
Cropping Apps Can Expose Photos Online

As technology advances, the risk of cybersecurity threats continues to grow. In recent weeks, several high-profile incidents have highlighted the importance of staying vigilant when it comes to online security. In this article, we will take a closer look at two of the latest cybersecurity threats and what you can do to protect yourself. 

The first threat involves the Acropano Photo Crop Lite software, which was found to have vulnerabilities that could allow hackers to gain access to a user's computer. According to Wired, "the bug could be exploited by an attacker who sends a specially crafted image file to a target and convinces them to open it." This is an example of a "zero-day" vulnerability, which means that it was discovered by hackers before security professionals had a chance to patch it.

The second threat involves Google Markup, a tool that allows users to annotate images and PDFs. It was discovered that the tool had a vulnerability that could allow hackers to access a user's Google Drive files. Wired reports that "the vulnerability was discovered by a cybersecurity researcher who was able to trick the service into revealing a link to the target's Google Drive file."

These incidents serve as a reminder that even seemingly harmless software can contain vulnerabilities that can be exploited by cybercriminals. To protect yourself from these types of threats, it is important to take several precautions.

First, it's important to keep your software up-to-date. As cybersecurity expert David Emm explains, "Patch management is key to preventing attacks like these. Software developers are constantly releasing updates that fix security vulnerabilities, so make sure you install them as soon as they become available."

Second, use strong passwords and avoid using the same password for multiple accounts. "Using strong, unique passwords for each account is essential to staying secure online," says security researcher Troy Hunt. "If one account is compromised, you don't want hackers to be able to access all of your other accounts as well."

Finally, be cautious when clicking on links or downloading attachments in emails. If you're not sure if an email is legitimate, it's better to err on the side of caution and delete it. Threats to cybersecurity are evolving and multiplying. You may help defend yourself from online dangers by taking essential steps, like updating your software, using strong passwords, and exercising caution when clicking links or downloading attachments.


Riot Games Hit by Data Breach

Riot Games reported last week that a social engineering attack had compromised systems in its development environment. Motherboard obtained the ransom note that was sent to Riot Games and reported that the hackers demanded $10 million in exchange for keeping the stolen source code secret and erasing it from their servers.

The LoL and TFT teams are investigating how cheat developers might exploit the data that was obtained to create new tools, and evaluating whether any fixes are necessary to resist such attempts. According to the game creator, the source code obtained during the breach also includes certain unreleased features that might never make it to release.

As proof, the hackers gave Riot Games two sizable PDFs that they claimed demonstrated their access to Packman and the League of Legends source code. Motherboard also obtained these files, and they appear to display directories connected to the game's code. According to the ransom message, the hackers offered, in exchange for payment, to remove the code from their servers, give insight into how the intrusion occurred and offer guidance on preventing future breaches.

The hackers indicated that Riot Games could contact them through a Telegram chat, and they provided a link to that chat in the post. Motherboard joined this channel; its members included usernames that corresponded to the names of Riot Games personnel.

According to Riot, no player or user information was taken during the attack, but the company warned that it would take some time to adequately secure the systems and that patches might be delayed. The breach is the subject of an ongoing investigation by Riot Games. It appears that the attackers did not use ransomware but instead concentrated on stealing source code so they could extort money from the business.

The Wizard of Deception: Jupyter Infostealer

Researchers recently discovered a new variant of SolarMarker, a malware family that is mostly distributed through SEO manipulation to persuade people into downloading malicious documents. SolarMarker uses defense evasion to extract auto-fill data, saved passwords, and stored credit card information from victims' web browsers. It offers extra features that are unusual in infostealers, such as file transfer and command execution from a C2 server.

When it was first detected towards the end of 2020, Jupyter packaged itself with legitimate executables. When run, it dropped an obfuscated PowerShell script. The threat group keeps adding layers of stealth and obfuscation, such as loading the Jupyter Dynamic-Link Library (.DLL) into memory rather than writing the file to disk. Now, it is frequently packaged in massive Windows installer packages (.MSI) that can reach 100 MB in size.

To further conceal its motives, these packages are still bundled with legitimate software and signed with valid digital certificates. When run, the installer loads and attempts to install the bundled genuine application. However, buried deep within the trojanized installer's code is a small, extensively obfuscated, and encrypted PowerShell script that runs in the background.

Jupyter has masked itself as a variety of programs and installers. The malware's main file extension has been changed to .MSI, and it executes its obfuscated PowerShell script via several techniques. Jupyter is usually hosted on phony download websites that pose as real hosts. These websites typically offer a free PDF book. A victim can reach them accidentally or via a link in a spam email.

It is often packaged with freeware software and certified with unrevoked digital certificates, making the installation appear more authentic. When the Windows installer package is loaded, it will present an installer pop-up for the targeted legitimate application, while loading data and running in the background. 

Jupyter has deployed itself in a variety of ways in past campaigns. The malware usually has two primary files:
  • An executable.
  • A Windows PowerShell script that contains the harmful code.
Some Jupyter variants have also dropped a temporary file (.TMP) into the victim's %AppData%\Roaming\Temp\ directory, which is used to construct the content of Jupyter's main malicious PowerShell script.

The malware uses PowerShell to conceal and execute its harmful code without ever writing itself to disk on the victim's PC. It avoids writing to disk by loading Jupyter's DLL into memory reflectively. DLLs are usually loaded into a process from a file written to disk.

Reflective DLL injection is a technique for loading code into a process directly from memory rather than from disk. Because the fully de-obfuscated malware never lives on disk, it needs a persistence mechanism, such as registry keys that reload the malware when the victim machine boots. As a result, the Jupyter DLL is difficult both to identify and to obtain for analysis.

Jupyter's basic PowerShell may be broken down into six different phases or components. Each phase serves a given objective, function, or capability. Although many Jupyter samples follow the same procedure, differences in Jupyter's PowerShell code exist, and certain samples have been observed to work in slightly different ways to achieve the same goals.

One can make a modest tweak to the attacker's PowerShell script to save the assembly to disk instead of loading it into memory. This also helps in understanding how this version of SolarMarker operates. In the decompiled code, the names of the classes and functions are not meaningful; they appear to be obfuscated.

The SolarMarker backdoor is a .NET C2 client that uses an encrypted channel to interact with the C2 server. HTTP is used for communication, with POST requests being the most common. The data is protected with RSA encryption and symmetric encryption using the Advanced Encryption Standard (AES). The client carries out internal reconnaissance, gathering basic information about the victim's system and exfiltrating it through the existing C2 channel. The infostealer module has a structure that is nearly identical to the backdoor module discussed above, but it has more features.
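As an added illustration, not code from the researchers or from the write-up, the following constructed Python sketch scores PowerShell script-block log text for the behaviours described above: reflective assembly loading from memory, base64-decoding of an embedded blob, and Run-key persistence. The sample script blocks, rule names and the threshold are assumptions.

```python
import base64
import math
import re

# Constructed script-block text in the style of PowerShell script block logging
# (Event ID 4104). The first two mimic the loader and persistence steps described
# above; the third is an ordinary admin one-liner that should not alert.
PAYLOAD = base64.b64encode(bytes(range(256))).decode()  # stands in for the encrypted DLL
SAMPLES = {
    "loader": "$b=[Convert]::FromBase64String('" + PAYLOAD + "');"
              "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    "persist": "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'"
               " -Name Updater -Value 'powershell -enc <omitted>'",
    "admin": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item",
}

# Each rule is one observable behaviour from the write-up rather than a sample hash,
# so it survives the string-level obfuscation changes between variants.
RULES = {
    "reflective_load": r"\[(?:System\.)?Reflection\.Assembly\]::Load\(",
    "base64_decode": r"\[Convert\]::FromBase64String\(",
    "run_key_persist": r"CurrentVersion\\Run\b",
    "encoded_command": r"-enc(?:odedcommand)?\b",
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking data such as an encrypted blob scores high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def score_script_block(text: str) -> dict:
    """Return the behaviours matched in one script block plus a verdict."""
    findings = [name for name, pat in RULES.items() if re.search(pat, text, re.I)]
    # A long, high-entropy quoted literal is the in-memory payload being staged.
    for literal in re.findall(r"'([^']{64,})'", text):
        if shannon_entropy(literal) > 4.0:
            findings.append("high_entropy_literal")
            break
    return {"findings": findings, "suspicious": len(findings) >= 2}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, score_script_block(text))
```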

By reading files relevant to the target browser, the SolarMarker infostealer module obtains login data, cookies, and web data (auto-fill) from web browsers. To decrypt the credentials, SolarMarker uses the API method CryptUnprotectData (DPAPI). 

In recent years, the security industry has recognized the usefulness of behavior-based detection in reducing the dwell time of threats inside a network.

Security experts exploit Google Chrome Zero-day using malicious PDF

Security researchers have found a new malicious PDF that exploits a Google Chrome zero-day flaw when victims use Chrome as their local PDF viewer.

Attackers are exploiting the Chrome zero-day vulnerability to track users and collect their personal information when they open this malicious PDF in the Chrome browser.

The security experts at EdgeSpot were the first to spot the flaw: the PDF behaves maliciously when opened locally in the Chrome browser, but shows no malicious activity when opened in the popular Adobe Reader.

The engine flagged it as "POTENTIAL ZERO-DAY ATTACK (Google Chrome), PERSONAL INFORMATION LEAKAGE".

The researchers at EdgeSpot found that the malicious PDF sends an HTTP packet to the attacker that collects the following information about the user:

  • The public IP address of the user.
  • OS, Chrome version, etc. (in the HTTP POST header).
  • The full path of the PDF file on the user's computer (in the HTTP POST payload).

Users are advised to use an alternative PDF reader application for viewing PDFs until the Chrome issue is fixed, or to disconnect from the internet while using Chrome to view PDF documents.

CVE-2009-0927 : PDF Exploit targets Aviation Defense Industry


Security researchers have come across a spam email that leads to a malware page delivering the PDF exploit for CVE-2009-0927. The campaign appears to be targeting the aviation defense industry.

About CVE-2009-0927:
A stack-based buffer overflow vulnerability in Adobe Reader and Adobe Acrobat before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object ("Collab.getIcon()").
If the recipient opens the malicious PDF file, it opens a decoy document displaying an invitation to an actual defense industry event. In the background, it exploits the PDF vulnerability.

If the victim's machine has a vulnerable version, the shellcode inside the PDF starts to execute. The shellcode creates and runs "evtmgr.exe" in the Temp folder.

The executable drops a DLL file called mssrt726.dll, which performs network communication and opens a backdoor on TCP port 49163.
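As an added example serving both the Chrome information-leak post and the CVE-2009-0927 post above (constructed here, not tooling from EdgeSpot or the original researchers), the following Python triage script flags the PDF features those posts describe: actions that run on open, JavaScript, outbound-submission actions, and the Collab.getIcon call. It also inflates FlateDecode streams so indicators hidden in compressed objects are seen. The indicator names, the sample PDF and the builder function are assumptions.

```python
import re
import zlib

# Indicators drawn from the two posts above: /JavaScript and /OpenAction run code
# when a document opens, /SubmitForm and /URI let a document send data out (the
# Chrome information leak), and Collab.getIcon is the call abused by CVE-2009-0927.
INDICATORS = {
    "javascript": rb"/JavaScript|/JS\b",
    "auto_open": rb"/OpenAction|/AA\b",
    "outbound": rb"/SubmitForm|/URI\b",
    "collab_geticon": rb"Collab\.getIcon",
}

def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every FlateDecode stream,
    so indicators hidden inside compressed objects are visible to the scan."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (or truncated); the raw bytes are still scanned
    return pdf + b"\n" + b"\n".join(extra)

def triage_pdf(pdf: bytes) -> dict:
    """Map each indicator name to its hit count; an empty dict means no hits."""
    data = inflate_streams(pdf)
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(re.findall(pattern, data))
        if count:
            hits[name] = count
    return hits

def build_sample(js: bytes) -> bytes:
    """Constructed minimal PDF whose /OpenAction runs `js` from a FlateDecode
    stream: only the structure a scanner must see through, not an exploit."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(build_sample(b"Collab.getIcon(payload);")))
```

A hit on "collab_geticon" inside an inflated stream is the case a plain string search over the raw file misses.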