Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Internet. Show all posts
Technology
Browser Firefox Internet Mozilla Technology

Malicious Firefox Extension Steals Verification Tokens: Update to stay safe


Credential theft and browser security were commonly found in Google Chrome browsers due to its wide popularity and usage. Recently, however, cyber criminals have started targeting Mozilla Firefox users. A recent report disclosed a total of eight malicious Firefox extensions that could spy on users and even steal verification tokens.

About the malicious extension

Regardless of the web browser we use, criminals are always on the hunt. Threat actors generally prefer malicious extensions or add-ons; therefore, browser vendors like Mozilla offer background protections and public support to minimize these threats as much as possible. Despite such a measure, on July 4th, the Socket Threat Research Team's report revealed that threat actors are still targeting Firefox users. 

According to Kush Pandya, security engineer at Socket Threat Research Team, said that while the “investigation focuses on Firefox extensions, these threats span the entire browser ecosystem.” However, the particular Firefox investigation revealed a total of eight potentially harmful extensions, including user session hijacking to earn commissions on websites, redirection to scam sites, surveillance via an invisible iframe tracking method, and the most serious: authentication theft.

How to mitigate the Firefox attack threat

Users are advised to read the technical details of the extensions. According to Forbes, Mozilla is taking positive action to protect Firefox users from such threats. The company has taken care of the extensions mentioned in the report. According to Mozilla, the malicious extension impacted a very small number of users; some of the extensions have been shut down. 

“We help users customize their browsing experience by featuring a variety of add-ons, manually reviewed by our Firefox Add-ons team, on our Recommended Extensions page,” said a Firefox spokesperson. To protect the users, Mozilla has disabled “extensions that compromise their safety or privacy, or violate its policies, and continuously works to improve its malicious add-on detection tools and processes.”

How to stay safe?

To protect against these threats, Mozilla has advised users to Firefox users to take further steps, cautioning that such extensions are made by third parties. Users should check the extension rating and reviews, and be extra careful of extensions that need excessive permissions that are not compatible with what the extension claims to do. If any extension seems to be malicious, “users should report it for review,” a Firefox spokesperson said. 

Read more »
Technology
AI AI Prompt ChatGPT Gemini Google Internet Technology

Google Gemini Bug Exploits Summaries for Phishing Scams


False AI summaries leading to phishing attacks

Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.

Google Gemini for Workplace can be compromised to create email summaries that look real but contain harmful instructions or warnings that redirect users to phishing websites without using direct links or attachments. 

Similar attacks were reported in 2024 and afterwards; safeguards were pushed to stop misleading responses. However, the tactic remains a problem for security experts. 

Gemini for attack

A prompt-injection attack on the Gemini model was revealed via cybersecurity researcher Marco Figueoa, at 0din, Mozilla’s bug bounty program for GenAI tools. The tactic creates an email with a hidden directive for Gemini. The threat actor can hide malicious commands in the message body text at the end via CSS and HTML, which changes the font size to zero and color to white. 

According to Marco, who is GenAI Bug Bounty Programs Manager at Mozilla, “Because the injected text is rendered in white-on-white (or otherwise hidden), the victim never sees the instruction in the original message, only the fabricated 'security alert' in the AI-generated summary. Similar indirect prompt attacks on Gemini were first reported in 2024, and Google has already published mitigations, but the technique remains viable today.”

Gmail does not render the malicious instruction as there are no attachments or links present, and the message may reach the victim’s inbox. If the receiver opens the email and asks Gemini to make a summary of the received mail, the AI tool will parse the invisible directive and create the summary. Figueroa provides an example of Gemini following hidden prompts, accompanied by a security warning that the victim’s Gmail password and phone number may be compromised.

Impact

Supply-chain threats: CRM systems, automated ticketing emails, and newsletters can become injection vectors, changing one exploited SaaS account into hundreds of thousands of phishing beacons.

Cross-product surface: The same tactics applies to Gemini in Slides, Drive search, Docs and any workplace where the model is getting third-party content.

According to Marco, “Security teams must treat AI assistants as part of the attack surface and instrument them, sandbox them, and never assume their output is benign.”

Read more »
Windows
AI Android Apple Extortion Internet malware Ransomware Windows

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Cybersecurity experts are tracing Mamona, a new ransomware strain that is famous for its stripped-down build and silent local execution. Experts believe that the ransomware prevents the usual command-and-control (C2) servers, choosing instead a self-contained method that moves past tools relying on network traffic analysis.  

The malware is executed locally on a Windows system as a standalone binary file. The offline approach reveals a blind spot in traditional defenses, raising questions about how even the best antivirus and detection mechanisms will work when there is no network.

Self-deletion and escape techniques make detection difficult

Once executed, it starts a three-second delay via a modified ping command, ”cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q.” After this, it self-deletes. The self-deletion helps to eliminate forensic artifacts that make it difficult for experts to track or examine the malware after it has been executed. 

The malware uses 127.0.0.7 instead of the popular 127.0.0.1, which helps in evading detection measures. This tactic escapes simple detection tests and doesn’t leave digital traces that older file-based scanners might tag. The malware also drops a ransom note titled README.HAes.txt and renames impacted files with the .HAes extension. This means the encryption was successful. 

“We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Mamona ransomware,” said Wazuh in a blog post.

Spotting Mamona

Wazuh has alerted that the “plug-and-play” nature of the malware makes it easy for cybercriminals and helps in the commodization of ransomware. This change highlights an urgent need for robust inspections of what stands as the best ransomware protection when such attacks do not need remote control infrastructure. Wazu’s method to track Mamona involves combining Sysom for log capture and employing custom rules to flag particular behaviours like ransom note creation and ping-based delays.

According to TechRadar, “Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.”

Read more »
Windows
AI Android Bug Data Exploit Internet Technology Vulnerability Windows

CISA Lists Citrix Bleed 2 as Exploit, Gives One Day Deadline to Patch

CISA Lists Citrix Bleed 2 as Exploit, Gives One Day Deadline to Patch

CISA confirms bug exploit

The US Cybersecurity & Infrastructure Security Agency (CISA) confirms active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777 in Citrix NetScaler ADC and Gateway. It has given federal parties one day to patch the bugs. This unrealistic deadline for deploying the patches is the first since CISA issued the Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of attacks abusing the security gaps. 

About the critical vulnerability

CVE-2025-5777 is a critical memory safety bug (out-of-bounds memory read) that gives hackers unauthorized access to restricted memory parts. The flaw affects NetScaler devices that are configured as an AAA virtual server or a Gateway. Citrix patched the vulnerabilities via the June 17 updates. 

After that, expert Kevin Beaumont alerted about the flaw’s capability for exploitation if left unaddressed, terming the bug as ‘CitrixBleed 2’ because it shared similarities with the infamous CitrixBleed bug (CVE-2023-4966), which was widely abused in the wild by threat actors.

What is the CitrixBleed 2 exploit?

According to Bleeping Computer, “The first warning of CitrixBleed 2 being exploited came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept exploits (PoCs) for CVE-2025-5777, demonstrating how the flaw can be leveraged in attacks that steal user session tokens.”

The rise of exploits

During that time, experts could not spot the signs of active exploitation. Soon, the threat actors started to exploit the bug on a larger scale, and after the attack, they became active on hacker forums, “discussing, working, testing, and publicly sharing feedback on PoCs for the Citrix Bleed 2 vulnerability,” according to Bleeping Computers. 

Hackers showed interest in how to use the available exploits in attacks effectively. The hackers have become more active, and various exploits for the bug have been published.

Now that CISA has confirmed the widespread exploitation of CitrixBleed 2 in attacks, threat actors may have developed their exploits based on the recently released technical information. CISA has suggested to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Read more »
Technology
AI Cloud Data Google Internet Security Breach Technology

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

A security bug in a stealthy Android spyware operation, “Catwatchful,” has exposed full user databases affecting its 62,000 customers and also its app admin. The vulnerability was found by cybersecurity expert Eric Daigle reported about the spyware app’s full database of email IDs and plaintext passwords used by Catwatchful customers to access stolen data from the devices of their victims. 

Most of the victims were based in India, Argentina, Peru, Mexico, Colombia, Bolivia, and Ecuador. A few records date back to 2018. The leaked database also revealed the identity of the Catwatchful admin called Omar Soca Char.

The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay.

About Catwatchful

Catwatchful is a spyware that pretends to be a child monitoring app, claiming to be “invisible and can not be detected,” while it uploads the victim’s data to a dashboard accessible to the person who planted the app. The stolen data includes real-time location data, victims’ photos, and messages.  The app can also track live ambient audio from the device’s mic and access the phone camera (both front and rear).

Catwatchful and similar apps are banned on app stores, and depend on being downloaded and deployed by someone having physical access to a victim’s phone. These apps are famous as “stalkerware” or “spouseware” as they are capable of unauthorized and illegal non-consensual surveillance of romantic partners and spouses. 

Rise of spyware apps

The Catwatchful incident is the fifth and latest in this year’s growing list of stalkerware scams that have been breached, hacked, or had their data exposed. 

How was the spyware found?

Daigle has previously discovered stalkerware exploits. Catwatchful uses a custom-made API, which the planted app uses to communicate to send data back to Catwatchful servers. The stalkerware also uses Google Firebase to host and store stolen data. 

According to Techradar, the “data was stored on Google Firebase, sent via a custom API that was unauthenticated, resulting in open access to user and victim data. The report also confirms that, although hosting had initially been suspended by HostGator, it had been restored via another temporary domain."

Read more »
Windows
Apple Google Internet Microsoft Passkeys Passwords Technology Windows

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch passwords, use passkeys

Microsoft and Google users, in particular, have been warned about ditching passwords for passkeys. Passwords are easy to steal and can unlock your digital life. Microsoft has been at the forefront, confirming it will delete passwords for more than a billion users. Google, too, has warned that most of its users will have to add passkeys to their accounts. 

What are passkeys?

Instead of a username and password, passkeys use our device security to log into our account. This means that there is no password to hack and no two-factor authentication codes to bypass, making it phishing-resistant.

At the same time, the Okta team warned that it found threat actors exploiting v0, an advanced GenAI tool made by Vercelopens, to create phishing websites that mimic real sign-in webpages

Okta warns users to not use passwords

A video shows how this works, raising concerns about users still using passwords to sign into their accounts, even when backed by multi-factor authentication, and “especially if that 2FA is nothing better than SMS, which is now little better than nothing at all,” according to Forbes. 

According to Okta, “This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. The technology is being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.”

Why are passwords not safe?

It is shocking how easy a login webpage can be mimicked. Users should not be surprised that today’s cyber criminals are exploiting and weaponizing GenAI features to advance and streamline their phishing attacks. AI in the wrong hands can have massive repercussions for the cybersecurity industry.

According to Forbes, “Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.”

Users are advised to add passkeys to their accounts if available and stop using passwords when signing in to their accounts. Users should also ensure that if they use passwords, they should be long and unique, and not backed up by SMS 2-factor authentication. 

Read more »
Ransomware
AI Cyber Security Dark Web Extortion Internet Ransomware

Investigation Reveals Employee Secretly Helped in Extortion Payments

Investigation Reveals Employee Secretly Helped in Extortion Payments

Employee helped in ransomware operations

Federal agents are investigating allegations that a former employee of a Chicago-based firm, DigitalMint, which specializes in cryptocurrency payments and ransomware negotiations, may have profited by collaborating with hackers in extortion cases. Founded in 2014, DigitalMint operates under the name Red Leaf Chicago and is recognized for securing cryptocurrency payments for companies that face ransomware threats. 

About DigitalMint

DigitalMint has taken over 2,000 ransomware cases since 2017, offering services like direct negotiations with hackers and incident response. The clients range from small firms to Fortune 500 companies. 

DigitalMint President Marc Jason told partner firms that the US Department of Justice (DoJ) is investigating the allegations. The employee (identity unknown) was sacked soon after the scam was found. According to Bloomberg, Grens said, “As soon as we were able, we began communicating the facts to affected stakeholders.” 

About the investigation

DigitalMint is currently working with the DoJ, and it clarified that the company is not the target of investigation. Grens did not provide more details as the investigation is ongoing. The DoJ declined to offer any comments. 

The incident has led a few firms to warn clients against dealing with DigitalMint, concerned about the dangers involved in ransomware deals. Ransomware attacks can compromise systems, leak sensitive information, and encrypt data. The ransom demands sometimes go upto millions of dollars, worldwide, the extortion attacks cost billions of dollars every year.

Is ransomware negotiation worth it?

The controversy has also raised questions about conflicts of interest in the ransomware negotiation industry. According to James Talientoo, chief executive of the cyber intelligence services company AFTRDRK, “A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple.”

Security experts cautioned that paying ransom is a dangerous effort, even when done by expert ransom negotiation firms. A payment helps in furthering the operations of ransomware gangs, and sometimes it can also lead to further attacks.

Read more »
North Korea
AI Artificial Intelligence Cloud Cyber Crime Data Deepfakes Extortion Internet lazarus North Korea

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

Amid Federal Crackdown, Microsoft Warns Against Rising North Korean Jobs Scams

North Korean hackers are infiltrating high-profile US-based tech firms through scams. Recently, they have even advanced their tactics, according to the experts. In a recent investigation by Microsoft, the company has requested its peers to enforce stronger pre-employment verification measures and make policies to stop unauthorized IT management tools. 

Further investigation by the US government revealed that these actors were working to steal money for the North Korean government and use the funds to run its government operations and its weapons program.  

US imposes sanctions against North Korea

The US has imposed strict sanctions on North Korea, which restrict US companies from hiring North Korean nationals. It has led to threat actors making fake identities and using all kinds of tricks (such as VPNs) to obscure their real identities and locations. This is being done to avoid getting caught and get easily hired. 

Recently, the threat actors have started using spoof tactics such as voice-changing tools and AI-generated documents to appear credible. In one incident, the scammers somehow used an individual residing in New Jersey, who set up shell companies to fool victims into believing they were paying a legitimate local business. The same individual also helped overseas partners to get recruited. 

DoJ arrests accused

The clever campaign has now come to an end, as the US Department of Justice (DoJ) arrested and charged a US national called Zhenxing “Danny” Wanf with operating a “year-long” scam. The scheme earned over $5 million. The agency also arrested eight more people - six Chinese and two Taiwanese nationals. The arrested individuals are charged with money laundering, identity theft, hacking, sanctions violations, and conspiring to commit wire fraud.

In addition to getting paid in these jobs, which Microsoft says is a hefty payment, these individuals also get access to private organization data. They exploit this access by stealing sensitive information and blackmailing the company.

Lazarus group behind such scams

One of the largest and most infamous hacking gangs worldwide is the North Korean state-sponsored group, Lazarus. According to experts, the gang extorted billions of dollars from the Korean government through similar scams. The entire campaign is popular as “Operation DreamJob”. 

"To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers," said Microsoft.

Read more »
Subscribe to: Posts (Atom)