Bandwidth Suffers Outages Caused by DDoS Attack

 

Within the last couple of days, Bandwidth.com has become the latest VoIP company hit by distributed denial of service attacks. 

Bandwidth, a firm providing Voice over Internet Protocol (VoIP) services to companies and resellers, revealed that it suffered an outage after reporting the DDoS attack on Monday night, September 27. 

Bandwidth Chief Executive Officer David Morken confirmed the incident and also stated that "a number of critical communications service providers have been targeted by a rolling DDoS attack." Bandwidth began reporting unexpected voice and messaging service outages on September 25 at 3:31 p.m. EST. 

Bandwidth has since provided periodic status updates describing disruptions to voice, Enhanced 911 (E911), messaging, and portal access. As Bandwidth is among the world's major VoIP service providers, several other VoIP suppliers, including Twilio, Accent, DialPad, Phone.com, and RingCentral, have experienced disruptions throughout the past few days. 

While it has not been established that all of those outages are linked to the Bandwidth incident, one outage report specifically cites Bandwidth, while the others say an upstream provider is involved. "While we have mitigated much-intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously," Morken said. 

The firm continues to monitor the situation with its network services and technical teams and is actively engaging with customers to answer any questions. The company said it will post updates to status.bandwidth.com as it has further information to provide.

Since the statement was issued, the firm has updated the status of a number of inbound and outbound calling services, listing partial outages. 

On its Cloud Service Status page, Accent said on Tuesday that the "upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services." 

"Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate," Accent wrote. 

Further, on Monday, a source said that their clients were experiencing serious issues with their migrated phone lines. The firm is a downstream reseller of Bandwidth-hosted products and claimed that, because of the Bandwidth problem, a major telecoms company they knew "was in emergency mode".

Because VoIP services are usually routed over the internet and require public access to their servers and endpoints, they are prime targets for DDoS extortion. To carry out these DDoS attacks, the attackers flood the targeted devices and servers with more requests than they can handle, leaving them unavailable to everyone else. 

"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot shared on Reddit. 

Monday night, Bandwidth said that it had restored its services, although it was not clear whether the attacks had stopped or the actors' demands had been met. It is common for cybercriminals to pause attacks temporarily while pressing extortion demands, and on Tuesday morning the DDoS attacks resumed. 

Nobelium APT Group Uses Custom Backdoor to Target Windows Domains

 

Researchers from Microsoft Threat Intelligence Center (MSTIC) identified FoggyWeb, a new custom malware utilized by the Nobelium APT group to distribute further payloads and steal critical information from Active Directory Federation Services (AD FS) servers. 

FoggyWeb is a post-exploitation backdoor utilized by the APT group to remotely exfiltrate the setup databases of affected Active Directory Federation Services (AD FS) servers, as well as the decrypted token-signing and token-decryption certificates. It also enables threat actors to download and execute additional elements. 

The analysis published by Microsoft stated, “Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” 

“Use of FoggyWeb has been observed in the wild as early as April 2021.” 

The attackers load FoggyWeb from the encrypted file Windows.Data.TimeZones.zh-PH.pri using a version.dll loader. That version.dll is loaded by the AD FS service executable 'Microsoft.IdentityServer.ServiceHost.exe' through DLL search order hijacking, which involves the core Common Language Runtime (CLR) DLL files. 

To decrypt the backdoor directly in memory, the loader employs a proprietary Lightweight Encryption Algorithm (LEA) function. The backdoor sets up HTTP listeners for actor-defined URIs in order to intercept GET/POST requests to the AD FS server that match the custom URI patterns. 
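As an added example (not from the article or from Microsoft's report), the following triage script runs over constructed Sysmon-style "Image loaded" (Event ID 7) records and a constructed directory listing to spot the search-order hijack described above: the AD FS service executable loading a version.dll that sits next to it rather than in System32, plus the encrypted payload file name. The AD FS install path, the sample events and the listing are assumptions built for the demonstration.

```python
"""Triage of constructed Sysmon EID 7 records for the FoggyWeb loader pattern.

Added example, not the article's or Microsoft's code. Sample events and the
directory listing below are constructed, not captured from a real server.
"""
from pathlib import PureWindowsPath

ADFS_EXE = "microsoft.identityserver.servicehost.exe"
# Loader DLL named in the article; the legitimate copy lives in System32/SysWOW64.
HIJACK_CANDIDATES = {"version.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Encrypted payload file named in the article.
PAYLOAD_NAME = "windows.data.timezones.zh-ph.pri"


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage_image_loads(events):
    """Return findings for image-load events matching the hijack pattern.

    Each event is a dict using Sysmon EID 7 field names: Image (the loading
    process), ImageLoaded (the DLL path), Signed ("true"/"false") and
    Signature (signer name). Events from other processes are ignored.
    """
    findings = []
    for ev in events:
        if _name(ev.get("Image", "")) != ADFS_EXE:
            continue
        dll = ev.get("ImageLoaded", "")
        if _name(dll) not in HIJACK_CANDIDATES:
            continue
        reasons = []
        if _parent(dll) not in SYSTEM_DIRS:
            reasons.append("system DLL loaded from outside System32")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned image")
        elif "microsoft" not in ev.get("Signature", "").lower():
            reasons.append("not Microsoft-signed")
        if reasons:
            findings.append({"dll": dll, "reasons": reasons})
    return findings


def find_payload_files(listing):
    """Flag the encrypted FoggyWeb payload file name in a list of full paths."""
    return [p for p in listing if _name(p) == PAYLOAD_NAME]


# Constructed sample events: one legitimate load, one hijack, one unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
     "ImageLoaded": r"C:\Windows\ADFS\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]
# Constructed listing of the (assumed) AD FS install directory.
SAMPLE_LISTING = [
    r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\ADFS\Windows.Data.TimeZones.zh-PH.pri",
]

if __name__ == "__main__":
    for f in triage_image_loads(SAMPLE_EVENTS):
        print(f["dll"], "->", "; ".join(f["reasons"]))
    for p in find_payload_files(SAMPLE_LISTING):
        print("payload candidate:", p)
```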

Microsoft researchers offered the following advice to companies that have been affected or are suspected of being under attack by the group: 
  • Examine your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other modifications made by the actor to retain their access. 
  • Remove user and app access, evaluate each's settings, and re-issue fresh, strong credentials in accordance with established industry best practices. 
  • To prevent the exfiltration of secrets via FoggyWeb, use a hardware security module (HSM), as explained in Securing AD FS servers. 
The NOBELIUM APT is the threat actor behind the SolarWinds supply chain attack, which involved various implant families such as the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and the GoldFinder backdoor. 

NOBELIUM focuses on government agencies, non-governmental organizations (NGOs), think tanks, military, information technology service providers, health technologies and research, and telecommunications providers.

Threat Actors from China Infiltrated a Major Afghan Telecom Provider

 

Just as the US was completing its withdrawal from Afghanistan, several China-linked cyberespionage groups were seen intensifying attacks on a major telecom corporation. Recorded Future, a threat intelligence firm, reported on Tuesday that it has witnessed four different Chinese threat groups target a mail server belonging to Roshan, a large telecom provider in Afghanistan with over 6.5 million subscribers. 

According to Doug Madory, Director of Internet Analysis at Kentik and a veteran observer of worldwide traffic trends, “Roshan is one of the largest suppliers of Internet access to the people of Afghanistan” and a major source of online traffic in and out of the nation. 

Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers were unable to link to other known actors, carried out the attacks. The researchers believe it's not unusual for Chinese hackers to target the same Roshan mail server because they often have diverse intelligence requirements and don't coordinate their actions. 

Some of the groups had been able to access the mail server for months, but the attacks seemed to pick up steam in August and September, just as US forces were leaving Afghanistan. During this time, the researchers noted an uptick in data exfiltration activity. 

Roshan was notified of the compromises by Recorded Future before its Insikt Group made the attacks public. A Chinese Embassy spokesperson described pinpointing the source of cyberattacks as a "difficult technological problem" in an email sent after the report was published. 

“Linking cyber-attacks directly to one certain government is a highly sensitive political issue. China hopes that relevant parties will adopt a professional and responsible attitude,” the statement said. “Qualitativing cyber incidents must be based on sufficient evidence instead of groundless speculation,” the spokesperson wrote. 

The first activity linked to Roshan, according to the experts, was tied to the suspected Chinese state-sponsored group Calypso Advanced Persistent Threat (APT). That infiltration appears to have started in July 2020 and continued through September 2021, with a spike in activity in August and September of this year. 

From at least March through May of this year, the researchers discovered the same Roshan mail server connecting with the infrastructure of another known suspected Chinese APT group, RedFoxtrot. 

According to an Insikt report published Tuesday, RedFoxtrot also appeared to have infiltrated another undisclosed Afghan cellular operator during this time. RedFoxtrot was previously identified as targeting unnamed telecommunications firms in Afghanistan, India, Pakistan, and Kazakhstan, according to a study published by the research team in June. That study also linked RedFoxtrot to Unit 69010 of the People's Liberation Army in Ürümqi, Xinjiang.

Japan mentioned Russia in its new cybersecurity strategy

The Japanese government on Tuesday officially approved a new three-year cybersecurity strategy, where Russia, China and North Korea are mentioned for the first time as potential sources of hacker attacks. The document is published on the website of the Cyber Strategic Headquarters of Japan.

Japanese Foreign Minister Toshimitsu Motegi said at a press conference in Tokyo that the sphere related to security guarantees is expanding, and that the importance of areas such as cyberspace and space security is growing.

According to him, the security situation around Japan is becoming increasingly severe. It is believed that China, Russia and North Korea are strengthening their potential in cyberspace, and the instability of the world order is also increasing.

He added that Japan, based on the adopted strategy, will increase its capabilities to counter attacks by foreign hackers.

The document claims that China conducts cyber attacks in order to obtain military and other advanced technologies, and Russia allegedly to achieve beneficial military and political goals in other countries. According to the approved strategy, to strengthen the cyber potential, Japan intends to work closely with the participants of the Quadrilateral Security Dialogue, which also includes Australia, India and the United States.

It should be noted that in Japan, more than 4 thousand unauthorized intrusion attempts against various computer networks and systems are recorded annually. In particular, the large electrical engineering corporations NEC and Mitsubishi Electric have fallen victim to intruders in recent years.

Western countries have repeatedly made allegations that Russia is involved in various cyber attacks, including against US government agencies and companies. The Russian side has consistently denied these accusations. In particular, the press secretary of the President of the Russian Federation Dmitry Peskov said earlier that Moscow is not involved in such hacker attacks.

Kids Fairy Tale App Farfaria Exposed Data of 2.9 Million Users

 

A cybersecurity researcher at Comparitech has identified a misconfigured MongoDB database containing a trove of data left exposed to the public without any password or other authentication. The exposed data belongs to FarFaria, a San Francisco, CA-based company that offers a fairy-tale reading service for kids through Android and iOS apps. 

According to Bob Diachenko, the head of security research at Comparitech, the exposed database contained 38 GB worth of data with contact information and login credentials of 2.9 million users such as email addresses, authentication tokens, encrypted passwords, number and timeline of logins, and social media tokens (if logged in from social media accounts).

After spotting the data leak on August 9th, 2021, the researcher immediately reported the incident to FarFaria. However, the firm did not respond to the researcher but secured the database the very next day.

The main concern for FarFaria users is targeted phishing attacks. Cybercriminals can target users via email, text, or phone calls. Additionally, scammers can trick users into divulging additional information such as account details by posing as FarFaria employees. The leaked data contains a number of authentication tokens that could prove particularly useful to criminals looking to carry out sophisticated phishing attacks on the users, Diachenko warned. 

“There is an unimaginable measure of digital danger implied with the present more youthful age, as youngsters are progressively utilizing the web for their schooling and exercises. With 2.9 million FarFaria client records uncovered, it’s logical the data has as of now been spilled on the dim web, putting kids in more serious peril of being exploited online from a lot more youthful age than past ages,” Robert Prigge, CEO of identity verification company Jumio Corp., told SiliconANGLE.

Earlier this year, in August, Risk Based Security published its 2021 Mid Year Data Breach QuickView Report, revealing a 24% decline in reported data breaches. There were 1,767 publicly reported breaches in the first six months of 2021, which exposed a total of 18.8 billion records. However, the decline in data breach incidents does not mean organizations have improved their security.

“Analyzing breach activity has become especially interesting and important over the past two years. While some trends remain largely untouched, new trends are emerging. The method of how attackers monetize their efforts has diversified, and at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed. The amount of data compromised remains stubbornly high and with another sizable Q2 breach yet to be confirmed, it is possible that the number will climb over 19 billion in the near future,” stated Inga Goddijn, Executive Vice President at Risk Based Security.

Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw

 

A fully working exploit for the remote code execution vulnerability in VMware vCenter tracked as CVE-2021-22005 is now publicly available and is being exploited in the wild.

In contrast to the version that began to circulate at the end of last week, this variant can be used to open a reverse shell on a vulnerable system, allowing remote attackers to run code of their choice. The flaw requires no authentication and allows intruders to upload a file to the vCenter Server analytics service. 

On Monday, exploit writer wvu published a working exploit for CVE-2021-22005 that targets endpoints with the Customer Experience Improvement Program (CEIP) component enabled, which is the default setting. 

Moreover, VMware defines the vulnerability as exploitable "by anyone who can reach vCenter Server over the network to gain access, regardless of vCenter Server's configuration settings." wvu describes what their code does at every level in a technical study released this week, beginning with a request that generates the directory required for path traversal and schedules the spawn of a reverse shell. 

Although the exploit creates several files, the attack is not logged by standard solutions, as per the researcher, who suggests utilizing the Audit framework, which gathers data on both security and non-security-related events. 

On September 21, VMware published CVE-2021-22005 with a critical severity rating of 9.8 out of 10 and clear advice for companies to consider “an emergency change” in accordance with ITIL best practices for IT service management, and to patch “as soon as possible.” 

CISA also encouraged major infrastructure firms with susceptible vCenter servers to prioritize upgrading the machines or use VMware's interim fix in a warning issued on Friday. 

The initial proof-of-concept exploit code was made public four days later. Although the code was incomplete in its initial version, it could readily be adapted to achieve remote code execution, and attacks began quickly. 

Following an analysis of the unfinished code, CERT/CC vulnerability expert Wil Dormann stated that "the missing portion from this PoC will indeed keep away script kiddies, but not any determined actor,” adding that a complete attack should be available shortly. 

Threat actors showed interest in it just hours after VMware reported the vulnerability, and they rapidly developed a workable attack using the unfinished code that security researcher Jang provided last week along with some technical comments. 

With a fully functional exploit available, the number of attacks is expected to escalate as less-skilled actors join in. VMware has warned that falling victim to a ransomware attack is one of the most serious threats to a company.

Latest Microsoft Exchange Server Feature Mitigates High-Risk Bugs

 

Microsoft Exchange is one of the most prominent targets for hackers, and the attack vector typically involves a well-known vulnerability that the organization hasn't yet patched. A new solution from Microsoft aims to provide urgent protection after several attacks over the last year that used zero-days against on-premises Microsoft Exchange servers. 

Microsoft has implemented a new Exchange Server capability that automatically applies interim mitigations to protect on-premises systems against incoming cyberattacks that exploit high-risk (and probably actively exploited) security vulnerabilities, until administrators can deploy the security updates. 

This update follows a series of zero-day vulnerabilities detected in Microsoft Exchange, which were used by state-sponsored hacking groups to infiltrate servers while no patch or mitigation information was available to administrators. 

Built on the Exchange On-premises Mitigation Tool (EOMT), which was released in March to reduce the attack surface exposed by the ProxyLogon vulnerabilities, the new Exchange Server component is named the Microsoft Exchange Emergency Mitigation (EM) service. EM runs on Exchange Mailbox servers as a Windows service. 

After the September 2021 (or later) CU is installed on Exchange Server 2016 or Exchange Server 2019, it is installed automatically on servers with the Mailbox role. It detects Exchange servers susceptible to one or more known threats and applies provisional mitigations until the security updates can be installed by administrators. 

Mitigations applied automatically by the EM service are temporary, lasting until the security update that resolves the issue can be installed, and do not supersede Exchange SUs. 

"This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before installing applicable SUs," the Exchange Team explained. 

EM is an EOMT variant built into Exchange Server that downloads mitigations for high-risk issues from the cloud-based Office Config Service (OCS) and applies them. Admins who do not want Microsoft to apply mitigations automatically to their Exchange servers may disable the EM service. They may also manage applied mitigations via PowerShell cmdlets or scripts that allow mitigations to be viewed, reapplied, blocked, or removed. 

"Our plan is to release mitigations only for the most severe security issues, such as issues that are being actively exploited in the wild," the Exchange Team added. "Because applying mitigations may reduce server functionality, we plan on releasing mitigations only when the highest impact or severity issues are found."

Spoofed Zix Encrypted Email is Used in Credential Spear-Phishing

 

Hackers have used a credential phishing attack to steal data from Office 365, Google Workspace, and Microsoft Exchange by spoofing an encrypted mail notification from Zix. According to Armorblox security researchers, the assault impacted around 75,000 users, with small groups of cross-departmental staff being targeted in each customer environment. 

Social engineering, brand impersonation, replicating existing workflows, drive-by downloads, and using valid domains were among the methods the hackers employed to obtain data. “Secure Zix message” emails were sent to victims. In the body of the email, a header repeated the email subject and claimed the victim had received a secure communication from Zix, a security technology company that provides email encryption and data loss prevention services.

The victim is invited to view the secure message by clicking on the "Message" button in the email. While the phoney email is not an exact copy, it is similar enough on the surface to fool unwary victims. According to the researchers, clicking the “Message” link in the email causes an HTML file named “securemessage” to be downloaded to the victim's PC. The file could not be opened in a virtual machine (VM) because the download redirect did not appear within the VM.

Using valid (albeit unrelated) domains to send emails, according to Armorblox researcher Abhishek Iyer, is “more about tricking security measures (i.e. evading authentication checks) than it is about tricking recipients, especially if the domains are not forged to appear like the real thing.”

A Verizon credential phishing campaign located on the website of a Wiccan coven, for example, was discovered by Armorblox last year. Another example is an Amazon credential phishing email sent from the domain of Blomma Flicka Flowers, a tiny floral design firm situated in Vermont. Under the pretext of Amazon item delivery notices, the campaign intended to steal passwords and other personal information. 

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer said via email.

"To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it," he continued.
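The evasion Iyer describes is that the sending domain is real, so SPF and DKIM pass and only the brand claim is false. As an added example (not from the article or from Armorblox), the check below parses a constructed message modelled on the campaign, compares the brand named in the display name and subject against the sender's domain, notes when authentication passed on that unrelated domain, and flags "Message" links pointing at hosts outside the brand's domains. The brand-to-domain map and all domains in the sample are constructed placeholders.

```python
"""Brand-impersonation check for a constructed "Secure Zix message" email.

Added example, not the article's or Armorblox's code. BRAND_DOMAINS and the
sample message use constructed .example domains, not a verified allow-list.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand-to-domain map; a real deployment maintains its own.
BRAND_DOMAINS = {"zix": {"zix.example"}}


def _auth_passed(msg) -> bool:
    """True if Authentication-Results reports spf=pass or dkim=pass."""
    ar = str(msg.get("Authentication-Results", ""))
    return bool(re.search(r"\b(spf|dkim)=pass\b", ar, re.I))


def _links(msg):
    """Yield (href, host) pairs for every href in the HTML body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href in re.findall(r'href=["\']([^"\']+)', html, re.I):
        yield href, (urlparse(href).hostname or "").lower()


def analyse(raw_message: str) -> dict:
    """Return the sender domain, a suspicious flag and the reasons behind it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed_text = f"{display} {msg.get('Subject', '')}".lower()
    reasons = []
    claimed = [b for b in BRAND_DOMAINS if b in claimed_text]
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims to be {brand} but sent from {sender_domain}")
    if reasons and _auth_passed(msg):
        # The real, unrelated domain authenticates fine: evasion, not forgery.
        reasons.append("spf/dkim passed on the unrelated sending domain")
    for brand in claimed:
        for href, host in _links(msg):
            if host and host not in BRAND_DOMAINS[brand]:
                reasons.append(f"link to {host} outside {brand} domains: {href}")
    return {"sender_domain": sender_domain,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample modelled on the article's description of the campaign.
SAMPLE_MESSAGE = """\
From: "Zix Secure Message" <notify@unrelated-business.example>
To: victim@corp.example
Subject: Secure Zix message
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=unrelated-business.example; dkim=pass header.d=unrelated-business.example
Content-Type: text/html; charset="utf-8"

<html><body><h1>Secure Zix message</h1>
<p>You have received a secure message.</p>
<a href="https://unrelated-business.example/wp-content/securemessage">Message</a>
</body></html>
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    print("suspicious:", result["suspicious"])
    for r in result["reasons"]:
        print(" -", r)
```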

Russia will develop a new cyber security standard

Positive Technologies is developing a new concept of cyber security standard. The document should become an open knowledge base, which will be exchanged between specialists to improve their qualification.

Today, each company sets up its own information security parameters; when a single standard appears, organizations will be able to develop the most effective solutions together.

Experts noted that the document will also help solve the problem of personnel shortage in the IT industry: specialists from other fields interested in information security will be able to get additional skills in this database and retrain to work in this field.

Oleg Gubka, Development Director of the Avanpost company, agrees that the initiative is relevant, but, in his opinion, the standard will be effective if it is developed well.

He believes that it is necessary to create an expert council of representatives of companies who would carefully study all sections of the standard according to their successful projects.

"Information security standards have existed for a long time, why come up with another one is a big question," said Fyodor Dbar, commercial director of Security Codes. 

He believes that this will not help solve the problem of inefficient spending of budgets on information security products, since cybersecurity strongly depends on the development of the organization and the attention of its top officials to launching new processes. And the driver in the cyber security market is not standards, but events such as the mass transfer of employees from the office to remote work or the emergence of new regulatory requirements.

According to Alexander Konovalov, Technical Director of Varonis Systems in Russia, there are enough standards, methods, training systems and guidance documents in this industry. He emphasizes that the problem lies in the work overload of specialized employees, who are busy with “routine” and cannot fully master the hardware and software acquired for data protection. Therefore, the solution is not another standard but the expansion of the staff of information security departments.

Phones of 5 French Ministers Affected by Pegasus Spyware

 

The mobile phones of at least five French ministers and of President Emmanuel Macron's diplomatic advisor have been infected by the Israeli-made Pegasus spyware, whistle-blowers confirmed on Friday, September 24. 

As per a Mediapart report on Friday, French security agencies discovered the software during phone inspections, with breaches reported in 2019 and 2020. 

In July, Pegasus, produced by the Israeli company NSO Group, was already at the centre of a storm after a list of around 50,000 possible surveillance targets worldwide leaked to the media; the spyware is capable of switching on a phone's camera or microphone and harvesting its data. 

The allegation came about two months after the Pegasus Project, the media consortium that included the Guardian, found that a leaked database at the core of the investigative project included contact information of top French officials, including French President Emmanuel Macron and most of his 20-strong cabinet. 

There is no strong proof of successful hacking of phones of the five cabinet members however media reports suggest that the devices were targeted by the potent spyware known as Pegasus, which is created by the NSO Group. 

Once successfully installed by the Israeli firm's government customers, Pegasus allows them to monitor conversations, text messages, pictures and location, and can turn phones into remotely controlled listening devices. 

The Pegasus Project consortium, organized by the French non-profit media outlet Forbidden Stories, showed that international customers of NSO used the hacking tool to attack journalists and human rights organizations. 

NSO reportedly stated that its powerful malware is designed to investigate serious criminals, not members of civil society. It has stated it has no link to the leaked database reviewed by the Pegasus Project and that the tens of thousands of numbers it contains are not targets of NSO customers. It has also firmly denied that Pegasus has ever targeted Macron. 

In a statement released on Thursday night, NSO said: “We stand by our previous statements regarding French government officials. They are not and have never been Pegasus targets. We won’t comment on anonymous source allegations.” 

Furthermore, the authenticity of the allegation was verified by two French individuals with knowledge of the inquiry, but they asked not to be named since they had not been allowed to talk to the media. 

"My phone is one of those checked out by the national IT systems security agency, but I haven't yet heard anything about the investigation so I cannot comment at this stage," Wargon told the L'Opinion website Friday. 

Mediapart stated that the handsets of the minister for education (Jean-Michel Blanquer), Jacqueline Gourault, Julien Denormandie, Emmanuelle Wargon, Sébastien Lecornu and others showed traces of the Pegasus spyware. The report noted that at the time of the alleged targeting, which happened in 2019 and less often in 2020, not all of them held their current roles, but all were ministers. The phone of Macron's diplomatic advisor at the Élysée Palace was also targeted. 

The Élysée Palace also stated that it would not comment on “long and complex investigations which are still ongoing”. 

The Prosecutor's Office refused to comment or to clarify whether or not the hacking of the ministers' phones had been confirmed, stating that the investigation was subject to judicial confidentiality rules. Since the end of July, when palace officials urged caution, the Élysée has not reacted to the Pegasus affair beyond saying there is “no certainty at this stage”.

A Malicious Firefox Add-On Targets Cryptocurrency Users

 

Covid-19 pandemic has turned the world upside down in the last year and a half, leaving us with no option but to rely more on digital solutions – from using food delivery to online banking. Needless to say, the more one relies on the digital world, the more vulnerable one becomes to online scams. 

Now, scammers are targeting cryptocurrency users via a Firefox add-on named after SafePal. Dozens of Firefox users have fallen prey to an add-on masquerading as a valid extension of the SafePal cryptocurrency hardware wallet. What’s surprising is that this malicious add-on has lived on Mozilla’s Firefox web browser for almost seven months. 

SafePal is a cryptocurrency wallet application capable of safely holding over 10,000 asset types, including Bitcoin, Ethereum, and Litecoin. It is backed by Binance and it is now being used by over 2 million users in over 146 countries across the globe. While Safepal has official smartphone apps available on both the Apple AppStore and Google Play, no genuine Safepal extensions are known to exist for the Firefox browser. 

The issue was highlighted by one of the victims, named Cali, in a Firefox support group. “Today I browsed true the add-on list of Mozilla Firefox I was searching for Safepal wallet extension to use my cryptocurrency wallet also in the web browser. So, my searching ended on the following page: https://addons.mozilla.org/nl/firefox/addon/safepal-wallet/,” she wrote on the support page.

“8 hours later I checked if my funds were still saved on my phone software wallet also from Safepal I saw nothing $0,- balance I was deep in shock I saw my last transactions and saw that my funs ($4000),” she added.

According to the add-on's listing page, the add-on was released on 16 February 2021. The same page says that the 235 KB add-on is a Safepal application that securely "saves private key locally." It also carries product images and convincing-looking marketing materials.

In order to publish an add-on on Mozilla's website, developers are required to follow a thorough submission process. Firefox’s developer platform says that the submitted add-ons are "subject to review by Mozilla at any time." However, the extent of such a review isn’t specified, nor has Mozilla explained how the fake add-on managed to get listed. 

Fortunately, Mozilla Firefox has taken down the extension. “When we become aware of add-ons that pose a risk to security and privacy according to our Add-on Policies, we take steps to prevent them from running in Firefox. In this instance, shortly after we became aware of potential abuse by this extension, we took action to block and remove it from the Firefox Add-on store," a Mozilla spokesperson stated.