Search This Blog

Showing posts with label URL. Show all posts

Microsoft Teams: Bugs Use GIFs to Construct Reverse Shells

Malicious hackers can utilize Microsoft Teams to launch innovative phishing attacks and discreetly carry out commands to steal data via GIFs using a new attack method known as "GIFShell."

The new attack pattern demonstrates how hackers can merge various Microsoft Teams flaws and security holes to reap the benefits of reliable Microsoft infrastructure and distribute malicious files, and orders, and perform data exfiltration via GIFs.

This attack chain can be highly destructive, especially in network security environments where Microsoft Teams may be one of a limited set of authorized, trusted hosts and apps, as per Raunch. The GIFShell stager can be persuasively dropped and implemented on the victim's computer by exploiting two additional vulnerabilities found in Microsoft Teams, including a lack of permission enforcement and attachment spoofing.

Bobby Rauch, a cybersecurity expert, and pentester revealed multiple holes in Microsoft Teams that may be chained together for code execution, data theft, cybersecurity bypasses, and phishing attacks. This led Rauch to the discovery of the new attack chain.

This attack's primary tool is referred to as "GIFShell," and it enables an attacker to build a reverse shell that sends malicious commands via base64-encoded GIFs in Teams and exfiltrates the output using GIFs recovered by Microsoft's own servers.

GIFShell Attack

Since the data exfiltration takes place through Microsoft's own systems, security software that interprets the traffic as normal Microsoft Team activity will have a hard time identifying it.

The attacker must first persuade a user to install a malicious stager that runs commands and uploads command outputs via a GIF URL to a Microsoft Teams web hook to construct this reverse shell.

Rauch created a new phishing attack on Microsoft Teams to help with this. As we know, phishing assaults are effective at infecting devices.

The 'stager,' a malicious program that GIFShell uses to mislead users into launching on their devices, continuously scans the Microsoft Teams logs.

Any malware on the system can access these logs because they contain all received messages and are viewable by all Windows user groups.

Hackers would build their own Microsoft Teams tenant after installing the stager and get in touch with other Microsoft Teams users from outside their organization. Attackers can easily accomplish this since Microsoft Teams by default permits external communication.

Rauch's GIFShell Python script enables the hackers to transmit a message to a Microsoft Teams user that comprises a specially created GIF to start the attack. This GIF file was altered to add instructions to run on the target's computer.

The email and the GIF will be saved in Microsoft Team's logs when the victim receives them, which the malware stager watches.

The base64-encoded commands will be extracted by the stager and run on the device when it recognizes a message that contains a GIF. The output of the command will subsequently be converted to base64 text by the GIFShell PoC.

The hacker's open Microsoft Teams webhook is accessed by the stager using this base64 text as the filename for a remote GIF placed in a Microsoft Teams poll card.

To get the GIF, which would be named using the base64-encoded result of the executed command, Microsoft's servers will link back to the hacker's server URL when Microsoft Teams creates flashcards for the user.

This request will be received by the GIFShell server, which is installed on the hacker's server, and will instantly decode the filename so that the hackers can view the results of the command issued to the targeted device.

The Microsoft Teams files folder has also been discovered to be accessed by other software, including malware and commercial monitoring tools like Veriato.

In a report to BleepingComputer, Microsoft purely reaffirmed its claim to Rauch stating, "We evaluated the methods mentioned by this researcher and found that the two stated do not satisfy the requirements for an immediate security fix. To help maintain customer security, we're always exploring for new ways to better combat phishing, and we might do something in a future release to assist prevent this tactic."

Users should ensure ethical computing habits online, including vigilance when clicking on links to websites, opening unexpected files, or allowing file transfers. Users shall remain aware of this type of phishing.

 Google Chrome Flaw Enables Sites to Copy text to Clipboard

A flaw in the Google Chrome browser and other Chromium-based browsers could enable malicious websites to automatically rewrite the contents of the clipboard without asking the user's permission or requiring any user involvement.

Developer Jeff Johnson claims that the clipboard poisoning exploit was unintentionally added to Chrome version 104.  Web pages can also write to the system clipboard in Safari and Firefox, but both browsers have gesture-based security measures in place.

The flaw has been spotted by Chrome developers, but a patch has not yet been released, therefore it is still present in the most recent desktop and mobile versions of Chrome.

Security flaw

Operating systems have a temporary storage area called the system clipboard. It can contain sensitive information like passwords, banking account numbers, and cryptocurrency wallet strings and is frequently used for copying and pasting.

Users are at risk as they may end up being the targets of malware attacks if arbitrary content is written over this temporary storage space.

Users might be lured to visit websites that have been carefully built to look like reputable bitcoin services by hackers. The website might write the threat actor's address to the clipboard when the user attempts to make a payment and copy their wallet address to the clipboard.

On some websites, the user may be given the option to add more information to the clipboard when selecting text to copy from a website typically the page URL. However, in such cases, there is no obvious notification or user input before the clipboard overflows with random text.

All online browsers that support clipboard writing, have poor and insufficient security measures, according to a blog post on the subject.

When a user selects a piece of text and presses Control+C or chooses 'Copy' from the context menu, the web page is given permission to utilize the clipboard API.

Johnson explained, "Therefore, even a seemingly innocent action like clicking a link or using the arrow keys to scroll down the page allows the website to overwrite one's system clipboard." He conducted tests on Safari and Firefox and discovered that loading a web page allowed clipboard writing permission when the down arrow key was pressed or the mouse scroll wheel was used to navigate.

Fortunately, Johnson's testing showed that websites could not misuse this authorization to read clipboard contents, as it would be problematic for user privacy.

Phishing Scam Exploit's American Express, Snapchat Open-Redirect Threats

Phishing emails aimed at users of Google Workspace and Microsoft 365 have been sent as a result of open-redirect vulnerabilities affecting the American Express and Snapchat domains.

The term "open redirects" refers to a software vulnerability that makes it simpler for hackers to point users toward harmful resources they control.

Vulnerabilities :

Open redirect occurs when a website doesn't validate user input, allowing hackers to modify the URLs of domains with stellar reviews to route consumers to malicious sites. Because the initial domain name in the altered link is a well-known one, like American Express or Snapchat, victims will believe it.

The link may seem secure to an untrained eye because the first domain name in the modified link is actually the domain name of the original site. According to email security firm INKY, the trusted domain, such as American Express or Snapchat, serves as a temporary landing page before redirecting the user to a malicious website.

DocuSign, FedEx, and Microsoft were used as baits in phishing emails distributed to the Snapchat group, which led to sites that harvest user credentials. Researchers from Inky claim that 6,812 phishing emails sent from Google Workspace and Microsoft 365 hacked over the course of two and a half months used the Snapchat open redirect.

On August 4, 2021, professionals informed Snapchat of a vulnerability through the Open Bug Bounty site, but nothing has been done to fix it.

The matter was made worse by the discovery of the American Express open-redirect vulnerability in more than 2,000 phishing emails in only two days in July. The vulnerability has since been patched, as per the report, and any user who opens the link now is led to an error page on the company's legitimate website.

Prevention cautions

Roger Kay of INKY provided easy measures for preventing open redirect attacks:
  • Domain owners can undertake a few easy actions if they want to further reduce open redirect attacks. First, don't use redirection at all in your site architecture. Domain owners can, however, build an allowlist of permitted safe links to reduce open-redirect misuse if it's required for business reasons.
  • Additionally, domain owners have the option to display caution about external links before forwarding viewers to external websites.
  • Users should be on the lookout for URLs that include things like "url=," "redirect=," "external-link," or "proxy" as they explore websites online. These strings can suggest that a reputable domain might reroute traffic to another website.
  • Additionally, recipients of emails with links should look for repeated instances of "http" in the URL, another possible sign of redirection.

Attack Against NPM Software Supply Chain Unearthed

 

Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.

Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.

ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.

To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks. 

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.

105 million Android Devices were Infected with 'Dark Herring' Invoice Malware


Dark Herring malware was identified by a Zimperium research team, the campaign is estimated to be in the millions of dollars, in monthly increments of $15 per victim. Google has subsequently deleted all 470 fraudulent apps from Play Store, and the scam services have been shut down, however, any user who already has one of the apps loaded could be actively attacked in the future. The apps can also be found in third-party app shops. 

Direct carrier billing (DCB) is a mobile payment technique which adds payments for non-telecom services to a consumer's monthly phone bill. It is used by customers worldwide, particularly in underbanked countries. It's a tempting target for opponents. 

The Dark Herring's long-term success was based on AV anti-detection skills, widespread distribution via a large number of programs, code encryption, and the use of proxy as first-stage URLs.While none of the aforementioned features are novel or surprising, seeing it together in one software program is unusual for Android fraud. Furthermore, the actors used a complex infrastructure which has accepted communications from all 470 application users yet handled each one individually based on a unique identity. 

It has no malicious code in the installed software, but it does have a hard-coded encoded string which refers to a first-stage URL located on Amazon's CloudFront.The server's answer includes links to further JavaScript files housed on Amazon Web Services servers, which are downloaded to the infected device. 

The campaign was able to last so long because the malicious users presented viewers with the expected functionality, an attempt to remain installed on the victims' devices. The Dark Herring applications begin interacting with the authoritarian (C&C) server once it has been installed on a device to send over the victim's IP address, which is used to track the victim for a direct carrier invoicing subscription. 

The victim is sent to a geo-specific webpage, where the user is asked about personal details like phone numbers, ostensibly for verification purposes. However, the victim has no idea, of sending contact information to a subscription plan."The victim does not understand the impact of the crime right away," Zimperium explains, "and the chance of the theft extending for months before discovery is high, with hardly any remedy to get one's money back." 

Given Dark Herring's evident accomplishments, Zimperium believes it is unlikely, the cybersecurity community will hear from this criminal outfit again.

Amazon's Bogus Crypto Token Investment Scam Robs Bitcoin off Users.

 

Investors are being misled into turning over Bitcoin in a new cryptocurrency fraud (BTC). Scams involving cryptocurrency and digital tokens have become commonplace, posing a risk to potential buyers. 

Exit scams, rug pulls, and theft are still common, despite the fact regulators throughout the world are cracking down on fraud through tax laws, securities offering registration, tougher restrictions governing cryptocurrency advertisements, and a careful check on initial coin offers (ICOs). The popularity of cryptocurrencies and NFTs continues to rise, creating breeding soil for new frauds to emerge on a regular basis.

Utilizing Amazon's branding to promote a bogus scheme entitled "Amazon to produce its digital token," cyber-criminals are luring users to give away private credentials from the first step of the scam campaign. 

According to Akamai experts, the ongoing cyberattack attempts have profited from the cryptocurrency hype, including scammers using a range of phishing methods based on false rumors. "This particular fraud preyed on consumers' fear of missing out on a special offer to participate in a new cryptocurrency opportunity". Furthermore, in 2021, according to Chainalysis, fraudsters have received around $14 billion in deposits.

Visitors were asked to purchase for the pre-sale tokens with users cryptocurrencies, such as Bitcoin (BTC) or Ethereum (ETH). However, as the tokens aren't real, the funds ended up in the hands of criminals. 

Another enticement is a referral programme that allows the attackers to increase the scope of the token fraud with no further effort. In all, mobile devices were used by the majority of visitors to the phoney token landing pages (98 percent). The distribution of mobile operating systems, however, favors Android handsets (56 percent), with Apple iOS coming in second (42 percent). North America, South America, and Asia account for the vast majority of victims.

To avoid being a victim of fraud like this, users are advised to take the following precautions: 

  •  Be wary of bitcoin marketing and social media posts. 
  •  Before submitting information and making a purchase, double-check URLs and websites. 
  •  Don't be fooled by high-pressure techniques like "flash sales," "just a few left," or "buy now."
  •  Look for legitimate sources while researching what to buy. 
  •  When you see scam ads or postings, report them so they can be removed from social media. 
  •  Be alert, and therefore don't believe everything. 
It's essential to avoid chatting with random commentators or accepting unsolicited invitations from strangers, especially now when social media-based communication is at its most over-used in the pandemic.

Malware Abcbot Related to the Xanthe Cryptomining Bug Developer's

 

Abcbot, the newly discovered botnet has a longer history than what was originally believed. The Xanthe-based cryptojacking campaign found by Cisco's Talos security research team in late 2020 has a clear link, according to the ongoing examination of this malware family. When Talos was notified of an intrusion on one of their Docker honeypots, they discovered malware that looked like a bitcoin mining bot. 

The virus is known as Xanthe, and its main goal is to mine cryptocurrency using the resources of a compromised system. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining cryptocurrency on compromised hosts to more classic botnet activity like DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted Huawei Cloud's vulnerable ECS instances. 

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs, and samples, revealed Abcbot's code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which spread the infection using incorrectly configured Docker implementations. 

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines, with some functions having not only identical names and implementations (e.g., "nameservercheck"), but also have the word "go" appended to the end of the function names (e.g., "filerungo"). According to experts, Abcbot also contains spyware that allows four malicious users to be added to the hacked machine: 
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe that there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. The majority of these would be difficult and inefficient to recreate identically, including string reuse, mentions of shared infrastructure, stylistic choices, and functionality that can be seen in both instances. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations like DDoS attacks.

Omicron Test Scam : A Free Test Is Available

 

Cybercriminals send emails containing malicious links and data, according to police sources. When individuals click on such a link or download a file, their system — whether it's a phone or a computer — is compromised, and hackers have access to sensitive data. The government recommended citizens examine the domain name and URL of websites to ensure their validity, and to report any such incidents to the cybercrime.gov.in portal. 

A warning has been issued by the Ministry of Home Affairs (MHA) against cybercriminals about offering free testing to potential victims in order to detect the Omicron variant. TheMHA's cyber and information security branch has issued the following advisory: "Due to the shift in focus to the health crisis, cybercriminals are taking advantage of the weakening of cyber defenses. Cybercriminals are always devising new methods of defrauding citizens. As time goes on, Omicron-themed cybercrime is becoming more prevalent. Cybercriminals are using a variety of strategies to commit cybercrime in order to take advantage of the continuously changing scenario and scam innocent victims."

Hackers in the United Kingdom have already begun to take advantage of the virus by sending out phishing emails offering free COVID-19 testing that claims to detect the new variant. In reality, hackers are attempting to dupe unwary users into divulging their personal data. According to a consumer watchdog group, the scam emails appear to come from the UK's National Health Service. The subject line of one email reads, "Get Your Free Omicron PCR Test - Apply Now to Avoid Restrictions. People who do not consent to a COVID-19 test and refuse to have a swab must be segregated," the email continues, in an attempt to terrify the user into complying. 

Users who fall for the ruse will be directed to a fake NHS website, which will ask for their full name, date of birth, address, phone number, and email address – all of which can be used to commit identity theft. The phishing emails are embellished with official-looking NHS logos by hackers. The scam emails were also received from the address "contact-nhs[AT]nhscontact.com."

Threat Actors are Abusing Glitch Platforms

 

Phishing hackers have turned their attention to the Glitch platform. It appears that cybercriminals are aggressively abusing the service to use it to host free phishing sites that steal passwords. Employees of large corporations and firms that collaborate with the Middle East are among those targeted. 

A report on this issue was published by DomainTools researchers; the phishing campaign, according to which, began in July 2021 and is currently ongoing. 

The threat actors work in the following manner:

• They send e-mail messages with PDF-based attachments that contain no harmful code to bypass antivirus alarms; 
• Instead, a particular link may be located in these PDFs and this link directs to a malicious website hosted on the Glitch platform; 
• In a total of 70 PDFs, researchers discovered several of these categories. 
•The particularities about these PDFs were the unique URL and the e-mail correlated with each of them. All these links are related to different “red.htm” pages hosted by Glitch. 

Glitch stands basically for a cloud-based hosting service. To deploy apps and websites, people can utilize Node.js, React, or a variety of dev platforms. In the context of a weak point, BleepingComputer pointed out, the Glitch platform's free edition, which allows users to create an app or a page, appears to be vulnerable to phishing attacks. They can also make it accessible for 5 minutes on the web. After the 5 minutes have passed, the user needs to manually enable this. 

Some aspects, such as the fact that Glitch's domains are considered favorably by security systems owing to the platform's legitimacy and the free version that is a path for threat actors to host their short-lived malicious URLs, constitute the perfect combination for threat actors.

Furthering the investigation, the researchers discovered a Glitch website linked to a commercial malware sandbox service. It contained a screenshot of a phishing login page of Microsoft SharePoint. 

Following the finding of the PDF that directed the researchers to that website, other HTLM documents associated with that sample were identified once it was submitted to Virus Total. After the pages were withdrawn, obfuscated JavaScript was discovered. These code pieces passed through the malicious Worpress sites and were then exploited to steal passwords. The researchers alerted Glitch about the situation, but no response has yet been received from the firm.

A URL Parsing Bug Left an Internal Google Cloud Project Open to SSRF Attacks

 

According to security researcher David Schütz, a URL parsing flaw exposed an internal Google Cloud project to server-side request forgery (SSRF) attacks. The bug, which Schütz detailed in a video and blog post, might have allowed an attacker to gain access to sensitive resources and perhaps launch harmful code.

Server-side request forgery is a web security flaw that allows an attacker to force a server-side application to send HTTP requests to any domain the attacker chooses. The attacker may cause the server to connect to internal-only services within the organization's infrastructure in a conventional SSRF attack. They may also be able to force the server to connect to arbitrary external systems, exposing sensitive data such as authorization credentials. 

Unauthorized activities or access to data within the company can often arise from a successful SSRF attack, either in the vulnerable application itself or on other back-end systems with which the programme can interface. The SSRF vulnerability could allow an attacker to execute arbitrary commands in some circumstances. An SSRF vulnerability that establishes connections with external third-party systems could lead to malicious attacks that appear to come from the company that hosts the vulnerable application. 

While researching Discovery Documents, data structures that give specifications for Google API services, Schütz discovered the problem. While looking through the Discovery Documents, Schütz came upon an intriguing service named Jobs API, which had the appearance of being an internal service. The Jobs API led him to an application on the Google App Engine that acted as a proxy, allowing him to access the API through Google's public product marketing pages. The proxy acted as an intermediate between the user and the API, which meant it had an access token that could be used to launch SSRF attacks. 

Request URLs were run via a whitelist to restrict access to internal Google resources. Schütz, however, was able to fool the URL parser and bypass the whitelist, allowing him to send requests to any server he wanted. This allowed him to send requests from the proxy app to a Google Cloud VPS server. The request revealed the proxy app's access token, which he could then use to send requests to other Google Cloud projects.

“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” Schütz said. “After disclosing the initial issue in the Google JS library, I have already seen this getting fixed in products from different companies as well. Even though, this issue still keeps popping up even at Google. This SSRF is a great example of it.”

Major Breach of Biometric Systems Exposes Information of More Than 1 Million People



In a vulnerability found by Israeli security researchers there occurred a rather major breach of biometric systems that left data of more than 1 million individuals 'exposed' in an openly accessible database.

The frameworks influenced were said to have been utilized by the UK Metropolitan police, defence contractors, and banks, for fingerprint and facial recognition purposes.
It all started when the researchers found that the biometric data on 'Suprema's web-Biostar 2 platform' that controls access to secure facilities, was unprotected and 'mostly unencrypted.'

The affected database included 27.8 million records, totalling 23 gigabytes of data. A small and simple manipulation of the URL search criteria enabled access to the data as well as allowed room for some changes.

Purportedly, the researchers have now been searching for familiar IP blocks to further use these in order to discover holes in company’s frameworks that could conceivably prompt data breaches.
We were able to find plain-text passwords of administrator accounts. The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users,” – Rotem and Locar, the security researchers.

Despite the fact that the vulnerability has been fixed, be that as it may, it is still in the news as the size of the breach was disturbing because the affected service is currently in use in approximately 1.5 million areas over the world.

Government of India blocked over 2,100 URLs







The Central Government of India has blocked over 2,100 URLs (Uniform Resource Locators) on social media platforms in the first six months of 2019. 

The Electronics and IT Minister Ravi Shankar Prasad informed the Parliament in a written reply to the Lok Sabha, said that a total of 633, 1,385 and 2,799 URLs were ordered for blocking in 2016, 2017 and 2018, respectively. 

“Section 69A of the Information Technology Act, 2000 empowers Government to block any information generated, transmitted, received, stored or hosted in any computer resource in the interest of sovereignty and integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above,” he said.

The Minister said that this action was taken by the government to make social media platforms safer place. 


According to the written statement submitted, Ministry of Electronics and IT (MeitY) and Ministry of Home Affairs (MHA), and various police departments regularly monitor the various social media platform in order to remove the objectionable content.

Yet Another Phishing Campaign by Hackers That Abuses QR Codes To Redirect Targets to Phishing Landing Pages



 Attackers come up with yet another phishing campaign that misuses QR codes to divert the targets to phishing landing pages. Researchers responsible for discovering this crusade distinguished that it quite effectively evades security solutions and controls intended to stop such attacks in their tracks.

The attackers previously utilized a URL encoded in a QR code target on the French Cofense customers to dodge the security software which dissects and accordingly blocks  suspicious or 'blacklisted areas' .

They even included a GIF image containing the QR code which would redirect them to the hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-school/Sharepoint/sharepoint/index.php domain intended to act like a SharePoint-related site.

The phishing mails were disguised as a SharePoint email with a "Review Important Document" headline and a message body which would welcome potential victims to  "Scan Bar Code to View Document."
Phishing Email

Removing the victims from the overall safety of their computers thusly enables the cybercriminals to adequately sidestep any link protection services ,secure email portals, sandboxes, or web content filters set up by the targets' corporate information security department.

To make the attack considerably progressively fruitful against mobile users, the attackers have likewise upgraded their landing pages for smartphones with the phishing page and thus providing a custom view on the mobile devices.

Phishing landing page
Researchers from Cofense, the leading provider of human-driven phishing defense solutions world-wide, state that QRishing is a fairly notable technique utilized by cybercriminals to abstain from phishing filters and security solutions build especially to block such attacks before the pernicious emails reach the targets' inboxes.

Phishing landing page on a mobile

Along these lines , a conceivable protection against them named QRCS (Quick Response Code Secure), which would be "a universal efficient and effective solution focusing exclusively on the authenticity of the originator and consequently the integrity of QR code by using digital signatures, “was proposed in a paper from the Carnegie Mellon University's CyLab Study , which could perhaps prove to be valuable later on in the future.