Safeguarding Android Users From Zero-Day Attacks

The term "zero-day" refers to a newly found security flaw that attackers can exploit to attack systems. The name reflects the fact that the vendor or developer has only just learned of the flaw, leaving them "zero days" to repair it. A zero-day attack is one in which such an exploit is used to damage, or steal data from, a system that carries the vulnerability.

Google's Threat Analysis Group (TAG) is always on the lookout for zero-day exploits. In 2021, it revealed nine zero-day exploits affecting Chrome, Android, Apple, and Microsoft products, resulting in updates to safeguard users. Google believes that these exploits were packaged by a single commercial surveillance firm called Cytrox.

Cytrox is a North Macedonian firm with offices in Israel and Hungary that was exposed in late 2021 as the creator and maintainer of the spyware "Predator". 

According to new Google research, Cytrox sells new exploits to government-backed actors, who then deploy them; TAG observed three separate attack campaigns. Government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are among those who purchased Cytrox's services.

The attackers exploit the window between the point at which some significant bugs were patched upstream without being flagged as security issues and the point at which those fixes had fully propagated across the Android ecosystem, using 0-day exploits alongside n-day exploits.

These findings highlight the extent to which commercial surveillance vendors have proliferated capabilities that were previously solely available to governments with the technical know-how to build and deploy exploits. TAG is actively tracking more than 30 vendors providing exploits or surveillance capabilities to government-backed entities, with different levels of sophistication and public exposure.

In all three campaigns, targeted Android users were emailed one-time URLs that mimicked URL-shortener services. The campaigns were small: researchers estimate that the number of users targeted in each case was in the tens of thousands. When the link was clicked, the target was sent to an attacker-controlled domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was no longer active, the user was forwarded straight to the legitimate website. The campaigns are believed to deliver ALIEN, a simple Android malware capable of loading PREDATOR, an Android implant first reported by Citizen Lab in December 2021.

  • Campaign 1 – Chrome redirection to SBrowser (CVE-2021-38000): In August 2021, the first campaign was discovered using Chrome on a Samsung Galaxy S21; the web server immediately responded with an HTTP 302 redirect to a second URL. That URL took advantage of a logic issue in Chrome to force the Samsung Browser to load another URL without user interaction or warnings. 
  • Campaign 2 – Chrome sandbox escape: In September 2021, TAG discovered a campaign in which the exploit chain was sent to a fully updated Samsung Galaxy S10 running Chrome. The exploit used to escape the Chrome sandbox was retrieved, but not the initial RCE exploit. The sandbox escape was loaded directly as an ELF binary with libchrome embedded, and the libmojo bridge was also custom-built. The exploit chained two separate Chrome vulnerabilities: 
  1. CVE-2021-37973: a use-after-free vulnerability in the handling of the Portals API and fenced subframes. 
  2. CVE-2021-37976: an information leak in memory_instrumentation.mojom.Coordinator that allows privileged processes to obtain Global Memory Dumps. These dumps contain sensitive data (addresses) that can be used to bypass ASLR. After escaping the sandbox, the chain downloaded a further exploit to escalate privileges and install the implant at /data/data/com.android.chrome/p.so. 
  • Campaign 3 – Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048): In October 2021, a full exploit chain was delivered to an up-to-date Samsung phone running the newest version of Chrome. The chain included two zero-day exploits. The first, CVE-2021-38003, is a 0-day in the JSON renderer that leaks the internal "TheHole" value, allowing the attacker to fully exploit the renderer. The sandbox escape relied on a Linux kernel bug in the epoll() system call; through this system call the attacker can escape the BPF sandbox and compromise the system by injecting code into privileged processes. 
Google has not been able to obtain a copy of the initial exploit and will continue to keep the community informed as it learns more about these campaigns. Combating these issues will require a robust, comprehensive approach involving collaboration between threat intelligence teams, network defenders, academic researchers, and technology platforms.

Emotet is Evolving with Different Delivery Methods

Emotet is a well-known botnet and trojan that distributes follow-on malware on Windows platforms. After a 10-month pause following a coordinated law enforcement operation that took down its attack infrastructure, Emotet, the work of a cybercrime group known as TA542 (also known as Mummy Spider or Gold Crestwood), made its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are testing new approaches on a small scale before deploying them more broadly. The current wave of attacks is said to have occurred between April 4 and April 19, 2022, a period during which the large-scale Emotet campaigns were paused. 

Researchers from Proofpoint identified several distinguishing characteristics of the campaign, including the use of OneDrive URLs rather than Emotet's traditional reliance on Microsoft Office attachments or URLs linking to Office files. Instead of Emotet's usual Microsoft Excel or Word documents carrying VBA or XL4 macros, the campaign used XLL files, a type of dynamic link library (DLL) designed to extend the functionality of Excel.

Alternatively, these additional TTPs could mean that TA542 is now conducting more targeted, limited-scale attacks alongside its traditional mass-scale email operations. The absence of macro-enabled Microsoft Excel or Word attachments is a notable departure from prior Emotet attacks, suggesting that the threat actor is abandoning the tactic in anticipation of Microsoft's plan to disable VBA macros by default beginning April 2022. 

The development came after the malware's authors fixed a bug last week that had prevented potential victims from being compromised when they opened weaponized email attachments.

Telegram Abused By Raccoon Stealer

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

According to the reports, Buer Loader and GCleaner have been used to distribute Raccoon. Based on some samples, experts suspect it is also being distributed disguised as fake game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications. 

Since Raccoon Stealer is for sale, the only limit on its distribution methods is the imagination of its buyers. Some samples are spread unpacked, while others are protected by malware packers such as Themida. It is worth noting that certain samples were packed by the same packer five times in a row.

The newest version of Raccoon Stealer communicates with its C2 through Telegram. According to the post, four "crucial" parameters for its C2 communication are hardcoded in every Raccoon Stealer sample:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

Before turning Telegram into its C2 channel, the malware decrypts MAIN KEY, which it then uses to decrypt the Telegram gate URLs and BotID. According to Martyanov, the stealer then uses the Telegram gate to reach its real C2 through a series of requests, which ultimately lets the operators store and change the actual C2 addresses on Telegram's infrastructure. 

The stealer can also deliver further malware by downloading and executing arbitrary files in response to a command from the C2. According to Avast Threat Labs, Raccoon Stealer has distributed roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware.

277,000 Routers Vulnerable to 'Eternal Silence' Assaults via UPnP

A malicious campaign dubbed 'Eternal Silence' is exploiting Universal Plug and Play (UPnP) to turn routers into proxy servers that are used to launch attacks while concealing the threat actors' location. 

UPnP is a connection protocol that enables additional devices on a network to establish port forwarding rules on a router automatically and is optionally available in most modern routers. This allows remote devices to use a certain software function or device as needed, with minimal user configuration. 

However, it is another technology that trades security for convenience, particularly when the UPnP implementation is subject to attacks that let remote attackers add UPnP port-forwarding entries over a device's exposed WAN connection. 

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections try to expose TCP ports 139 and 445 on devices connected to the targeted router, which totals around 1,700,000 machines that use SMB services. 

Although Akamai is unaware of the campaign's success rate, it did notice a methodical approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to inject port forwards.  

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report. 

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack because it defeats network segmentation and gives the victim no indication of what is happening. 

The best way to find out whether devices have been compromised is to scan all endpoints and audit the router's NAT table entries. There are several ways to do this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. 

If a device is found to be infected with Eternal Silence, disabling UPnP won't remove the existing NAT injections; the device will have to be reset or re-flashed instead. 

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.
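As an added example (not Akamai's script), a small Python audit of a router's UPnP port-mapping table: it parses GetGenericPortMappingEntry responses and flags entries that expose SMB ports on LAN hosts, forward to hosts outside the LAN, or carry the 'galleta silenciosa' description. The IGD control URL and the LAN range are assumptions, and the sample responses are constructed.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {"139", "445"}
MARKER = "galleta silenciosa"  # description the report ties to the injected rules

def parse_mapping(soap_xml):
    """Pull the New* fields out of one GetGenericPortMappingEntry(Response)."""
    return {el.tag.split("}")[-1]: (el.text or "").strip()
            for el in ET.fromstring(soap_xml).iter() if el.tag.split("}")[-1].startswith("New")}

def suspicious(m, lan):
    """Reasons a mapping looks like an Eternal Silence / UPnProxy injection."""
    reasons, client = [], m.get("NewInternalClient", "")
    try:
        if ipaddress.ip_address(client) not in lan:
            reasons.append(f"forwards to non-LAN host {client}")  # generic UPnProxy rule
    except ValueError:
        reasons.append(f"unparsable internal client {client!r}")
    if m.get("NewInternalPort") in SMB_PORTS:  # EternalBlue/EternalRed target ports
        reasons.append("exposes SMB port " + m["NewInternalPort"])
    if MARKER in m.get("NewPortMappingDescription", "").lower():
        reasons.append("Eternal Silence description marker")
    return reasons

def fetch_mapping(control_url, index):
    """Live query for mapping `index`; control_url is the router's IGD control endpoint (assumed)."""
    body = (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            f'</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    req = urllib.request.Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    with urllib.request.urlopen(req, timeout=5) as resp:  # routers answer HTTP 500 once the index runs past the table
        return parse_mapping(resp.read().decode())

def audit(responses, lan_cidr="192.168.1.0/24"):
    """Audit collected SOAP responses; returns (ext_port, client, int_port, reasons) per suspicious entry."""
    lan = ipaddress.ip_network(lan_cidr)
    out = []
    for m in map(parse_mapping, responses):
        reasons = suspicious(m, lan)
        if reasons:
            out.append((m.get("NewExternalPort"), m.get("NewInternalClient"), m.get("NewInternalPort"), reasons))
    return out

def _resp(ext, client, port, desc):  # builds a constructed response for the offline demo
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>'
            f'<NewInternalPort>{port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed samples: a benign console forward, an injected SMB exposure, and an external-host proxy rule.
SAMPLE = [_resp(3074, "192.168.1.20", 3074, "Xbox Live"),
          _resp(47945, "192.168.1.15", 445, "galleta silenciosa"),
          _resp(8080, "203.0.113.7", 80, "node:nat:upnp")]
```

On a live router, call fetch_mapping with increasing indexes until it raises, collect the responses, and pass them to audit with your own LAN range.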

Threat Actors are Abusing Glitch Platforms

Phishing actors have turned their attention to the Glitch platform. Cybercriminals are aggressively abusing the service to host free phishing sites that steal passwords. Employees of large corporations and of firms that do business with the Middle East are among those targeted. 

According to a report on the issue published by DomainTools researchers, the phishing campaign began in July 2021 and is still ongoing. 

The threat actors work in the following manner:

• They send e-mail messages with PDF attachments that contain no harmful code, so as not to trigger antivirus alarms; 
• Instead, each PDF contains a link that directs to a malicious website hosted on the Glitch platform; 
• Researchers found a total of 70 PDFs of this kind. 
• What set these PDFs apart was the unique URL and the e-mail address correlated with each of them. All these links lead to different "red.htm" pages hosted by Glitch. 
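As an added example (not DomainTools' tooling), a small Python check that pulls the link targets out of an uncompressed PDF attachment and flags those that point at Glitch-hosted pages or at a red.htm landing page. The glitch.me and glitch.com host names are an assumption about where Glitch serves projects, and the PDF fragment is constructed.

```python
import re
from urllib.parse import urlparse

# /URI (...) entries of link annotations; the group tolerates backslash escapes inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
GLITCH_HOSTS = ("glitch.me", "glitch.com")  # assumption: domains Glitch serves projects from
LANDING_PAGE = "red.htm"                    # page name the report ties to this campaign

def extract_uris(pdf_bytes):
    """Return link targets found in /URI actions (compressed object streams must be inflated first)."""
    return [m.group(1).decode("latin-1").replace("\\)", ")") for m in URI_RE.finditer(pdf_bytes)]

def classify(url):
    """Reasons a link matches the Glitch phishing pattern; an empty list means nothing noteworthy."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if any(host == h or host.endswith("." + h) for h in GLITCH_HOSTS):
        reasons.append("hosted on Glitch")
    if parts.path.lower().endswith(LANDING_PAGE):
        reasons.append(f"{LANDING_PAGE} landing page")
    return reasons

def scan_pdf(pdf_bytes):
    """Map each flagged URL in the PDF to the reasons it was flagged."""
    flagged = {}
    for url in extract_uris(pdf_bytes):
        reasons = classify(url)
        if reasons:
            flagged[url] = reasons
    return flagged

# Constructed minimal PDF fragment: one link to a Glitch project page and one to an ordinary site.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example-project.glitch.me/red.htm) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
  /A << /S /URI /URI (https://www.example.com/docs/invoice.pdf) >> >> endobj
%%EOF
"""
```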

Glitch is essentially a cloud-based hosting service: people can deploy apps and websites built with Node.js, React, or a variety of other development platforms. As for the weak point, BleepingComputer noted that the platform's free tier, which lets users create an app or page and make it accessible on the web for 5 minutes at a time (after which the user has to re-enable it manually), lends itself to phishing abuse. 

Two aspects make this the perfect combination for threat actors: Glitch's domains are regarded favorably by security systems because of the platform's legitimacy, and the free tier gives attackers a place to host their short-lived malicious URLs.

Furthering the investigation, the researchers discovered a Glitch website linked to a commercial malware sandbox service. It contained a screenshot of a phishing login page of Microsoft SharePoint. 

Following the discovery of the PDF that led the researchers to that website, other HTML documents associated with the sample were identified once it was submitted to VirusTotal. After the pages were withdrawn, obfuscated JavaScript was discovered; these code fragments routed through the malicious WordPress sites and were used to steal passwords. The researchers alerted Glitch about the situation, but no response has yet been received from the firm.

This New Tool Helps in Detecting Vulnerable Chrome Extensions

The researchers from CISPA Helmholtz Center for Information Security in Germany have built tools to assist in identifying Chrome extensions that are vulnerable to exploitation by malicious web pages and other extensions. 

In 2018 Google revealed plans to revamp its browser extension platform in order to make it more secure. Under the prior platform rules, known as Manifest v2, Chrome extensions had broad permissions that could easily be abused, and many criminals took advantage of them. Google, for example, removed over 500 harmful extensions in February 2020, a month after it barred new extensions from the Chrome Web Store in order to combat payment fraud. 

Alongside its efforts to clean up the Chrome Web Store, Google has been working on Manifest v3, a redesigned set of extension APIs that offer fewer features, at the expense of content-blocking and privacy tools, but with reduced security and privacy risks. In January 2021, Google began accepting Manifest v3 extensions for review. However, extensions built on the new platform are not without flaws, and earlier Manifest v2 extensions are still in circulation.

CISPA Helmholtz researchers Aurore Fass, Dolière Francis Somé, Michael Backes, and Ben Stock set out to build a tool called DoubleX to help address the problem. Their work is described in the paper "DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale," published in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, which will be held next week in South Korea. 

They stated that malicious extensions are only a small part of the extensions that cause security and privacy issues. Furthermore, benign extensions may include vulnerable code that may be abused by other extensions installed by the user. DoubleX is on the lookout for extensions that aren't harmful but can be exploited. 

DoubleX is an open-source static analyzer that detects potentially dangerous data flows. In other words, it doesn't simply hunt for malicious extensions; it also looks for exploitable data paths in benign ones. 

How might these flaws be exploited?

According to the researchers, the presence of an eval call on externally controllable data indicates that an attacker might be able to exploit the permissions of the vulnerable extension. When DoubleX was run over a large number of Chrome extensions, it did find issues, but comparatively few. 

The paper stated, "We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information. For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX precision." 

"In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website." 

Around 2.4 million to 2.9 million users are affected by these 184 extensions, 172 of which are vulnerable to a web attacker and 12 through another unprivileged extension. The researchers say they reported their findings to the developers where they could find contact information, and to Google otherwise, between October 2020 and May 2021. According to them, 45 of the 48 vulnerable extensions discovered were still available in the Chrome Web Store as of July 2021. 

The paper stated, "Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users)."