Search This Blog

Showing posts with label JavaScript. Show all posts

Recent Updates in Microsoft Teams Includes Decreased Latency

At its Ignite 2022 conference, Microsoft released a number of new Teams chat and meeting capabilities. The major news is that Microsoft intends to revamp Microsoft Teams to enhance the current channel experience.

When dealing with the Teams desktop client in some crucial situations, Microsoft has considerably decreased latency for Windows and Mac users.

The software is now more than 30% faster when navigating between chat and channel threads, according to Jeff Chen, a Microsoft Principal Group Program Manager for Microsoft Teams.

Chen claimed that the updated Teams framework, which now renders the HTML tree more quickly, runs JavaScript more effectively, and serializes arrays with greater efficiency, is the cause of these significant speed increases.

Microsoft also made improvements to messaging latency and page load speeds in June, including 63% faster message-composing box loads and an 11% improvement in scrolling across chat and channel lists.

In February, the business announced that Teams dramatically reduces the amount of power needed for meetings, utilizing up to 50% less power for energy-intensive scenarios in video meetings with more than 10 participants.

New Updates on Teams

Assign seats in Together mode

During virtual meetings, the Together mode enhances the sense that everyone is present in the same space. Meeting planners and presenters can now assign seats to attendees in Together mode thanks to the most recent innovation.

Shared content will open in a separate window

Users will soon have the option to pop out shared meeting content in a separate window, making it easier to see both shared content and meeting participants.

Live captioning in Teams Premium

With live translated captions for Microsoft Teams, meeting attendees may read captions in their native tongue thanks to AI-powered, real-time translations from 40 spoken languages.

Comprehensive call history

Having access to call recordings and transcriptions from call details along with this comprehensive call history provides the background to be productive and effective.

Adobe PDF expertise (collaboration with Microsoft)

To view and edit PDF files in Microsoft Teams, tenant admins can set Adobe Acrobat as the default application in the Teams admin center.

Since June 2020, Redmond has been striving to reduce the number of resources used by Teams, implementing changes gradually. Since the beginning of the COVID-19 epidemic and the shift to remote working, Microsoft Teams has had a significant influx of new members, surpassing 270 million monthly active users in January 2021.








Malicious Actors Are Exploiting ‘App Mode’ in Chromium Browsers for Phishing Attacks

 

Thanks to a new phishing technique, malicious actors could siphon private details by merely impersonating legit login forms in Application Mode. 

The Application Mode feature can be accessed in all Chromium-based browsers, which includes Google Chrome, Microsoft Edge, and Brave. 

According to mr.d0x, a security researcher who has also unearthed the Browser-in-the-Browser (BitB) attack and Microsoft WebView2 phishing methods previously, desktop applications are normally harder to spoof, hence, victims don’t pay much attention to as compared to browser windows that are more widely exploited for phishing. 

Chrome's application mode is created to provide native-like experiences in a manner that causes the website to be launched in a separate browser window, while also showing the website's favicon and concealing the address bar. 

Additionally, the hacker-controlled malicious site can employ JavaScript to perform multiple operations, such as immediately closing the window when the victim inputs the credentials or resizing and positioning it to gain the desired result. 

It's worth noting that the methodology works on other operating systems as well, including macOS and Linux, making it a possible cross-platform threat. However, the effectiveness of the assault depends on the hacker gaining control over the computer before following up with this phishing technique, be it via malware or through directing the victim to enable it and run a Windows shortcut with the malicious URL. 

Meanwhile, Google is discontinuing support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies, and the feature is likely to be completely phased out in Chrome 109 or later on Windows, macOS, and Linux. 

"The --app feature was deprecated before this research was published, and we are taking its potential for abuse into account as we consider its future. Users should be aware that running any file provided by an attacker is dangerous. Google's Safe Browsing helps protect against unsafe files and websites,” Google stated.

“While Safe Browsing is enabled by default in Chrome, users may want to enable Enhanced protection, which inspects the safety of your downloads to better warn you when a file may be dangerous. Enhanced protection can be found in Chrome Settings > Privacy and security > Security.We encourage the security research community to continue to report issues and vulnerabilities through our vulnerability rewards program: g.co/chrome/vrp."

 Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their expertise and innate trust in DDoS protection pages.

DDoS protection alerts are web pages that users' browsers deliver when checks are made to ensure that the visitor is actually a human and not a bot or a DDoS assault participant.

Tactics of the scam 

These warnings would appear to be an inconvenience, but their sole purpose was to serve as preliminary checks before the user accessed the intended web page. They are also important to ensure malicious traffic is blocked before it reaches its objectives.

The attacks start with a malicious JavaScript injection intended to target WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up, according to Sucuri's experts.

When the user clicks on the bogus popup, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. In addition, the victim is told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been related to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that pretends to be executable and executes PowerShell from another text file.

NetSupport RAT, which was at first a genuine program called NetSupport Manager, gives hackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even entangle the system in a botnet.

As website owners struggle to distinguish genuine visitors from the voluminous bot traffic, these have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening odd files, update their operating system and applications frequently and consider installing a script-blocking browser extension.




NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign

 

Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain assault after spotting a burst of suspicious NPM users and packages designed automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages impersonated a near-identical source code from an already existing package named eazyminer that's employed to mine Monero by means of utilizing unused resources of systems such as ci/cd and web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security research uncovered another NPM-related large-scale software supply chain attack dubbed IconBurst designed to siphon sensitive data from forms embedded in downstream mobile applications and websites. 

Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Newly Detected Magecart Infrastructure Discloses the Scale of Ongoing Campaign

 

A recently discovered Magecart skimming campaign has its origins in an earlier attack activity dating back to November 2021. 

To that end, Malwarebytes revealed in a Tuesday investigation that two malware domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a larger infrastructure used to carry out the attacks. 

Jérôme Segura stated, "We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." 

Based on the other domains discovered, the earliest indication of campaign activity has been around since May 2020. Magecart is a cybercrime syndicate made up of dozens of subgroups that specialise in hacks involving digital credit card fraud through the injection of JavaScript code into e-commerce shops, often on checkout pages. 

Operatives obtain access to websites either directly or through third-party firms that provide software to the targeted websites. While the attacks first received attention in 2015 for targeting the Magento e-commerce platform (the term Magecart is a combination of "Magento" and "shopping cart"), they have now spread to other platforms, including a WordPress plugin called WooCommerce. 

According to a Sucuri study published in April 2022, WordPress has surpassed Magento as the leading CMS platform for credit card skimming malware, exceeding Magento as of July 2021, with skimmers hidden in websites as false photos and seemingly harmless JavaScript theme files. 

Furthermore, during the first five months of 2022, WordPress websites accounted for 61 per cent of known credit card skimmer malware detections, followed by Magento (15.6 per cent), OpenCart (5.5 per cent), and others (17.7 per cent). 

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin stated at the time.

"NakedPages" Phishing Toolkit Advertised for Sale on Cybercrime and Telegram Platforms

 

CloudSEK researchers have unearthed a brand new sophisticated phishing toolkit dubbed "NakedPages” which is advertised for sale on multiple cybercrime platforms and Telegram channels. 

The toolkit, which was designed using NodeJS Framework operates JavaScript code and is fully automated having more than 50 phishing templates and site projects. 

“Naked Pages is the phishing tool any serious developer//spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined,” reads an advertisement on a cybercrime forum.

Additionally, the advertisement mentions that there is a possibility of providing software licenses if the buyer pays $1000 upfront and contributes by sharing new thoughts for the open-source project on GitHub. The buyers can contact the hacker via a Google Forms page. 

According to CloudSEK researchers, the toolkit is manufactured to work on Linux and requests for read, write and execute permissions from the ‘user’ and also asks for learning and execute permissions from both ‘group’ and ‘others’ in order to function smoothly. 

Moreover, the toolkit is laced with fully-integrated and battle-based anti-bot features, capable of sporting security bugs of different types from over 120 nations.

“[NakedPages] would equip malicious actors with the details required to launch sophisticated ransomware attacks,” researchers explained.

CloudSEK has not identified the author behind the new phishing toolkit but believes there is a new player on GitHub and the cybercrime platform, with both accounts being less than a month old. “There have been no concrete samples shared by the threat actor. Repeated attempts for establishing contact were made by our source, but the threat actor hasn’t responded,” CloudSEK stated. 

The researchers also issued an advisory to the users who may be impacted by NakedPages to monitor for anomalies in accounts and systems that could be indicators of possible account breaches and execute multi-factor authentication (MFA) practices across all accounts. 

Last month, the Resecurity Hunter unit detected a new phishing campaign, dubbed Frappo, disseminated aggressively on the dark web and via Telegram channels. The phishing campaign allowed scammers to host and design high-quality phishing websites that mimicked popular online banking, e-commerce, and retail services in order to exfiltrate private data from their target customers. 

The phishing pages impersonated 20 financial institutions (FIs), online retailers, and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.

Experts Find Malware Controlling Thousands of Websites in Parrot TDS Network

The Parrot traffic direction system (TDS) that surfaced recently had a huge impact than what was thought earlier, research suggests. The malware affected more than 61,000 websites and was one of the top infections. Parrot TDS was first identified in April 2022 by cybersecurity company Avast, the PHP script had affected web servers that hosted more than 16,500 websites, acting as a gateway for future malware campaigns. It includes appending a part of infected code to all JavaScript files on affected web servers that host content management systems (CMS) like WordPress, these are attacked because of their weak login credentials and flawed plugins. 

"In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware," reports The Hacker News. Alongside the use of sneaky techniques to hide the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," said Denis Sinegubko, expert at Sucuri says. 

The aim of the JavaScript code is to jump-start the second phase of the attack, to deploy a PHP script that has been already injected on the server and is built to obtain information about website visitor, (for ex- IPs, browser, referrer, etc.) and send the details to a remote server. The third phase of the attack surfaces as a Javascript code, it works as a traffic direction system to find out the specific payload to send for a particular user based on the data which was shared in the second stage. 

When the TDS has confirmed the eligibility of a particular site visitor, the NDSX script deploys the final payload through a third-party website. The mostly used third-stage malware is a JavaScript downloader called FakeUpdates. 

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities. Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed," said Sinegubko.

German Firms Targeted by Malicious NPM Packages

 

JFrog researchers have uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults. 

"Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers said in a new report. 

According to the DevOps company, the evidence discovered suggests it is either the work of a sophisticated hacker or a "very aggressive" penetration test. Four maintainers— bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm— have been associated with all the rogue packages; most of the packages have been taken down from the repository.

The finding points out that the hackers are trying to copy legitimate firms like Bertelsmann, Bosch, Stihl, and DB Schenker. Some of the package names are distinct, which makes it likely that the adversary managed to trace the libraries hosted in the companies’ internal repositories to launch a dependency confusion attack. 

The findings are based on a report from Snyk late last month that detailed one of the malicious packages, "gxm-reference-web-auth-server," noting that the malware is targeting an unknown firm that has the same package in their private registry.

"The attacker(s) likely had information about the existence of such a package in the company's private registry," the Snyk security research team said. According to researchers at Reversing Labs, who independently examined the hacks, the rogue modules uploaded to NPM featured elevated version numbers than their private counterparts to force the modules onto target environments.

"The targeted private packages for the transportation and logistics firm had versions 0.5.69 and 4.0.48, while the malicious, public versions were identically named, but used versions 0.5.70 and 4.0.49," the cybersecurity firm explained. 

Calling the implant an "in-house development," JFrog pointed out that the malware contains two components, a dropper that sends information about the infected machine to a remote telemetry server before decrypting and executing a JavaScript backdoor. The backdoor, while lacking a persistence mechanism, is designed to receive and execute commands sent from a hard-coded command-and-control server, evaluate arbitrary JavaScript code, and upload files back to the server. 

Earlier this week, a German penetration testing company named Code White has owned up to uploading the malicious packages in question, adding it was an attempt to "mimic realistic threat actors for dedicated clients."

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

Log4Shell Utilized for Crypto Mining and Botnet Creation

 

The serious problem in Apache's widely used Log4j project, known as Log4Shell, hasn't caused the calamity predicted, but it is still being exploited, primarily from cloud servers in the United States. Because it was reasonably straightforward to exploit and since the Java application logging library is implemented in many different services, the Log4Shell vulnerability was brought to attention as it raised concerns for being potentially abused by attackers. 

According to a Barracuda study, the targeting of Log4Shell has fluctuated over the last few months, but the frequency of exploitation attempts has remained pretty stable. Barracuda discovered the majority of exploitation attempts originated in the United States, followed by Japan, Central Europe, and Russia. 

Researchers discovered the Log4j version 2.14.1 in December 2021. Reportedly, all prior versions were vulnerable to CVE-2021-44228, also known as "Log4Shell," a significant zero-day remote code execution bug.

Log4j's creator, Apache, attempted to fix the problem by releasing version 2.15.0. However, the vulnerabilities and security flaws prolonged the patching race until the end of every year, when version 2.17.1 ultimately fixed all issues. 

Mirai malware infiltrates a botnet of remotely managed bots by targeting publicly outed network cameras, routers, and other devices. The threat actor can then use this botnet to launch DDoS assaults on a single target, exhausting its resources and disrupting any online services. The malicious actors behind these operations either rent vast botnet firepower to others or undertake DDoS attacks to extort money from businesses. Other payloads which have been discovered as a result of current Log4j exploitation include: 

  • Malware is known as BillGates (DDoS)
  • Kinsing is a term used to describe the act of (cryptominer) 
  • XMRig XMRig XMRig X (cryptominer) 
  • Muhstik Muhstik Muhstik (DDoS) 

The payloads range from harmless online jokes to crypto-mining software, which utilizes another person's computers to solve equations and earn the attacker cryptocurrency like Monero. 

The simplest method to protect oneself from these attacks is to update Log4j to version 2.17.1 or later, and to maintain all of the web apps up to date. Even if the bulk of threat actors lose interest, some will continue to target insecure Log4j deployments since the numbers are still significant. 

Security updates have been applied to valuable firms which were lucrative targets for ransomware assaults, but neglected systems running earlier versions are good targets for crypto mining and DDoS attacks.

Web Skimmer Code was Injected Into 100 Real Estate Websites

 

An unknown cloud video platform was used to inject web skimmer code into over 100 real estate websites owned by the same parent company. Skimmer attacks, which are becoming more common, entail the use of malicious JavaScript code to steal data provided by users on the targeted website. According to Palo Alto Networks, as part of this current attack, skimmer code was injected into a video such that it was automatically integrated into websites that imported the video. 

Palo Alto Networks, Inc. is a multinational cybersecurity company based in Santa Clara, California. Its key products are a platform with powerful firewalls and cloud-based services that expand those firewalls to encompass other elements of security. Over 70,000 enterprises in over 150 countries, including 85 of the Fortune 100, rely on the company's services.

Because the misused cloud video platform allows users to add their own JavaScript customizations to players by uploading a JavaScript file that is incorporated in the player, the attack was conceivable. Taking advantage of this feature, the threat actors offered a script that could be modified upstream, allowing them to add harmful content after the player was created. 

To gain a better grasp of the code, researchers divided it into four sections. Part one's code is used to decode the string array – u, and the decryption function is 1. Researchers obtained a plain text array after decryption. Part two defines three functions: function c replaces a string with a regex pattern, function d checks whether a string matches a credit card pattern. It was discovered by researchers using four regex patterns. And function f is used to check credit card numbers using the Luhn algorithm. 

Part three consists of anti-debug code. It just checks to see if the variables window.Firebug, window.Firebug.chrome, and window.Firebug.chrome.isInitialized exist. In addition, it sends a devtoolschange message to see if the Chrome console is open. After decryption, the code samples become quite evident in part four. 

“We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” Palo Alto Networks notes. The JavaScript code was designed to identify credit card patterns, verify credit card numbers, collect card data, and transfer it to the attackers. It was highly obfuscated to mask its nefarious purpose.

Microsoft Issued a Warning About a Rise in HTML Smuggling Phishing Attacks

 

Malware campaigns that use HTML smuggling to transmit banking malware and remote access trojans (RAT) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly being employed by threat actors to avoid detection, such as the Nobelium hacking organization behind the SolarWinds attacks. 

HTML smuggling is a nasty method that gets through traditional network perimeter security measures like web proxies and email gateways because the malware is created within the network after an employee opens a web page or attachment that contains a malicious HTML script. As a result, even if gateway devices check for suspicious EXE, ZIP, or Office documents, a company's network can be compromised. 

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns. 

HTML smuggling is a phishing method that uses HTML5 and JavaScript to encrypt strings in an HTML attachment or webpage to hide harmful payloads. When a user opens an attachment or clicks a link, the browser decodes these strings. A phishing HTML attachment, for example, could include a harmless link to a well-known website, making it appear non-malicious. When a user clicks on the link, however, JavaScript decodes an encrypted or encoded string in the link and converts it into a harmful attachment that is downloaded instead. 

Because the malicious payload is encoded at first, security software does not recognize it as harmful. Furthermore, because JavaScript assembles the payload on the target machine, it gets around any firewalls and security measures that would normally stop the malicious file from getting past the perimeter. 

"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.

$100 Million Pledged by Google to Groups that Manage Open-Source Projects

 

Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support persons working on open-source project security. Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed it. When problems are discovered, the Linux Foundation coordinates fixes. 

The foundation and its colleagues will use the Open Source Technology Improvement Fund's (OSTIF) security assessments to hunt for previously discovered problems. Two Linux kernel security audits are among these initiatives. 

The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews. 

"Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem," said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem. 

Along with five other Java-related projects, these eight projects include Git, a prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework. Git, the "de facto" version control software established by Linux kernel founder Linus Torvalds and which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring. 

Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework, are among the projects with funding pending support. 

Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.

Spook.js: Chrome is Threatened by a New Spectre Like Attack

 

A newly found side-channel attack targeting Google Chrome might allow an attacker to use a Spectre-style attack to bypass the web browser's security protections and extract sensitive information. Spook.js is a novel transient execution side-channel attack that specifically targets Chrome. Despite Google's efforts to minimize Spectre by installing Strict Site Isolation, malicious JavaScript code can still extract information in some instances. 

An attacker-controlled webpage can learn which other pages from the same website a user is presently viewing, collect sensitive information from these pages, and even recover auto-filled login credentials (e.g., username and password). If a user downloads a malicious extension, the attacker may obtain data from Chrome extensions (such as credential managers). 

Spectre, which made news across the world in 2018, makes use of vulnerabilities in contemporary CPU optimization features to get around security measures that prohibit separate programmes from accessing one other's memory space. This enabled attackers to steal sensitive information across several websites by attacking how different applications and processes interact with processors and on-chip memory, allowing a wide range of attacks against different types of applications, including web apps. 

Strict Site Isolation was implemented by Google Chrome, which prohibits several web pages from sharing the same process. It also divided each process's address space into separate 32-bit sandboxes (despite being a 64-bit application). 

Site Isolation is a Chrome security feature that provides extra protection against some sorts of security vulnerabilities. It makes it more difficult for websites that aren't trustworthy to get access to or steal information from your accounts on other websites.

Despite these safeguards, Spook.js, according to researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, "shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks." 

“More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains,” they said. "Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type."

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the study recommended. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."

This NPM Package with Millions of Weekly Downloads Patched a RCE Flaw

 

A critical remote code execution (RCE) flaw has been fixed in the popular NPM package "pac-resolver." 

Developer Tim Perry discovered the vulnerability in the pac-resolver dependency, which could have enabled an attacker on a local network to launch malicious code within a Node.js process whenever an operator tried to submit an HTTP request. Node.js is the prominent JavaScript runtime for running web applications written in JavaScript. 

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js," explains Perry. 

According to Perry, PAC, or "Proxy-Auto Config," refers to PAC files written in JavaScript that disseminate sophisticated proxy rules that direct an HTTP client which proxy to use for a particular hostname. They're delivered insecurely through HTTP rather than HTTPs from local network servers and distant servers. 

Proxy-Agent is utilised in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK, and Google's Firebase CLI, thus it's a widespread issue. 

As stated by Perry, the package receives three million downloads each week and has 285,000 public dependent repos on GitHub. 

The vulnerability was recently addressed in all of those packages' v5.0.0 versions and was assigned the CVE-2021-23406 designation when it was identified last week. As a result, it implies that many Node.js developers will have to update to version 5.0.

Anyone that use pac-resolver versions prior to 5.0.0 is significantly impacted by the issue, and also if developers have used any of the following three settings: 
  • Explicitly use PAC files for proxy configuration 
  • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled 
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn't 100% trust to freely run code on your computer.
Perry added, "In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration."

FIN7 Hackers Using 'Windows 11 Alpha' Themed Malicious Documents to Drop JavaScript Backdoor



In a recent wave of the spear-phishing campaign, the FIN7 cybercrime group employed Windows 11 Alpha-themed weaponized word documents to deliver a JavaScript payload with a JavaScript backdoor. 

'Phishing Email Campaign' is the initial attack vector, posing as 'Windows 11 Alpha', it contains an infected Microsoft Word document (.doc). The virus is accompanied by this image which convinces a user to click on 'Enable Editing' and further advance towards the installation process. Once the user enables the content, the VBA macro that is contained in the image begins to come into effect. 

VBA macro is populated with junk data such as comments, it is a common strategy employed by criminals to impede analysis. Once the junk data is being pulled out, all we would be left with is a 'VBA macro'. Upon further analyzing the JavaScript, researchers learned that it contained obfuscated strings along with a deobfuscation function. 

Researchers have found that the threat actors behind the malicious campaign – upon detecting languages of certain countries including Russia, Slovenia, Serbia, Estonia, and Ukraine – call into action the 'me2XKr' function to delete all the tables and then stops running. They do so in order to prevent execution in the aforementioned countries. 

Primarily targeting the U.S.-based telecommunications, education, retail, finance, and hospitality sectors via meticulously crafted attacks, FIN7 has managed to stay ahead of law enforcement by employing novel and advanced techniques to thwart detection from time and again. The threat group, also identified by some as "Carbanak Group", has increasingly diversified its monetization tactics which allowed the gang to widen the impact of their compromise. As a result, the group acquired a competitive advantage and has targeted a wide range of industries. Although FIN7 is characterized by its mass payment card data theft, the ambitions of the threat group are not limited to the theft of payment card data. In scenarios where end-to-end encryption (E2EE) prevented the attackers to obtain card data, they turned to attack the finance departments of the targeted organizations. 

In an analysis dated 02 September 2021, Anomali Threat Research said, "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi." "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."

Critical Flaws in NPM Package Patched by Node.js Developers

 

Node.js maintainers have launched a major update to the npm package "tar" (aka node-tar) that resolves five critical safety flaws, including some that possess a remote code execution threat. 

The npm package was vulnerable to arbitrary File Creation/Overwrite vulnerability due to insufficient relative path sanitization. The npm package presents itself as a module that accepts JavaScript proxy configuration files and creates a function for the user’s app to locate certain domains. 

The first three flaws tracked as CVE-2021-37712, CVE-2021-37701, and CVE-2021-37701 fall into the high-risk category while the other two flaws were categorized as being of moderate risk. 

“Path integrity controls built into the technology came unstuck when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems”, as explained in a National Vulnerability Database (NVD).

“The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite,” it added. 

These five security flaws seriously impact those who use npm package versions prior to 5.0.0, even transitively in their Node.js application, and: 

• Explicitly use PAC files for proxy configuration or 
• Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source 

“If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the file system, but _not_ from the internal directory cache, as it would not be treated as a cache hit,” researchers explained. 

Node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. The CVE-2021-37712 vulnerability violates this control, thus creating a risk from malformed tar archives similar to the CVE-2021-37701 vulnerability.

Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug

 

Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP2 streams are handled in the language. 

Node.js is a back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside of a browser. Node.js allows developers to utilise JavaScript to create command-line tools and server-side scripting, which involves running scripts on the server before sending the page to the user's browser. This week, Node.js released patches for CVE-2021-22930, a high-severity use-after-free vulnerability. 

When a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource, it is called a use-after-free vulnerability. In some situations, this might result in data corruption, unexpected behaviours including programme crashes, or even remote code execution (RCE). The changes were included in the most recent Node.js release 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4. (LTS). This flaw was discovered by Eran Levin, who is credited with reporting it. 

"We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned," announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius. 

When Node.js read incoming RST_STREAM frames with no error code or cancel code, the vulnerability was exploited. In HTTP/2 applications, the RST_STREAM frame is issued by the host when it wants to close a connection. In a client-server architecture, for example, a client programme would send a RST_STREAM frame to the server to terminate the connection. When the server receives the frame, it will stop replying to the client and terminate the connection. The server might then discard any "DATA" frames it was about to send to the client.

When a RST_STREAM frame was received by the server with a "cancel" code (nghttp2_cancel) in vulnerable Node.js versions, the receiver would try to "force purge" any data received. After that, an automatic call-back would perform the "close" function a second time, aiming to free up the memory that had already been freed in the previous phase. 

And, as a result of the double-free error, the application might crash or behave erratically. On June 8th, 2021, Matthew Douglass posted a public thread about this issue, which was previously considered of as a "bug" rather than an exploitable vulnerability.

Researchers Found Three New Malware Strains in a Phishing Campaign

 

A global phishing program used never-before-seen malware strains distributed by specially-tailored lures to attack global organizations across a broad range of industries. According to a Mandiant report released today, the attacks targeted at least 50 organizations from a diverse range of sectors in two waves, on December 2nd and between December 11th and 18th. 

UNC2529 is the name of the threat actors behind the malware, who are identified as "experienced and well-resourced." Organizations in the United States, the EMEA zone, Asia, and Australia have been attacked in two waves so far. 

Threat actors would also pose as account executives touting services suitable for various industries, such as security, medication, transportation, the military, and electronics, in phishing messages sent to prospective victims. 

The global phishing scheme was controlled by over 50 domains in total. UNC2529 hacked a domain owned by a US heating and cooling services company, tampered with its DNS data, and used this structure to conduct phishing attacks against at least 22 entities in one successful attack. The lure emails included links to URLs that led to malicious.PDF payloads and a JavaScript file stored in a.zip folder. The records, which were obtained from public databases, were compromised to the point that they were unreadable, prompting victims to double-click the.js file in an effort to read the content. 

"The threat actor made extensive use of obfuscation and file-less malware to complicate detection to deliver a well-coded and extensible backdoor," Mandiant said. 

The threat group used phishing emails with links to a JavaScript-based downloader (labeled DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (labeled DOUBLEDROP) from attackers' command-and-control (C2) servers during the two waves of attacks. The DOUBLEDROP dropper includes 32-bit and 64-bit versions of the DOUBLEBACK backdoor, which is implemented as a PE dynamic library. 

"The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them," Mandiant notes. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."