the SMS messages containing one-time passwords (OTP) that users receive during the two-factor authentication (2FA) login process.

 With 2 basic goals, the proposal aims initially is to introduce a way that OTP SMS messages can be associated with a URL, which is essentially done by adding the login URL inside the SMS itself.

And the second being to institutionalize the format of 2FA/OTP SMS messages, so browsers and other mobile applications can undoubtedly distinguish the approaching SMS, perceive web domain inside the message, and afterward consequently extract the OTP code and complete the login operation moving forward without any further user interaction.

According to the new proposal, the new SMS format for OTP codes would look like below:

747723 is your WEBSITE authentication code. 
@website.com #747723 

The first line, intended for human users, permits them to decide from what site the SMS OTP code originated from and the second line is for both human users as well as for applications and browsers.

 Applications and browsers will consequently extricate the OTP code and complete the 2FA login operation. In the event that there's a 'mismatch' and the auto-complete operation falls flat, human readers will have the option to see the site's original URL, and contrast it with the site they're attempting to login.

On the off chance that the two are not similar, at that point, users will be alerted that they're very a phishing site and forsake their login activity.

When browsers will deliver components for reading SMS OTP codes in the new format, significant providers of SMS OTP codes are required to switch to utilizing it. Starting now, Twilio has already communicated its enthusiasm for actualizing the new arrangement for its SMS OTP administrations. 

Presently, while Apple (WebKit) and Google (Chromium) engineers are quite energetic about the proposition, Mozilla (Firefox) has not yet given an official criticism on the standard yet.

Vulnerability in Chrome Allows To Virtually Take Over Any Android-Based Device



A critical vulnerability in Chrome for Android apparently exploited and displayed in a quite popular hacking contest is now being known to empower anybody with specialized technical expertise to remotely take control for all intents and purposes any Android-based device. 
Found by PacSec speaker Guang Gong from Qihoo 360 at Pwn2Own the vulnerability in Google's JavaScript v8 is said to purportedly influence all renditions of Android running the latest version of Chrome. 
What makes this specific vulnerability stand out amongst the remaining of the already established hazardous and risky ones is that being a 'one shot exploit', just one is sufficient to remotely hack the device. 
At first, the user is tricked into visiting a vindictive website on Chrome and once there, an attacker effectively installs an arbitrary application into the device thusly gaining full privileges. 
"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone," it was reported.
Despite the fact that android fixed 33 vulnerabilities, in which, 9 vulnerabilities were categorized under critical severity and rest of the 24 were fixed under "high" severity.
Until now no more insights regarding the exploits have been unveiled. Google, on the other hand has purportedly been made mindful of the Chrome vulnerability, regardless of whether it has been fixed is yet to be affirmed.