- Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play’
- iOS users can now use Google prompt on their devices via the Gmail app
- A flaw in LinkedIn feature allowed user data harvesting
- At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store
Posted: 20 Apr 2018 10:20 AM PDT
Security researchers at the 360 Core Security observed an APT group exploiting a zero-day vulnerability in IE, dubbed 'double play'. The flaw is still unfixed.
Security researchers at the 360 Core Security uncovered a zero-day vulnerability in IE, dubbed 'double play', that was triggered by weaponized MS Office documents. The experts have been observing an APT group targeting a limited number of users exploiting the zero-day flaw.
At the time of writing, the experts had not revealed the name of the APT group because of the ongoing investigation; most of the victims are located in Asia.
According to the experts at 360 Core Security, users may get hacked by simply opening a malicious document. Hackers can use the 'double play' flaw to implant a backdoor Trojan and take full control over the vulnerable machine.
Through source analysis, 360 Security experts were able to discover the attack chain and reported it to Microsoft.
The APT group was delivering an Office document with a malicious web page embedded; once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of the attack leverages a public UAC bypass technique and uses file steganography and reflective in-memory loading to evade traffic monitoring and run without writing files to disk.
This 'double play' vulnerability may affect the latest versions of Internet Explorer and applications built on the IE engine.
Experts at 360 Core Security are urgently promoting the release of the patch.
“At present, 360 is urgently promoting the release of the patch.” states 360 Core Security.
“We would like to remind users not to open any unfamiliar Office documents and use security software to protect against possible attacks.” states 360 Core Security.
Below the timeline of the zero-day:
April 18. 360 Core Security detected the attack;
April 19. Experts reported the flaw to Microsoft.
April 20. Microsoft confirmed the existence of the zero-day. Microsoft hasn’t yet released a patch.
The post Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play’ appeared first on Security Affairs.
Posted: 20 Apr 2018 05:29 AM PDT
Google announced that iOS users can now benefit from Google prompt feature via their Gmail application. Security and usability are crucial requirements for Google.
Google announced that iOS users can now receive Google prompts via their Gmail application.
“In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature.” reads the blog post published by Google.
"Today, we're making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account,"
Google prompt was designed to inform users of any attempt to log into their accounts and confirm it with a tap on their mobile devices.
Since June 2016, Gmail users have been able to approve sign-in requests via 2-Step Verification (2SV) by simply tapping a "Yes" button on their smartphone.
The classic 2-Step Verification process relies on a login authentication code sent via SMS; once the user has received it, they need to enter it on the sign-in page.
The tech giant launched Google prompt to make this process simpler: it displays a popup message on the user's mobile device asking them to confirm the login with a single tap.
Google prompt was rolled out to both Android and iOS devices, but on iOS, the users need to have the Google Search app installed.
In October 2017, Big G introduced Google prompt in G Suite. The company made the feature available to all of its users who chose to enable the extra layer of security, but in order to use it, iOS users needed to have the Google app installed on the device.
Now Google has overcome this limitation and iOS users can benefit from Google prompt without having the Google app installed.
iOS users who have both the Google app and Gmail app installed on their devices will receive the prompts from Gmail.
Google prompt in Gmail for iOS will be available to all users within a few days.
(Security Affairs – Google prompt, iOS)
The post iOS users can now use Google prompt on their devices via the Gmail app appeared first on Security Affairs.
Posted: 20 Apr 2018 02:26 AM PDT
The researcher Jack Cable (18) has discovered a vulnerability in LinkedIn, the AutoFill functionality, that allowed user data harvesting.
While experts and the public are discussing the Cambridge Analytica case, another disconcerting case made the headlines: the private intelligence agency LocalBlox left an AWS bucket unsecured online containing 48 million records, which had also been harvested from Facebook, LinkedIn, and Twitter.
No doubt, data harvesting is a common practice and we are only discovering the tip of the iceberg; many companies and intelligence agencies do it for different reasons.
Sometimes this activity is facilitated by security flaws in the features implemented by social media platforms.
In early April, Mark Zuckerberg admitted that public data of Facebook's 2.2 billion users had been compromised over the course of several years by third-party actors that gathered information on its users. Third-party scrapers exploited an issue in Facebook's search function that allowed anyone to look up users via their email address or phone number.
Now the researcher Jack Cable (18) has discovered a flaw in LinkedIn's AutoFill functionality that allowed user data harvesting.
The AutoFill functionality allows users to quickly fill out forms with data from their LinkedIn profile, including name, title, company, email address, phone number, city, zip code, state, and country.
Cable explained that it is possible to abuse the function to harvest user data by placing the AutoFill button on a malicious website: rather than leaving the LinkedIn button visible on the page, the attacker could change its properties and position it anywhere on the page, making it invisible.
With this trick, which clearly violates LinkedIn’s privacy policies, when a user visits the malicious site and clicks anywhere on the page, they unknowingly click the invisible AutoFill button, resulting in their LinkedIn data being harvested.
“The potential for exploitation existed until being patched 04/19/18, as any whitelisted website can access this information with a single click.” wrote Cable.
“The exploit flowed as follows:
Cable pointed out that with this trick non-public data was also provided to a site abusing the AutoFill function, even though LinkedIn states in its documentation that only public data is provided to fill out forms.
Cable reported the flaw to LinkedIn on April 9 and the company temporarily restricted the AutoFill functionality to whitelisted sites. Of course, the problem was not completely addressed this way: an attacker able to compromise a whitelisted site was still in a position to harvest data from LinkedIn.
On April 19, LinkedIn published a stable fix for the issue.
LinkedIn said it was not aware of any evidence of malicious exploitation, but I’m sure that many of you have a different opinion.
(Security Affairs – LinkedIn, data harvesting)
The post A flaw in LinkedIn feature allowed user data harvesting appeared first on Security Affairs.
Posted: 20 Apr 2018 12:57 AM PDT
A security researcher has discovered five malicious ad blocker extensions in the Google Chrome Store that had been installed by at least 20 million users.
The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious ad blocker extensions in the Google Chrome Store that had been installed by at least 20 million users.
The fake Ad blockers are
The five extensions are clones of well-known ad blockers; searching for ad blockers in the Google Chrome Store, we can notice that the crooks used popular keywords in the extension descriptions in an attempt to appear in the top search results.
“It’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.
“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make it to the top search results.”
The analysis of the code of the ad blockers revealed that the developers had just added a few lines of code and some analytics code to the legitimate extension's code.
Meshkov reported his discovery to Google, which immediately removed all of them from the Chrome Store.
The malicious code includes a modified version of the jQuery library that hides the code used to load coupons.txt, a strange image, from a third-party domain, http://www[.]hanstrackr[.]com.
The modified jQuery library includes a script that is able to send information about some of the websites visited by the user back to a remote server.
“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the g.qyz.sx domain passing information about the visited page, and then re-initialized the extension.” continues the expert.
The expert noted that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in a privileged context (the extension’s background page), so it has full control of the browser.
The remote server sends commands to the malicious extension, which are executed in the extension’s background page and can change the browser’s behavior in any way.
“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”
Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with the very same approach.
Be careful about what you install: install only necessary extensions from trusted developers and companies.
The post At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store appeared first on Security Affairs.